Understanding Layer 2 switch port security

Safe Switch

802.1X

Another approach to port security is implemented through the IEEE 802.1X network standard [5], which is a scalable, wired network authentication solution for port-based network access control. As shown in Figure 9, the client device (supplicant) requests to attach to the switch port by using the Extensible Authentication Protocol (EAP). The EAP message includes authentication information such as username, password, MAC address, or even digital certificate. When the switch (authenticator) receives the request, it sends the credential to an authentication server, which may be a Remote Authentication Dial-In User Service (RADIUS) server or an agent that connects to an Active Directory server. Finally, the authenticator allows the request if the provided information is validated.

Figure 9: IEEE 802.1X connection model.

Conclusion

Although wireless connections are very common nowadays, wired networks are still widely used for commercial office networks because of their high speed, stability, and security. The basic design of the wired Ethernet network puts the security on the perimeter and assumes all users on the local network are trusted. An intruder who is able to attach to a switch within the local network can easily gather information for an attack – unless you implement some form of port security. Individual port security configuration should be used on small- to medium-sized networks. For a large network infrastructure, you might want to consider the more scalable 802.1X authentication solution.

The Author

Jan Ho is a network engineer living in Hong Kong. He writes network tutorials at http://jannet.hk.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Detecting and analyzing man-in-the-middle attacks
    Wireshark and a combination of tools comprehensively analyze your security architecture.
  • Spanning Tree Protocol
    Ethernet is so popular because it simply works and is inexpensive. However, the administration side looks a bit more complicated: For the network to run smoothly, the admin might need to make important decisions about the Spanning Tree protocol.
  • Segmenting networks with VLANs
    Network virtualization takes very different approaches at the software and hardware levels to divide or group network resources into logical units independent of the physical layer. It is typically a matter of implementing secure strategies. We show the technical underpinnings of VLANs.
  • Network overlay with VXLAN
    VXLAN addresses the need for overlay networks within virtualized data centers accommodating multiple tenants.
  • Link Encryption with MACsec
    MACsec encrypts defined links with high performance and secures Layer 2 protocols between client and switch or between two switches.
comments powered by Disqus