Security Basics mailing list archives
RE: MAC level authentication or filtering
From: "Jay Archibald" <jay.archibald () comcast net>
Date: Sat, 9 Oct 2004 13:03:41 -0600
Jay - Can you send me a sanitized copy of the switch config file? I am interested to see how you have implemented MAC authentication on the ports. Your scheme seems to be a lot more simple than that recommended by Cisco a couple of months ago with the Cisco User Registration Tool (URT) which has a requirement to the VTP on all switches.

Have you considered port-based authentication with 802.1x protocol?

Thanks, Craig.
Craig,

I have attached an example of a config for a Cisco Catalyst 2950T switch. Dynamic VLANs are very simple to configure on a switch. It is setting up the TACACS server that is time consuming, but you only have to do it once per mac-address. As for the switch, you only need two commands:

  vmps server 192.168.18.3 primary   (this tells the switch where the TACACS server is)
  switchport access vlan dynamic     (this command sets which ports are dynamic)

As I mentioned before, the TACACS server needs to have a database set up which tells the switch which VLAN to assign the port according to the mac-address of the network host. The network host will be on the same VLAN no matter where it connects in the network. TACACS can be set up to have a default VLAN for mac-addresses that are not defined in the database. To protect your network from these unknown network hosts all you need to do is filter that default VLAN and the unknown mac-addresses will have limited network access. For example, you can allow this VLAN to access the Internet but restrict access to any other part of your network. This is an excellent way to protect your network from users bringing in their own laptops or other network devices.

I have also included an example on interface fa0/1 and fa0/3 that will only allow a defined mac-address to forward packets on that port. Any other mac-address is blocked. This is very useful for servers that need 100% of the bandwidth or if you do not want anything else but a specific host to connect to that port. With this port security configuration you do not have to worry about users bringing in hubs, switches or access points and connecting them to your network. Port security is not limited to only one mac-address per port. You can set the port up with additional mac-addresses if desired. Although this can be very useful, I would only recommend it for parts of a network that are very static in terms of where network hosts connect.

  switchport port-security
  switchport port-security violation restrict
  switchport port-security maximum 1
  switchport port-security mac-address 0800.20a8.3678

I do need to admit that both of these examples are subject to mac-address spoofing, as mentioned in other posts. It does however stop the 99% of users that do not know what mac-address spoofing is from connecting a laptop up to your network that is infected with a virus and infecting your network. For the other 1%, the users that know how to spoof a mac-address and gain access, the answer is to set their NIC to full duplex and the switch port to half duplex ;). That will teach them. For those 1% this is where the Cisco User Registration Tool (URT) comes into play.

Concerning VTP... I do not use VTP in my network. I don't like it. All it takes is one switch with a higher revision number added to your network with an empty VLAN database and your network is gone. It has happened to me... ***PANIC***. I set all my switches to VTP Transparent mode and manually add the VLANs I want on the switch. You do however have to use VLAN trunking between your switches, but by manually adding the desired VLANs per switch you control what VLANs are allowed on that switch.

Regards,
Jay Archibald

  vmps server 192.168.18.3 primary
  !
  spanning-tree mode rapid-pvst
  no spanning-tree optimize bpdu transmission
  spanning-tree extend system-id
  spanning-tree uplinkfast
  !
  !
  !
  !
  interface FastEthernet0/1
   switchport access vlan dynamic
   switchport mode access
   switchport port-security
   switchport port-security violation restrict
   switchport port-security mac-address 0800.20a8.3678
   switchport block multicast
   no cdp enable
   spanning-tree portfast
   spanning-tree bpduguard enable
  !
  interface FastEthernet0/2
   switchport access vlan dynamic
   switchport mode access
   switchport block multicast
   no cdp enable
   spanning-tree portfast
   spanning-tree bpduguard enable
  !
  interface FastEthernet0/3
   switchport access vlan dynamic
   switchport mode access
   switchport port-security
   switchport port-security violation restrict
   switchport port-security mac-address 0080.d406.004a
   switchport block multicast
   no cdp enable
   spanning-tree portfast
   spanning-tree bpduguard enable
  !
  interface FastEthernet0/4
   switchport access vlan dynamic
   switchport mode access
   switchport block multicast
   no cdp enable
   spanning-tree portfast
   spanning-tree bpduguard enable

-----Original Message-----
From: Craig
Sent: Saturday, October 09, 2004 9:00 AM
To: jay.archibald () comcast net
Subject: FW: MAC level authentication or filtering

Jay - Can you send me a sanitized copy of the switch config file? I am interested to see how you have implemented MAC authentication on the ports. Your scheme seems to be a lot more simple than that recommended by Cisco a couple of months ago with the Cisco User Registration Tool (URT) which has a requirement to the VTP on all switches.

Have you considered port-based authentication with 802.1x protocol?

Thanks, Craig.

-----Original Message-----
From: Jay Archibald [mailto:jay.archibald () comcast net]
Sent: Friday, October 08, 2004 12:57 PM
To: dnardoni () firstresponseconsulting com; security-basics () securityfocus com
Subject: RE: MAC level authentication or filtering

Mr. Nardoni,

If you have managed switches in your network that can use dynamic VLANs, you have your answer. I will use Cisco products for an example since that is what I use. If you have dynamic VLANs enabled, the switch will search a database (TACACS) of mac-addresses to see what VLAN to assign to the port. You then populate the TACACS database with the "allowed mac-addresses" and their assigned VLAN which has access to your servers. When an unknown mac-address is connected to a switch, the switch will put it into a default VLAN. All you have to do is filter that VLAN. You may want to filter access for this VLAN to the Internet and nothing else.

Additionally you can turn logging on the switch and send the syslogs to a syslog server. This will record everything that is being connected to the network and what VLAN is being assigned. This is a little configuration work up front, but it allows you to control the known, and protects you from the unknown.

Regards,
Jay Archibald

| -----Original Message-----
| From: David Nardoni [mailto:dnardoni () firstresponseconsulting com]
| Sent: Thursday, October 07, 2004 09:54
| To: security-basics () securityfocus com
| Subject: MAC level authentication or filtering
|
| I need a solution that will allow me to prevent a user from coming in to my office and plugging in a laptop and gaining access to the network.
|
| I have users that are currently using thin clients to connect to the main server to do all their processing. If a legitimate user turns bad and decides to bring in a system (laptop) from home and connect it to the network and proceed to use their proper username and password to gather information from terminal services, I want to be able to recognize that they have plugged in an unauthorized system and keep them from gaining access to the network.
|
| I welcome all ideas no matter what vendor solution or no matter how simple or complex. If you need more info on the situation let me know.
|
| Dave Nardoni CISSP
| First Response Consulting Services, Inc.
| dnardoni () firstresponseconsulting com
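An added example, not from the thread or from Cisco: a small Python audit that parses IOS interface stanzas like the ones posted above and reports, per port, whether it is VMPS-dynamic, whether port security pins a MAC, and which violation mode applies, so a dynamic port that relies only on the default-VLAN filter stands out. The sample stanzas are abbreviated from the config in this message; treating "shutdown" as the violation mode when none is configured reflects the IOS port-security default.

```python
# Two interface stanzas, abbreviated from the 2950T config posted above.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan dynamic
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0800.20a8.3678
!
interface FastEthernet0/2
 switchport access vlan dynamic
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of stripped config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # a lone '!' closes the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_port(lines):
    """Summarise one access port's MAC-based controls and flag the gaps."""
    macs = [l.split()[-1] for l in lines
            if l.startswith("switchport port-security mac-address ")]
    mode = next((l.split()[-1] for l in lines
                 if l.startswith("switchport port-security violation ")),
                "shutdown")  # IOS default when no violation mode is set
    port_sec = "switchport port-security" in lines
    dynamic = "switchport access vlan dynamic" in lines
    notes = []
    if dynamic and not port_sec:
        notes.append("accepts any MAC; relies on VMPS default-VLAN filtering")
    if port_sec and not macs:
        notes.append("port-security with no pinned MAC: first MAC seen becomes the secure address")
    return {"dynamic": dynamic, "port_security": port_sec, "macs": macs,
            "violation": mode if port_sec else None, "notes": notes}

def audit_config(config):
    """Audit every interface stanza in an IOS running-config."""
    return {n: audit_port(l) for n, l in parse_interfaces(config).items()}
```

Running `audit_config(SAMPLE_CONFIG)` shows Fa0/1 clean (pinned MAC, mode restrict) and Fa0/2 flagged as open to any MAC.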
Attachment:
example.txt