MAC Address Filtering/Port Security

We need to replace our aged switch with a new one capable of MAC Address Filtering.  I understand it is simple to change your MAC address, but this is a mandatory client security requirement.

I should point out that I am a simpleton, and have only a basic understanding of networking and little experience.

So... let's say we get a decent Cisco Managed Switch (e.g. http://uk.insight.com/en-gb/productinfo/network-switches/LNKNA05YX2) and we want to enable the MAC Address Filtering feature, providing only the MAC addresses of company devices.

I have a couple of simple questions:

1. Do the MAC addresses work as a pool, or are they necessarily tied to individual ports on the switch?  i.e. will my laptop then continue to work anywhere I plug it in in the building, or only at predefined desks/floor ports?

2. Due to a shortage of floor ports, we have had to use small Netgear 4-port switches at various locations.  How will this work with the new Managed Switch in the server room?  Will the 4-port switch be invisible to the new Managed Switch, or will this 4-port switch have a MAC address of its own and actually serve to undermine the MAC Address Filtering on the new Managed Switch, because anything can be plugged into it?

Thanks in advance

vasp
 
pritamduttCommented:
You can define a common MAC-based ACL of all the company device MAC addresses and then assign this ACL to the various required ports.


Regards,
0
 
pritamduttCommented:
Sorry forgot to answer for question 2.

Considering that the Netgear switch would be a layer 2 device, it should work fine with the above configuration.


Regards,
0
 
vaspAuthor Commented:
ACL sounds good.  So, create an ACL with all of the MAC addresses I want (>50), and then this ACL could be applied to every port on the switch, thus enabling any machine to be plugged into any network point in the building?  Is this possible on any Switch which is capable of "MAC Address Filtering" or "Port Security"?

Re. the Netgear switch, I take it this would defeat the point of MAC address filtering - I should consider supergluing the cables in those ports...?
0
 
pritamduttCommented:
This should be possible on all switches capable of MAC address filtering, but be sure to check the documentation once.


Hope this helps!
Regards,
0
 
rochey2009Commented:
Hi,

What are the goals of the security policy?
0
 
pritamduttCommented:
The goals of a security policy are defined by the applicable organization.
However, broadly, the goal of security would be to prevent unauthorized access to information at rest or in motion, and to ensure:
Confidentiality: Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.
Integrity: In information security, integrity means that data cannot be modified undetectably.
Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Hope this helps...

Regards,
0
 
rochey2009Commented:
You could use Cisco port security, but you would have to configure the MAC addresses of your roaming devices on multiple switchports.
0
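As an added example (not configuration from any poster in this thread), here is what rochey2009's point looks like on a Catalyst 2960: port security binds addresses per interface, so a roaming laptop has to be listed on every port it may use, and a port feeding an unmanaged Netgear switch needs a `maximum` equal to the number of known devices behind it. On these switches a MAC ACL applied with `mac access-group` filters only non-IP traffic, which is why port security, rather than a MAC ACL, is the per-port whitelist feature. The interface names, VLAN 10 and the MAC addresses below are constructed placeholders.

```cisco
! Added example, not from the thread: Catalyst 2960 port security.
! Addresses are bound to the interface; there is no switch-wide pool,
! so a laptop that roams must be entered on each port it may use.
snmp-server enable traps port-security
!
interface FastEthernet0/1
 description Desk port - one known PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! placeholder MAC, not a device from the page
 switchport port-security mac-address 0011.2233.4455
 ! restrict: drop frames from any other source MAC, increment the
 ! violation counter and send a syslog/SNMP trap, but keep the port up
 ! (shutdown mode would err-disable the whole port instead)
 switchport port-security violation restrict
 spanning-tree portfast
!
interface FastEthernet0/2
 description Floor port feeding an unmanaged 4-port Netgear switch
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! an unmanaged switch forwards frames transparently and normally
 ! sources none of its own, so it is invisible here; allow exactly the
 ! known devices behind it. A fifth device plugged into it trips the
 ! violation counter rather than gaining access.
 switchport port-security maximum 4
 switchport port-security mac-address 0011.2233.4456
 switchport port-security mac-address 0011.2233.4457
 switchport port-security mac-address 0011.2233.4458
 switchport port-security mac-address 0011.2233.4459
 switchport port-security violation restrict
 spanning-tree portfast
!
! Verification:
!   show port-security interface FastEthernet0/2   (SecurityViolation count)
!   show port-security address                     (which MAC is bound where)
```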
 
vaspAuthor Commented:
The aim is to prevent unauthorised devices from talking to the file server (network shares etc.).

Greatest risk is 'Insider risk'... either malicious or foolish actions... e.g. user brings in their own laptop and plugs it in, uses their username and password to connect to a network share - copies files to and/or from their personal laptop.  It might not even be theirs - it could be a client's laptop - either way an engineered preventive solution is more desirable than a procedure that says not to do it.

I realise there are probably better (more expensive) ways of achieving this, but this will keep my client's security dept happy.  But before I spend any money I want to confirm my understanding of how MAC address control works on a Cisco switch...

If MAC Address Filtering can only lock a machine to a specific port it'd be really awkward to manage, plus, a laptop could only be used on predefined ports?  I would want any whitelisted MAC address to work on any port...
0
 
rochey2009Commented:
Maybe 802.1X port based authentication would be more suitable to your requirements.
0
 
vaspAuthor Commented:
I'm afraid I have no idea what that means - even after googling it.

It did seem to be a Wireless thing...?  We are wired only (again, another client security requirement)...
0
 
vaspAuthor Commented:
Might be an option.  Won't pretend I fully understand that article.  Dependent on availability of a RADIUS service though?  If our (single) server crashed, no one could get out to the net?  Is MAC address filtering not more reliable because we're looking at ?
0
 
pritamduttCommented:
Hi,

Considering you have not yet bought these switches, I would suggest one of the best technology architectures which can address the concerns raised by you.

The environment for this solution would include:
- Windows Active Directory for User Authentication
- Windows Certificate Services for Device & User Authentication
- RADIUS Server for Device Authentication.

Please note that Certificate based Authentication can be considered the best solution, considering... you can control whom to issue certificates to, and even revoke them.

Let me give you a little snapshot on how the entire thing works.

Scenario 1: A Genuine Authorised Device

User connects his device to the network, Switch generates an 802.1x Certificate based Authentication Request, Machine supplies the certificate issued to the machine by the Org. CA, the certificate is validated by the Org CA and on successful authentication, the port is configured to use the Machine VLAN. The Machine VLAN has limited access to the network, primarily for installing various updates such as AV/Windows etc.

Scenario 2: A Genuine Authorised User on Authorised Device

User connects his device to the network, and logs on to the Org. Domain. Switch generates an 802.1x Certificate based Authentication Request, Machine supplies the certificate issued to the Domain User by the Org. CA, the certificate is validated by the Org CA and on successful authentication, the port is configured to the specific User VLAN. The User VLAN can have specified access rules in place for the User Group.

This goes a step further in ensuring that at the network level you can limit access to certain server services to specific group of people.

Scenario 3: An unauthorized Device

User connects his personal device to network, Switch generates 802.1x Certificate based Authentication Request, Machine may supply its certificate, and may be sent for validation to Org CA and would fail. On failure, port is configured to use restricted VLAN. Restricted VLAN would not give any access to network.

Please visit : http://en.wikipedia.org/wiki/IEEE_802.1X to read more on 802.1x authentication.

Hope this sets up a new thought direction for you.

Regards,
0
 
SouljaCommented:
The previous comments are correct regarding 802.1x. This would be your best solution.

The above scenarios are valid solutions for 802.1x using EAP-TLS, which is expensive as it requires a certificate to be installed on every client as well as the RADIUS server. What you can do as a more affordable solution is use PEAP-MSCHAP, which only requires the server to have a CA certificate. The client validates the server, and the server uses an external identity store such as Active Directory to validate that the computer is in Active Directory. This prevents Authorized User, Unauthorized Device scenarios.

Another option is to use MAC Authentication Bypass; this will allow you to store all of your MAC addresses on the RADIUS server and the devices will be authenticated by their MAC address.

You can also use a combination of the two. If 802.1x fails, then the switch tries MAB.

Many options.
0
 
vaspAuthor Commented:
Thanks for the explanatory notes.

As I was reading I suddenly remembered.... the laptops we use have a secure VPN 'lockdown client' installed that MUST have the ability to ping a particular device on the network (when initiated by the user as part of the logon process).  Until the ping response is received, no other network activity is possible, even user authentication with the DC.  Once the ping response is received user authentication occurs, group policies are applied and logon scripts run.

I do not think 802.1x port based authentication will work for our laptops (a third of our machines).  We cannot change our VPN solution.

I think this points us back to the MAC address filtering on the switch... despite its shortcomings...

vasp
0
 
pritamduttCommented:
A little correction @Soulja: though you may need to install a certificate on each machine, you don't need to buy them, as you could have your own org.-specific internal CA with no relevance to the outside world.

As regards to deploying, it is pretty easy using GPO once the machines are part of domain.


MAC auth is always my very last option, considering that if I wish, I can use my company laptop's MAC address on my personal laptop and gain access to the network.

Hope this helps!

I have nearly 20 VLANs running using 802.1x AUTH on wired and wireless network with single Radius and CA without any issues. Just keep backups..

Regards,
0
 
pritamduttCommented:
Hey @vasp, remember Scenario 1: A Genuine Authorised Device, given above. Every Authenticated Machine Device will be able to access permitted services, which could include that particular VPN Device.

Regards,
0
 
vaspAuthor Commented:
Unfortunately the VPN client will only allow pinging of that particular network device before it lets ANY other network communication occur.

This is the sequence of events...

1. Turn on laptop.
2. At logon screen, user initiates the ‘vpn lockdown client mode test’, a custom screen (this pings a particular network device).
3. Ping response received.
4. VPN lockdown client switches off (but pings network device every few minutes to confirm secure location).
5. User credentials passed to DC for authentication.
6. User authenticated.
7. Group policies applied and logon scripts run.
8. User logged on.

I don't think it will allow 802.1X port based authentication to work properly...
0
 
SouljaCommented:
Your ping issue would not be a problem since the 802.1x authentication of the machine will occur transparently and before the user even reaches the login screen. Thus, the port will be authenticated and open by the time the user initiates.

In regards to MAC Spoofing, there are available solutions that offer MAC Profiling that would prevent spoofing of Mac addresses. Specifically, Cisco ISE, but this is an expensive solution.

@pritamdutt

While that is an option, you know very well using self-signed certificates for a security deployment is like mixing oil and water. Definitely not best practice at all.
0
 
pritamduttCommented:
Yes, I agree with what you are saying, but in case you have your own CA setup with 2048 bit encryption, I wouldn't worry too much ... The only thing is that this solution is only as secure as access to your Private CA.


Regards.
0
 
SouljaCommented:
Agreed.
0
 
vaspAuthor Commented:
Your ping issue would not be a problem since the 802.1x authentication of the machine will occur transparently and before the user even reaches the login screen. Thus, the port will be authenticated and open by the time the user initiates.

OK, after a little reading, and conversations with the VPN manufacturer I believe I understand why MAB would work with our VPN client.

The previous comments are correct regarding 802.1x. This would be your best solution.

The above scenarios are valid solutions for 802.1x using EAP-TLS, which is expensive as it requires a certificate to be installed on every client as well as the RADIUS server. What you can do as a more affordable solution is use PEAP-MSCHAP, which only requires the server to have a CA certificate. The client validates the server, and the server uses an external identity store such as Active Directory to validate that the computer is in Active Directory. This prevents Authorized User, Unauthorized Device scenarios.

Another option is to use MAC Authentication Bypass; this will allow you to store all of your MAC addresses on the RADIUS server and the devices will be authenticated by their MAC address.

You can also use a combination of the two. If 802.1x fails, then the switch tries MAB.

Many options.

Provision of a dedicated RADIUS server is not possible.  But I believe it could still be done using MS IAS on our DC, and user accounts with logon names the same as the MAC addresses of the PCs/laptops on the domain...

If so, is this configuration not a bit of a security risk?  User accounts with username and password the same as the MAC address etc.?
If the DC, or just the IAS service went down, would all PCs/laptops not lose all connection?

Is this not a lot of effort to achieve what MAC Address Filtering could do?

vasp
0
 
SouljaCommented:
You could do MAC filtering, but keeping MACs in a central location is ideal. You can use FreeRADIUS if cost is an issue.  Cisco switches have a critical auth feature, so when they can't communicate with the RADIUS server, the ports can either fail over to a critical VLAN, or just fail open.
0
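The dot1x-then-MAB fallback Soulja described above, together with the restricted VLAN from pritamdutt's Scenario 3 and the critical-auth behaviour when RADIUS is unreachable, as an added Catalyst 2960 example (IOS 12.2(50)SE or later; this is not configuration from any poster). The RADIUS address, shared secret and VLAN numbers are placeholders.

```cisco
! Added example, not from the thread: 802.1X first, MAB as fallback,
! restricted VLAN on reject, critical-auth VLAN when RADIUS is dead.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! both the EAP exchange and MAB lookups go to this server (placeholder)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! declare the server dead after 3 unanswered tries within 10 seconds
radius-server dead-criteria time 10 tries 3
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! try 802.1X; if the device never answers EAPOL (no supplicant,
 ! e.g. a printer) fall back to MAB and look its MAC up on RADIUS
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! one session per MAC, so a small downstream switch still works
 authentication host-mode multi-auth
 ! explicit RADIUS reject (unknown device or certificate that fails to
 ! validate): park the port in the restricted VLAN, which carries no
 ! internal access (pritamdutt's Scenario 3)
 authentication event fail action authorize vlan 999
 ! RADIUS unreachable: authorize into a critical VLAN instead of failing
 ! closed, then re-run authentication once the server answers again
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification:
!   show authentication sessions interface FastEthernet0/1
!   show dot1x all summary
!   show mab all
```

Until the port is authorized only EAPOL (and control protocols such as CDP and STP) is forwarded, which is why the later question in this thread about pinging before authentication matters.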
 
pritamduttCommented:
@Vasp It appears that you are still tied to the thought of using MAC Addresses, even with an 802.1x setup, but in my experience, as you yourself stated, it is not the best solution.

If you look back on the solution proposed by me, you do not need to buy any additional hardware/software if your Switches support 802.1x authentication.

- Active Directory is already available
- IAS  (Radius) is available as part of windows server
- Windows Certificate Authority is available as part of windows server

Then why not go for a security-effective solution?

Regards,
0
 
SouljaCommented:
I agree, if he has those Microsoft services, I would definitely go 802.1x. MAC authentication is always a supplement for 802.1x, but never a replacement. Regardless, you can still use the MAC authentication for your non-802.1x devices such as printers.
0
 
vaspAuthor Commented:
Apologies for the delay getting back.

OK so I've spoken to the tech support dept of our VPN supplier.  Apparently the VPN software encrypts everything in each packet except for the L2 headers/footers (seems obvious now - how else could it work!?).  Authentication based solely upon layer 2 addressing will work i.e. MAC address filtering / port security or 802.1x MAB should work.

However, going back to the sequence of events I set out earlier - I've added a couple of steps:

1. Turn on laptop.
1a. All network communication is encrypted.
2. At logon screen, user initiates the ‘vpn lockdown client mode test’, a custom screen (this pings a particular network device).
2a. ICMP is permitted by the switch running 802.1x port based authentication?
3. Ping response received.
4. VPN lockdown client switches off (but pings network device every few minutes to confirm secure location).
4a. Switch requests authentication credentials (certificate).
4b. Switch contacts server to verify the certificate.
4c. If server approves, all traffic on switchport is enabled.
4d. Laptop gets IP address from DHCP server.

5. User credentials passed to DC for authentication.
6. User authenticated.
7. Group policies applied and logon scripts run.
8. User logged on.

I have ordered a Cisco Catalyst 2960-24TC-S to do some testing - the unknown (for me at least) is if ICMP will be allowed through the switch without authentication (i.e. will we get past step 2a above)?
0
 
pritamduttCommented:
Hi @vasp.

You cannot have step 2a... IP Ping without having an IP Address allocated to the machine.

So, I assume you already have received the IP Address before Step 2a is performed...


Regards,
0
 
vaspAuthor Commented:
Gotcha. So the sequence should look more like:

1. Turn on laptop.
1a. Laptop gets IP address from DHCP server.
1b. All network communication is encrypted (by the VPN software).

2. At logon screen, user initiates the ‘vpn lockdown client mode test’, a custom screen (this pings a particular network device).
2b. ICMP is permitted by the switch running 802.1x port based authentication?
3. Ping response received.
4. VPN lockdown client switches off (but pings network device every few minutes to confirm secure location).
4a. Switch requests authentication credentials (certificate).
4b. Switch contacts server to verify the certificate.
4c. If server approves, all traffic on switchport is enabled.

5. User credentials passed to DC for authentication.
6. User authenticated.
7. Group policies applied and logon scripts run.
8. User logged on.

The question remains - will the switch operating 802.1x port based authentication allow pings?

I will update this following tests.

Guys - thanks for your patience with me!

Regards

vasp
0
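On the open question of whether pings pass before authentication: with `authentication port-control auto` a Catalyst port forwards only EAPOL (plus CDP/STP control traffic) until it is authorized, so steps 1a and 2b would fail as written. Cisco's open authentication mode with a pre-authentication port ACL is the feature that changes this; the following is an added example (not from any poster), with the ACL name, interface and the 192.0.2.50 address of the device the lockdown client pings as placeholders.

```cisco
! Added example, not from the thread: open (low-impact) mode on a Catalyst 2960.
! Before authorization the port forwards only what PRE-AUTH permits:
! DHCP, so the laptop gets an address, and ICMP echo to the VPN check host.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit icmp any host 192.0.2.50 echo
 ! everything else is dropped by the implicit deny until authorization
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! open mode: do not drop non-EAPOL frames while unauthenticated;
 ! the port ACL above decides what gets through instead
 authentication open
 mab
 dot1x pae authenticator
!
! After authorization a RADIUS-downloaded ACL (dACL) normally replaces
! PRE-AUTH; without one the static port ACL stays in force.
! Check the session state with:
!   show authentication sessions interface FastEthernet0/1
```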
 
vaspAuthor Commented:
Gents,

To confirm the VPN product we are using is quite a serious bit of kit and limits our company laptops to layer 2 communication before the location is confirmed.  This means it cannot be compatible with 802.1x authentication which would've been the ideal.  So we are stuck with port security on the switches themselves, with the limitations that come with it.

Apologies for the delayed response closing this one off - I do appreciate your help.

Regards

vasp
0
