Solved

port security report

Posted on 2016-10-03
Last Modified: 2016-10-12
We have port security set on our Cisco switches. The problem is that we have all ports active with dummy MACs assigned initially. This causes an alert when a rogue device is plugged in, which is good. What isn't good is that if we move a device from one port to another, the old port doesn't get the dummy MAC assigned, leaving it vulnerable to a rogue device. We would like to have something that can look at ports to:

1. check for ports with port-security not turned on
2. check for ports with port-security turned on but no MACs assigned, or not enough MACs (since we also have phones on some of the same ports)
3. send an email daily with the results of 1&2

Thank you
Question by:pony10us
11 Comments
 

Author Comment

by:pony10us
I have added PowerShell and Windows Batch to the categories. I have all the configs in text files, so could this be accomplished by reading the files and looking for missing information?

Expert Comment

by:Predrag Jovic
What isn't good is if we move a device from one port to another the old port doesn't get the dummy MAC assigned leaving it vulnerable to a rogue device.
Just configure the port not to forget the address that was on it. Set switchport port-security mac-address sticky in combination with switchport port-security aging so that it does not forget the MAC address (the default behavior). After the device is moved to another port you can still have the MAC address of the previous device assigned to that port.
2. check for ports with port-security turned on but no, or not enough since we also have phones on some of the same ports, MACs assigned to it.
3. send an email daily with the results of 1&2
That is a job for a network configuration manager (NCM).

But anyway, it looks like the better solution for your needs is to use RADIUS in your network.
If a MAC address is not already in RADIUS, it should not get access to the network.

Author Comment

by:pony10us
Okay, a little more background might be helpful. We use Kiwi CatTools to backup our configurations and also to report on changes. Audit and management don't feel that is sufficient and I tend to agree. It tells us of changes but is too time consuming to go through and discover ports with incorrect/missing port-security.

What we are looking for is a way to receive a daily email with that information.

This is what a typical port looks like when configured properly.  

interface FastEthernet0/6
 description Fa0/6
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice

Since there is no phone currently attached to this port the last line has a dummy MAC assigned.

Now let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports, the second-to-last line would be removed so that the computer will work on the new port. This can be done either by a third-party switch port management tool we use or by someone actually accessing the switch remotely and putting in the "no" command. Either way it results in the configuration being changed to:

interface FastEthernet0/6
 description Fa0/6
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice

This leaves the port vulnerable to someone connecting a rogue computer to the port without tripping port security. Ideally a dummy MAC would be assigned; however, that almost never gets done.

We have lots of moves daily, so we are looking for a way to receive an email every day that lists the switch and port that either doesn't have port-security set or is missing one or more of the lines that have the MAC.

There are other ways to do this; however, this is what our audit and management have asked for. It should be easy enough to accomplish since we have all the configurations saved nightly in text files. If they were stored on a Linux box we could simply use grep; however, they are stored on a Windows box.

We do use RADIUS for any outside access to the network; however, we can't lock that down by MAC since some people use their own computers and may sometimes need to use a different computer altogether. We use MFA, so it doesn't matter what machine they use.

Expert Comment

by:Predrag Jovic
Now let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports the second to last line would be removed so that the computer will work on the new port.
Almost true, but you can have two ports configured with the same port-security MAC address. It is just the MAC address that is allowed to use the port, not the actual MAC address in the CAM table.
So you don't have to use the "no" command; previously assigned MAC addresses can stay on the port without any risk (it permits that host to use the port, but not other hosts). Try it, but it is basically the same as using the same dummy address everywhere.

Author Comment

by:pony10us
We run a unicast environment, which does not permit the same MAC on multiple ports on the same physical switch. When we try to move a machine from one port to another, it tells us that it has found that MAC on another port and puts the new port into err-disabled.

Assisted Solution

by:eeRoot
eeRoot earned 250 total points
It sounds like your needs are beyond what plain port security can do, and you need to look at a NAC (network access control) solution. Software like OpenNAC or Cisco ISE can authenticate PCs based on certificates, and IP phones based on MAC OUI. Configuring NAC is a major project though, because of all the security settings that need to be in place.

Keep in mind that port security is an older security feature that dates back to the days of heavy desktop PCs that did not move around very often. It was not intended to handle devices that move around, or wireless devices. NAC is a complicated system to install and maintain, but it is the best option for current security needs.

Expert Comment

by:Predrag Jovic
When we try to move a machine from one port to another it tells us that it has found that MAC on another port and puts the new port into err-disabled.
Yes, I totally forgot about that one; it is enough just to have the MAC configured on a port in the same VLAN.
A security violation occurs in either of these two situations:

- When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic differs from any of the identified secure MAC addresses. In this case, port security applies the configured violation mode.
- If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN.

Learned MAC addresses can easily be removed from the old port (without waiting for the MAC age timer) by issuing clear mac address-table interface Gi x/y, but I totally forgot about the first part (bolded). I tested it with Packet Tracer just in case, and in Packet Tracer everything is OK with that scenario; it does not reflect reality. :)

Author Comment

by:pony10us
@eeRoot

Thank you, I will look into Cisco ISE since we run Cisco exclusively. However, I am not sure that it is really worth the effort due to our size.

@Predrag Jovic

Thank you, I have looked at several options, but basically all I need is a daily email showing me which ports either don't have port security configured or don't have the proper MACs, or any, assigned.

Since I have the configurations backed up nightly, isn't there something similar to Linux's grep that can be used to look at the configuration text files and create such a report? We are not looking to actually lock the network down any tighter. It is just that the examiners (audit) are complaining that we are not monitoring our existing controls properly and therefore some holes have happened.

I hope that all makes sense.

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 250 total points
Well, that is typically a job for an NCM. One of the options is compliance. You can create scripts to check configurations, run the scripts during the night as you do, and send reports afterwards. I don't know of tools that already have templates for what you need, but for sure you can create scripts.
I guess that you can script what you need in Kiwi CatTools.

Accepted Solution

by:pony10us
pony10us earned 0 total points
Thank you. Third-party software would probably be more elegant than what I came up with, but I did end up writing a PS script that sort of does what I am after. It lists the port security settings for all ports (interfaces) and we just have to read the report to locate the ones that are not correct.

Here is the script:

function sendMail($branch)
{
	$sendTo = "user@domain.com", "user2@domain.com" #Multiple values separated by commas
	$sendFrom = "PowerShell_Report@domain.com"
	$mailSubject = "PowerShell Port Security Report for Branch $branch"
	$mailBody = "Branch $branch switch port security report" #$output
	Send-MailMessage -Subject $mailSubject -From $sendFrom -To $sendTo -Body $mailBody -Attachments "C:\Program Files (x86)\CatTools3\Configs\Branch_$($branch)_Switchs\BR$($branch)switch.txt" -SmtpServer mail.domain.com
} #End function sendMail

#Clear-Host
# Branch folders use two-digit numbers (Branch_01 .. Branch_11), so one loop with a
# zero-padded branch number replaces the two near-identical copies of the code.
ForEach ($number in 1..11) {
	$branch = '{0:D2}' -f $number
	$configDir = "C:\Program Files (x86)\CatTools3\Configs\Branch_$($branch)_Switchs"

	# Skip the previous report file itself, otherwise its lines are matched again on the next run
	Get-ChildItem -Path "$configDir\*.txt" -Recurse | Where-Object { $_.Name -notlike 'BR*switch.txt' } | Select-String -Pattern Ethernet,maximum,sticky | Out-File -FilePath "$configDir\BR$($branch)switch.txt"

	sendMail $branch
}


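The script in the accepted solution only greps for lines and leaves the reading to a human. The following is an added example (my code, not pony10us's script and not a Kiwi CatTools feature) that does the three checks the question asked for against the nightly config text files: it splits each saved config into interface blocks, flags access ports with no "switchport port-security" line and ports whose configured sticky/static MAC count is below "switchport port-security maximum" (the moved-computer case shown earlier in the thread, where the access-VLAN MAC line is gone and only the voice MAC remains), and mails the findings. The CatTools config path is the one used in the thread; the e-mail addresses, SMTP server and the embedded sample config are assumptions/constructed. Per-VLAN maximums are not checked, and trunk, shutdown and non-Ethernet interfaces are skipped.

```powershell
# Added example (not pony10us's script): parse saved Cisco IOS configs, flag access
# ports with no port-security or fewer MACs than "port-security maximum" allows, and
# e-mail the findings. Addresses, SMTP server and the sample config are assumptions.

function Get-InterfaceBlocks {
    param([string[]]$Lines)
    # Block = "interface <name>" up to the next unindented line (IOS's "!"); blanks ignored.
    $blocks = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') { continue }
        if ($line -match '^interface\s+(\S+)') {
            if ($current) { $blocks += $current }
            $current = [pscustomobject]@{ Name = $Matches[1]; Lines = @() }
        }
        elseif ($line -match '^\s+\S' -and $current) { $current.Lines += $line.Trim() }
        elseif ($current) { $blocks += $current; $current = $null }
    }
    if ($current) { $blocks += $current }
    return $blocks
}

function Test-PortSecurity {
    param([pscustomobject]$Block)
    $lines = $Block.Lines
    # Trunks, shut ports and non-Ethernet interfaces are out of scope.
    if ($Block.Name -notmatch 'Ethernet' -or ($lines -contains 'switchport mode trunk') -or
        ($lines -contains 'shutdown')) { return $null }
    $enabled = $lines -contains 'switchport port-security'
    # Cisco's per-port default maximum is 1; the $ anchor skips the
    # "... maximum N vlan access|voice" sub-limits, which are not checked here.
    $maximum = 1
    foreach ($l in $lines) {
        if ($l -match '^switchport port-security maximum (\d+)$') { $maximum = [int]$Matches[1] }
    }
    # Only lines carrying a real MAC count; the bare "mac-address sticky" line
    # just enables sticky learning and is not an assigned address.
    $macRegex = '^switchport port-security mac-address (sticky )?([0-9a-f]{4}\.){2}[0-9a-f]{4}'
    $macCount = @($lines | Where-Object { $_ -match $macRegex }).Count
    $status = 'OK'
    if (-not $enabled) { $status = 'NO-PORT-SECURITY' }
    elseif ($macCount -lt $maximum) { $status = 'MISSING-MACS' }
    [pscustomobject]@{ Interface = $Block.Name; Enabled = $enabled; Maximum = $maximum
                       MacCount = $macCount; Status = $status }
}

function Get-PortSecurityFindings {
    param([string]$ConfigDir)
    # One object per non-compliant port, tagged with the config file (switch) name.
    foreach ($file in Get-ChildItem -Path $ConfigDir -Filter '*.txt' -Recurse) {
        foreach ($b in @(Get-InterfaceBlocks -Lines (Get-Content -Path $file.FullName))) {
            $r = Test-PortSecurity -Block $b
            if ($r -and $r.Status -ne 'OK') {
                $r | Add-Member -NotePropertyName Switch -NotePropertyValue $file.BaseName -PassThru
            }
        }
    }
}

function Send-PortSecurityReport {
    param([string]$ConfigDir, [string[]]$To, [string]$From, [string]$SmtpServer)
    $findings = @(Get-PortSecurityFindings -ConfigDir $ConfigDir)
    $body = 'All access ports have port-security and a full set of MACs.'
    if ($findings.Count -gt 0) {
        $body = $findings | Sort-Object Switch, Interface |
            Format-Table Switch, Interface, Status, Maximum, MacCount -AutoSize | Out-String
    }
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Body $body `
        -Subject "Port security report $(Get-Date -Format yyyy-MM-dd): $($findings.Count) finding(s)"
}

# Constructed sample modelled on the thread's interfaces: Fa0/6 is compliant,
# Fa0/7 lost its access-VLAN MAC after a move, Fa0/8 has no port-security,
# Gi0/1 is a trunk and is skipped.
$sample = @'
interface FastEthernet0/6
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
 switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aaaa.0108.a007 vlan voice
!
interface FastEthernet0/8
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
'@ -split "`r?`n"

@(Get-InterfaceBlocks -Lines $sample) | ForEach-Object { Test-PortSecurity -Block $_ } |
    Where-Object { $_ } | Format-Table Interface, Status, Maximum, MacCount -AutoSize
```

For the daily mail, schedule a task after the CatTools backup that dot-sources this file and calls Send-PortSecurityReport -ConfigDir 'C:\Program Files (x86)\CatTools3\Configs' -To 'user@domain.com' -From 'PowerShell_Report@domain.com' -SmtpServer 'mail.domain.com' (placeholders). The last two lines run the checks against the embedded sample only, so the logic can be tried without the config share or a mail server; note that a port whose sticky entry was removed but whose maximum is still 2 shows up as MISSING-MACS, which is exactly the gap the audit complained about.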

Author Closing Comment

by:pony10us
Ended up writing my own script in PS that accomplishes what I was after to a degree.

Thank you everyone.