Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.
port security report
We have port security set on our Cisco switches. The problem is that we have all ports active with dummy MAC's assigned initially. This causes an alert when a rouge device is plugged in which is good. What isn't good is if we move a device from one port to another the old port doesn't get the dummy MAC assigned leaving it vulnerable to a rouge device. We would like to have something that can look at ports to:
1. check for ports with port-security not turned on
2. check for ports with port-security turned on but no, or not enough since we also have phones on some of the same ports, MAC's assigned to it.
3. send an email daily with the results of 1&2
Thank you
1. check for ports with port-security not turned on
2. check for ports with port-security turned on but no, or not enough since we also have phones on some of the same ports, MAC's assigned to it.
3. send an email daily with the results of 1&2
Thank you
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
LVL 26
I have added Powershell and Windows Batch to the catagories. I have all the configs in text files so could this be accomplished by reading the files and looking for missing information?
What isn't good is if we move a device from one port to another the old port doesn't get the dummy MAC assigned leaving it vulnerable to a rouge device.Just configure port not to forget address that was on port. Set switchport port-security mac-address sticky in combination with switchport port-security aging to not to forget MAC address (default behavior). After device is moved to another port you can still have MAC address of previous device assigned to that port.
2. check for ports with port-security turned on but no, or not enough since we also have phones on some of the same ports, MAC's assigned to it.That is job for network configuration manager (NCM).
3. send an email daily with the results of 1&2
But, anyway, looks like that better solution for your needs is to use RADIUS in your network.
If MAC address is not already in RADIUS it should not get access to network.
Okay, a little more background might be helpful. We use Kiwi CatTools to backup our configurations and also to report on changes. Audit and management don't feel that is sufficient and I tend to agree. It tells us of changes but is too time consuming to go through and discover ports with incorrect/missing port-security.
What we are looking for is a way to receive a daily email with that information.
This is what a typical port looks like when configured properly.
interface FastEthernet0/6
description Fa0/6
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
Since there is no phone currently attached to this port the last line has a dummy MAC assigned.
No let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports the second to last line would be removed so that the computer will work on the new port. This can be done either by a third party switch port management tool we use or by someone actually accessing the switch remotely and putting in the "no" command. Either way it results in the configuration being changed to:
interface FastEthernet0/6
description Fa0/6
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
This leaves the port vulnerable to someone connecting a rouge computer to the port and not tripping the port security. Ideally a dummy MAC would be assigned however that almost never gets done.
We have lots of moves daily so we are looking for a way to receive an email every day that lists the switch and port that either doesn't have port-security set or is missing one or more of the lines that have the MAC.
There are other ways to do this however this is what our audit and management have asked for. It should be easy enough to accomplish since we have all the configurations saved nightly in text files. If they were stored on a Linux box we could simply use GREP however they are stored on a windows box.
We do use RADIUS for any outside access to the network however we can't lock that down by MAC since some people use their own computers and may sometimes need to use a different computer altogether. We use MFA so it doesn't matter what machine they use.
What we are looking for is a way to receive a daily email with that information.
This is what a typical port looks like when configured properly.
interface FastEthernet0/6
description Fa0/6
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.85bc.ad20 vlan access
switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
Since there is no phone currently attached to this port the last line has a dummy MAC assigned.
No let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports the second to last line would be removed so that the computer will work on the new port. This can be done either by a third party switch port management tool we use or by someone actually accessing the switch remotely and putting in the "no" command. Either way it results in the configuration being changed to:
interface FastEthernet0/6
description Fa0/6
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky aaaa.0108.a006 vlan voice
This leaves the port vulnerable to someone connecting a rouge computer to the port and not tripping the port security. Ideally a dummy MAC would be assigned however that almost never gets done.
We have lots of moves daily so we are looking for a way to receive an email every day that lists the switch and port that either doesn't have port-security set or is missing one or more of the lines that have the MAC.
There are other ways to do this however this is what our audit and management have asked for. It should be easy enough to accomplish since we have all the configurations saved nightly in text files. If they were stored on a Linux box we could simply use GREP however they are stored on a windows box.
We do use RADIUS for any outside access to the network however we can't lock that down by MAC since some people use their own computers and may sometimes need to use a different computer altogether. We use MFA so it doesn't matter what machine they use.
No let's say the computer on this port is moved to another port on the same switch today. Since you can't have the same MAC on two ports the second to last line would be removed so that the computer will work on the new port.Almost true, but you can have two ports configured with the same switchport port security MAC address. It is just MAC address that is allowed to use port, but not actual MAC address in CAM table.
So you don't have to use "no" command, previously assigned MAC addresses can stay on port without any risk (permits that host to use port, but not other hosts).. Try it, but it is basically the same as using the same dummy address everywhere.
We run a unicast environment which does not permit the same MAC on multiple ports on the same physical switch. When we try to move a machine from one port to another it tells us that it has found that MAC on another port and puts the new port into err-disabled.
It sounds like your needs are beyond what plain port security can do & you need to look at a NAC (network access control) solution. Software like OpenNAC or Cisco ISE can authenticate PC's based on certificates, and IP phones based on MAC OUI. Configuring NAC is a major project though, because of all the security settings that are needed to be in place.
Keep in mind that port security is an older security feature that dates back to the days of heavy desktop PC's that did not move around very often. It was not intended to handle devices that move around,or wireless devices. NAC is a complicated system to install and maintain, but it si the best option for current security needs.
Keep in mind that port security is an older security feature that dates back to the days of heavy desktop PC's that did not move around very often. It was not intended to handle devices that move around,or wireless devices. NAC is a complicated system to install and maintain, but it si the best option for current security needs.
When we try to move a machine from one port to another it tells us that it has found that MAC on another port and puts the new port into err-disabled.Yes, I totally forgot about that one, it is enough just to have MAC configured on port in the same VLAN.
A security violation occurs in either of these two situations:Learned MAC addresses can be easily removed from old port (not to wait MAC age timer) by issue clear mac address-table interface Gi x/y, but I totally forgot for the first part (bolded). I tested it with packet tracer just in case and in packet tracer everything is OK with that scenario - It does not reflect reality. :)
- When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic differs from any of the identified secure MAC addresses
In this case, port security applies the configured violation mode.
- If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN
@eeRoot
Thank you, I will look into Cisco ISE since we are run Cisco exclusively. However, I am not sure that it is really worth the effort due to our size.
@Predrag Jovic
Thank you, I have looked at several options but basically all I need is a daily email showing me what ports either don't have port security configured or don't have the proper, or any, MAC's assigned.
Since I have the configurations backed up nightly isn't there something similar to Linux's GREP that can be used to look at the configuration text files and create such a report? We are not looking to actually lock the network down any tighter. It is just that the examiners (audit) are complaining that we are not monitoring our exiting controls properly and therefore some holes have happened.
I hope that all makes sense.
Thank you, I will look into Cisco ISE since we are run Cisco exclusively. However, I am not sure that it is really worth the effort due to our size.
@Predrag Jovic
Thank you, I have looked at several options but basically all I need is a daily email showing me what ports either don't have port security configured or don't have the proper, or any, MAC's assigned.
Since I have the configurations backed up nightly isn't there something similar to Linux's GREP that can be used to look at the configuration text files and create such a report? We are not looking to actually lock the network down any tighter. It is just that the examiners (audit) are complaining that we are not monitoring our exiting controls properly and therefore some holes have happened.
I hope that all makes sense.
Well, that is typically job for NCM. One of options is compliance. You can create scripts to check configurations, run scripts during the night as you do and send reports afterwards. I don't know tools that already have templates for what you need, but for sure you can create scripts.
I guess that you can script what you need in Kiwi CatTools.
I guess that you can script what you need in Kiwi CatTools.
Thank you, third party software would probably be more elegant than what I came up with I did end up writing a PS script that sort of does what I am after. It lists the port security settings for all ports (interfaces) and we just have to read the report to locate ones that are not correct.
Here is the script:
Here is the script:
function sendMail()
{
$sendTo = "user@domain.com", "user2@domain.com" #Multiple valuses separated by coma
$sendFrom = "PowerShell_Report@domain.com"
$mailSubject = "PowerShell Port Security Report for Branch $($number)"
$mailBody = "Branch $(number) switch port security report" #$output
Send-MailMessage -Subject $mailSubject -From $sendFrom -To $sendTo -body $mailBody -Attachments "C:\Program Files (x86)\CatTools3\Configs\Branch_0$($number)_Switchs\BR0$($number)switch.txt" -smtpServer mail.domain.com
} #End function sendMail
function sendMail2()
{
$sendTo = "user@domain.com", "user2@domain.com" #Multiple valuses separated by coma
$sendFrom = "PowerShell_Report@domain.com"
$mailSubject = "PowerShell Port Security Reportfor Branch $($number)"
$mailBody = "Branch $($number) switch port security report" #$output
Send-MailMessage -Subject $mailSubject -From $sendFrom -To $sendTo -body $mailBody -Attachments "C:\Program Files (x86)\CatTools3\Configs\Branch_$($number)_Switchs\BR$($number)switch.txt" -smtpServer mail.domain.com
} #End function sendMail
#Clear-Host
$NumArray = (1..9)
ForEach ($number in $numArray ) {
Get-ChildItem -Path "C:\Program Files (x86)\CatTools3\Configs\Branch_0$($number)_Switchs\*.txt" -recurse | Select-String -Pattern Ethernet,maximum,sticky | Out-File -filepath "C:\Program Files (x86)\CatTools3\Configs\Branch_0$($number)_Switchs\BR0$($number)switch.txt"
sendMail
}
$NumArray = (10..11)
ForEach ($number in $numArray ) {
Get-ChildItem -Path "C:\Program Files (x86)\CatTools3\Configs\Branch_$($number)_Switchs\*.txt" -recurse | Select-String -Pattern Ethernet,maximum,sticky | Out-File -filepath "C:\Program Files (x86)\CatTools3\Configs\Branch_$($number)_Switchs\BR$($number)switch.txt"
sendMail2
}
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Ended up writing my own script in PS that accomplishes what I was after to a degree.
Thank you everyone.
Thank you everyone.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.