Network administrators should also be concerned about the security of switches under their care. Learn about physical security for network switches, the use of VLANs for switched network security and the use of port security techniques.
- [Narrator] Network administrators should also be concerned about the security of switches under their care. One of the most important security tasks surrounding switches is maintaining physical security of the device. Unlike routers, which are normally centrally located in secure data centers or network rooms, switches are generally spread all over the place, providing connectivity at the edge of the network in every building and floor throughout an organization's physical facilities. From a security perspective, this can be a nightmare.
So it's critical just to keep those switches locked away, where nobody can physically access them without authorization. The reason for this is simple: if someone gains physical access to your switch, they can take physical control of that portion of the network. Earlier in the course, you learned how virtual LANs, or VLANs, may be used to increase the security of networks by isolating unrelated systems and users from each other. Switch administrators should implement some common practices to ensure the secure implementation of VLANs.
First, VLAN Pruning is a good practice. You might recall that switches use a technology known as VLAN Trunking to carry VLANs across the many switches that make up a network. This allows any switch port on the network to join any VLAN trunked to that switch. A best practice for network security is to implement the least privilege rule and only trunk VLANs to switches if the VLAN is needed on that switch. This requires a little more work on the part of network administrators, but it also reduces the risk of a compromised switch.
For example, if you have a VLAN for the sales department and the sales department is contained entirely within a single building, you should only trunk the sales VLAN within that building and not into other buildings. Second, malicious users may attempt an attack known as VLAN Hopping to switch from their authorized VLAN to one containing resources that they would like to attack. Attackers might do this through a variety of means, but most of these techniques rely upon pretending to be a switch and asking the switch to trunk VLANs to the malicious user's device.
The countermeasures for this attack vary from device to device, but generally speaking, you should configure your switches to deny automatic VLAN trunk negotiation and only trunk VLANs when they're explicitly authorized by a network administrator. Finally, network administrators may wish to implement a technology known as Port Security. This protects against attackers disconnecting an authorized device from the wired network and replacing it with a rogue device that may eavesdrop on other users or attempt to access secure network resources.
Port Security works by limiting the MAC addresses that may be used on a particular switch port and requiring administrator intervention to change out a device. Port Security works in two modes. In static mode, the administrator manually configures each switch port with the allowable MAC addresses for that port. This is very time-consuming, but it is the most secure way to implement port security. In dynamic, or sticky, mode, the administrator enables port security and then tells the switch to memorize the first MAC address that it sees on any given port and then restrict access to that MAC address.
This makes configuration much faster, but it can be risky if you have unused but active switch ports. Following these simple security practices can help the security of your network switching infrastructure immensely.
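The three practices covered above (no automatic trunk negotiation, VLAN pruning on trunks, and Port Security on access ports) can be audited from a saved switch configuration. The script below is an added example, not course material, and assumes Cisco IOS-style syntax and a constructed sample config; treating a port with no explicit mode as a DTP-negotiating default is an assumption that varies by platform.

```python
import re

# Constructed sample of an IOS-style running-config; not captured from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented config lines (stripped)."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.MULTILINE)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def audit(config: str) -> dict:
    """Return {interface: [findings]} for ports missing one of the three practices."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l.removeprefix("switchport mode ") for l in lines
                     if l.startswith("switchport mode ")), None)
        # Assumption: no explicit mode means the platform default, taken here to be dynamic (DTP on).
        if mode is None or mode.startswith("dynamic"):
            issues.append("trunk negotiation (DTP) possible: set an explicit access or trunk mode")
        if mode == "trunk" and "switchport nonegotiate" not in lines:
            issues.append("trunk still sends DTP frames: add switchport nonegotiate")
        if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("trunk carries every VLAN: prune with an allowed-VLAN list")
        if mode == "access" and not any(l.startswith("switchport port-security") for l in lines):
            issues.append("access port without port security")
        if issues:
            findings[name] = issues
    return findings
```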
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security