Preventing unauthorized devices from connecting to a Cisco switch

Hello all,

In this post I want to cover ways to mitigate unauthorized devices connecting to a switch, for instance in a public library or an internet cafe where the access switch can be reached by the public.

Just to set the stage for this example, there is an internet cafe called Bob's Internet Cafe. Bob has a single 24-port Cisco 2950 switch that provides LAN access for all of his desktop PCs; not all ports are in use, and each PC is given an IP address via DHCP. If no protection is in place and Mr Hacker comes into Bob's cafe with a laptop and an Ethernet cable and plugs into Bob's switch, Mr Hacker can now use his own laptop on Bob's network to wreak all kinds of havoc. Let's dig in and ruin Mr Hacker's day.

Here is the layout of Bob's network:

Screenshot from 2012-12-28 18:13:19

As we can see this is a simple enough network, but there are many security concerns that Bob needs to take into account. For example, Bob is only using 8 of the switch's 24 ports, which leaves 16 ports that are an attack vector. Let's secure these ports.

The first thing we will do is enable Cisco port security on all ports. Then we will lock down all ports that are not in use, and on the ports that are in use we will deny any MAC address that is not the MAC address of one of Bob's PCs.

Let's begin.

First, determine which ports are in use:

Switch#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual up                    up
FastEthernet0/4        unassigned      YES manual up                    up
FastEthernet0/5        unassigned      YES manual up                    up
FastEthernet0/6        unassigned      YES manual up                    up
FastEthernet0/7        unassigned      YES manual up                    up
FastEthernet0/8        unassigned      YES manual up                    up

 

Now we can see we are using ports 1-8, so let's lock down ports 9-24:

Code
______

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int range f0/9-24
Switch(config-if-range)#shut
______

You will see output from the switch like this (one line per port in the range):

%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down

Now let's disallow any MAC addresses that are not those of the PCs that Bob owns. These commands are for the ports that are in use, so the interface range is changed to f0/1-8 first (the range we just shut down stays shut):

Code
______

Switch(config-if-range)#int range f0/1-8
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#
______

The above command makes the switch learn the MAC address currently seen on each interface and write it into the running configuration as the only MAC address allowed to connect to that interface. Sticky addresses live in the running config, so save it with copy running-config startup-config or they are lost on the next reload.

Now make all ports static access ports instead of dynamic ports. Port security can only be enabled on a port whose switchport mode is set statically, so this step is required before port security itself can be turned on:

Code
______

Switch(config-if-range)#switchport mode access
Switch(config-if-range)#
______

Now we will configure the interfaces so that if someone does plug another device into a port, the port automatically shuts down, going into what is called the error-disabled (err-disabled) state.

The commands below enable port security on each interface, set the violation action to shutdown so the port is disabled if a different MAC address is detected on it, and limit the port to a single MAC address. Both shutdown and a maximum of 1 are the defaults, so they will not show up in the running configuration:

Code
______

Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#
______

Let's look at what our config looks like now:

Switch#sh run
Building configuration…

Current configuration : 3095 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.6364.A202
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0005.5ED2.059

We can now see that the only MAC address allowed to connect to f0/2 is 0005.5ED2.059.

Let's see what happens if another device with a different MAC address is connected to this port:

Switch#sh int f0/2
FastEthernet0/2 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0090.0cd8.0302 (bia 0090.0cd8.0302)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

We can see that the port has automatically shut down because a disallowed MAC address was connected to it. Now Mr Hacker gets no IP 🙁 The port stays err-disabled until an administrator issues shutdown followed by no shutdown on the interface (unless errdisable recovery has been configured), so Bob will notice when this happens.
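As an added example (not part of the original post and not a Cisco tool), here is a small Python audit that reads a running-config dump like the sh run output above and reports the ports that are missing the settings applied in this post. The config inside it is constructed for the example; the interface names and MAC address are assumptions.

```python
# Constructed sample running-config (not a capture from a real switch): f0/1 is set up
# as in the post, f0/2 only has sticky learning, f0/9 was never touched, f0/10 is shut.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.6364.A202
!
interface FastEthernet0/2
 switchport port-security mac-address sticky
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 shutdown
!
"""

def parse_interfaces(config):
    """Split a running-config into {interface name: [its config lines]}."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None  # a bare '!' ends the interface block
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_interface(lines):
    """Findings for one port; an empty list means it is locked down."""
    if "shutdown" in lines:
        return []  # unused port administratively down, as done for f0/9-24
    # 'violation shutdown' and 'maximum 1' are IOS defaults, so sh run omits them
    findings = [msg for cmd, msg in (
        ("switchport mode access", "not a static access port"),
        ("switchport port-security", "port-security not enabled"),
        ("switchport port-security mac-address sticky", "sticky learning not enabled"),
    ) if cmd not in lines]
    # a learned sticky MAC is the same sticky command with the address appended
    if not any(l.startswith("switchport port-security mac-address sticky ") for l in lines):
        findings.append("no sticky MAC learned yet, port will accept the first device seen")
    return findings

def audit_config(config):
    """Map every non-compliant interface to its findings."""
    return {name: f for name, lines in parse_interfaces(config).items() if (f := audit_interface(lines))}
```

Run against a saved sh run, the output lists only the ports that still need attention, which is a quick way to re-check Bob's switch after any change.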

In this post I covered how we can restrict access to physical ports on Cisco switches that can be reached by the public. The same approach applies to networks such as a VoIP network where only phones are supposed to be attached to the switch; you would follow the steps above to accomplish this.

If you have any questions, comments or suggestions, please leave them!

 

Till then, stay secure!
