Sunday, 2 November 2008

Physical Security

Following on from the last posting, we are going to talk about security, starting with physical security. Now, most of you think of keys and locked rooms when someone says physical security, or worse yet, mace spray.

Sadly, I’m not talking about your personal security, although you should take some steps there as well.

We are in fact talking about access to servers and consequently to your information. The majority of you will have taken some steps to lock your servers and switches away to prevent Joe Public from touching them, but will this be enough to stop the experienced data thief?

Truthfully, no: you have locked away the hardware but not what it’s connected to. As long as an RJ45 port comes out into the office somewhere, any device can be connected to it.

So today we are going to talk first of all about using 802.1x to stop unauthenticated PCs from being connected, and then move on to port security for the second part, to reduce the chance of a man-in-the-middle (MITM) attack.

To begin with you’ll need to set up IAS on your server and enter the IP address of the switch and the passkey you intend to use for the switch and the IAS service to authenticate with one another; we will assume you have done this already. If you need help with this, go to http://technet.microsoft.com/en-us/network/bb643123.aspx where you will find how to configure the IAS service.

In today’s example we’ll be using a Cisco switch running IOS 12.2 with 802.1x.
802.1x requires a device to authenticate itself with the switch before the switch will forward any packets to or from the device. This is an important first step for good network security.

aaa new-model
aaa authentication login default group radius
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.0.44 auth-port 1812 acct-port 1813 key IASPaSSwOrd123

Now that the global settings are in place you’ll need to apply them to the interfaces; see below how I’ve configured interface 0/1 to use the server for authentication.

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 3
dot1x port-control auto
spanning-tree portfast
spanning-tree bpduguard enable
speed auto

Now that we have set authentication on the port, we can look at some other things we can do to improve security still further.
With port security enabled, the switch learns the MAC address of the device plugged into the port. If the MAC address changes (e.g. someone plugs in a foreign machine), the switch shuts the port down.

interface FastEthernet0/3
switchport mode access
switchport port-security
dot1x port-control auto
spanning-tree portfast
spanning-tree bpduguard enable
speed auto

Now this is good, but it might not be the best fit: you might have decided to have more than one PC on a port, so you can allow the switch to learn more than one MAC address by changing the setting. In this case I’ve chosen for it to remember three MAC addresses.

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 3
dot1x port-control auto
spanning-tree portfast
spanning-tree bpduguard enable
speed auto

Another alternative, if you don’t want to be manually turning the ports back on every time you change a bit of hardware, is to set a time-out after which the port will re-enable itself. This time is counted in minutes, so as an example 600 minutes equals 10 hours.
Here is an example of port 5/1 re-enabling after 10 hours of shutdown.

set port security 5/1 shutdown 600
Note this is set at a global level, not at interface level. The "set port security ... shutdown" form is CatOS syntax; on an IOS 12.2 switch the equivalent is the global pair "errdisable recovery cause psecure-violation" and "errdisable recovery interval <seconds>", where the interval is counted in seconds rather than minutes.

This automatic re-enabling of the ports is good for preventing you from losing all the ports on the switch because of some re-cabling, or some user plugging and unplugging an un-permitted device into the switch, but it defeats the point if the time-out is too low. Try to keep it around the 8 hour mark or higher: this means that a user who has done something wrong will have to report it, and a data thief will have only one chance a day to try and connect, forcing him or her to wait hours or place a high-profile call to the helpdesk to get it re-enabled.
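As an added example (not code from the original post), here is a small Python audit that reads a saved running-config and reports which access ports are missing the 802.1x, port-security and BPDU guard lines discussed above, plus the two global commands they depend on. The config it checks is a constructed sample, and the lists of required lines are my assumption of a minimum baseline.

```python
# Constructed sample running-config (not from the post). Fa0/2 is deliberately
# left without dot1x or port-security so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.0.44 auth-port 1812 acct-port 1813 key IASPaSSwOrd123
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 dot1x port-control auto
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

REQUIRED_GLOBAL = ("aaa new-model", "dot1x system-auth-control")
REQUIRED_ACCESS = ("dot1x port-control auto", "switchport port-security",
                   "spanning-tree bpduguard enable")

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    """Map 'global' and each non-compliant access port to what it lacks."""
    glob = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = {"global": [g for g in REQUIRED_GLOBAL if g not in glob]}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for this check
        missing = [r for r in REQUIRED_ACCESS if r not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Running audit(SAMPLE_CONFIG) flags only FastEthernet0/2; feed it the output of "show running-config" to check a real switch the same way.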
