Port Security Configuration Changes
Port security means blocking unauthorized application service ports on devices and firewalls, as well as securing the physical and remote access ports that let a device communicate on the local network.
Network Appliance Security
Compromising network devices like switches, routers, and firewalls can allow an attacker to gather information and spread their attack throughout the network.
These devices can also be targets of Denial of Service (DoS) attacks. Just like servers, network appliances can have software vulnerabilities that need regular updates and patches.
To secure these devices:
- Stay Updated: Make sure the device vendor regularly provides vulnerability reports and patches, and keep the software up to date. Many problems come from running outdated software.
- Secure Access: Ensure that access to the management features of these devices is secure. They often have web interfaces that can contain vulnerabilities, such as cross-site scripting flaws.
- Use Secure Connections: It’s usually safer to manage these devices through a secure command-line interface (SSH) rather than a web browser.
- Limit Internet Access: If possible, prevent the management stations that configure these devices from accessing the Internet. This reduces the risk of compromise through web browser security flaws.
By following these steps, you can help protect your network appliances from potential attacks.
Physical Port Security and MAC Filtering
When firewall, proxy, and IDS logs indicate that unauthorized devices are connecting to the network, it’s essential to review port security methods. Network access can be controlled using physical port security, MAC filtering, or a Network Access Control (NAC) solution.
For wired ports:
- Secure Access: Limit access to physical switch ports and hardware to authorized personnel only, for example by housing hardware in secure server rooms or lockable cabinets.
- Disable Ports: To prevent unauthorized devices from connecting, you can disable switch ports through management software or physically remove the patch cable from the port. However, this approach creates administrative overhead and is prone to error.
- Incomplete Protection: Simply disabling unused ports does not provide complete security. An attacker could unplug a device from an enabled port and connect their own unauthorized device in its place.
To enhance security, more advanced methods have been developed, as traditional approaches may not be sufficient to fully protect the network.
MAC Filtering
MAC filtering is a method used to control which devices can connect to a specific switch port by specifying the allowed MAC addresses. Here’s how it works:
- Static Method: You can create a list of valid MAC addresses that are permitted to connect. However, this list can be hard to maintain and is prone to error as devices are added to or removed from the network.
- Dynamic Learning: Some switch models offer a more flexible approach by letting you set a limit on the number of allowed MAC addresses. For example, if port security is set to allow a maximum of two MAC addresses, the switch remembers the first two devices that connect to that port. Traffic from any other device trying to connect through that port is dropped, preventing unauthorized access.
This way, MAC filtering helps improve security by ensuring that only known devices can access the network through specific switch ports.
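As an added illustration (not from the original notes), the following Python model reproduces the two-address dynamic learning described above and also shows the caveat from the wired-port list: when a cable is pulled, dynamically learned addresses are forgotten unless they are configured as sticky, so the port then learns whatever device is plugged in next. The PortSecurity class and all MAC addresses are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Model of one switch access port with port security enabled (constructed example)."""
    max_addrs: int = 2                       # maximum MAC addresses allowed on the port
    static_allowed: set = field(default_factory=set)  # static method: pre-listed MACs
    sticky: bool = False                     # keep dynamically learned MACs across link flaps
    violation_mode: str = "restrict"         # "protect", "restrict" or "shutdown"
    learned: list = field(default_factory=list)       # dynamically learned MACs
    violations: int = 0                      # counted in restrict/shutdown mode
    err_disabled: bool = False

    def ingress(self, mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with source address `mac`."""
        mac = mac.lower()
        if self.err_disabled:
            return "drop"                    # a shut-down port passes nothing
        if mac in self.static_allowed or mac in self.learned:
            return "forward"
        # Unknown source: learn it while the table has room (static entries count too)
        if len(self.static_allowed) + len(self.learned) < self.max_addrs:
            self.learned.append(mac)
            return "forward"
        # Table is full: a security violation, handled according to the mode
        if self.violation_mode != "protect":
            self.violations += 1             # restrict/shutdown also log or send a trap
        if self.violation_mode == "shutdown":
            self.err_disabled = True
        return "drop"

    def link_down(self) -> None:
        """Cable pulled: non-sticky dynamic entries are forgotten, sticky ones survive."""
        if not self.sticky:
            self.learned.clear()


def demo(sticky: bool) -> dict:
    """Two legitimate hosts, then a third (unauthorized) device, then a cable swap."""
    port = PortSecurity(max_addrs=2, sticky=sticky)
    legit = ["00:11:22:33:44:01", "00:11:22:33:44:02"]       # constructed addresses
    rogue = "de:ad:be:ef:00:01"                              # constructed address
    first = [port.ingress(m) for m in legit + [rogue]]
    port.link_down()                                         # a host is unplugged ...
    after_swap = port.ingress(rogue)                         # ... and another device plugged in
    return {"first": first, "after_swap": after_swap, "violations": port.violations}
```

With sticky learning off, the swapped-in device is simply learned after the link flap; with sticky learning on, it is dropped and counted as a second violation.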
physical and logical ports. It prevents unauthorized devices from connecting to the network, mitigating risks such as data breaches and attacks.
Physical Port Security: This involves restricting physical access to network hardware and ports. Measures include securing switch ports, disabling unused ports, and ensuring only authorized personnel can access networking equipment.
While effective, physical security should be complemented by additional methods to safeguard against potential attacks.
MAC Filtering: MAC filtering enhances security by specifying which devices can connect to a switch port based on their MAC addresses. While it offers a layer of protection, maintaining an accurate list of allowed MAC addresses can be challenging.
Dynamic learning capabilities can simplify management but still require oversight to ensure that the security posture remains robust.
In summary, a comprehensive approach to port security that combines physical security, MAC filtering, and ongoing monitoring is vital for safeguarding network environments against unauthorized access and potential threats.
Network Access Control (NAC) Configuration Changes
If security monitoring finds serious threats from unauthorized devices on the network, just using physical port security and MAC filtering might not be enough. Network Access Control (NAC) is a solution that helps verify who is using the network and checks if their devices are secure before allowing them to connect.
This means that NAC can better protect the network by ensuring only trusted users and devices can access it.
IEEE 802.1X Port-based NAC (PNAC)
The IEEE 802.1X standard outlines a method called port-based Network Access Control (PNAC). This means that when a device wants to connect to the network, the network device (like a switch or router) first asks for authentication before opening the port for access.
Here’s how it works:
- The device trying to connect is called the supplicant.
- The network device that requests the authentication is known as the authenticator.
- The authenticator uses EAPoL (Extensible Authentication Protocol over LAN) to communicate with the supplicant and waits for it to provide its authentication details.
- The authenticator forwards these details to an authentication server, which checks whether they are correct.
- If the credentials are valid, the server grants access, and the network device opens the port to normal network traffic, assigning the correct VLAN and subnet to the connection.
This process helps ensure that only authorized devices can access the network.
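The exchange described above, as an added example that is not part of the original notes: a Python simulation in which the port drops every non-EAPoL frame until the authentication server returns Access-Accept, after which the port is authorized and assigned a VLAN. The AuthServer, Authenticator and user table are constructed stand-ins, and the "secret" field takes the place of the inner EAP method exchange.

```python
import hashlib
import hmac


class AuthServer:
    """Stand-in for the authentication (RADIUS) server; the user table is constructed.
    Only a digest of each password is kept, together with the VLAN to assign on success."""
    def __init__(self, users: dict):
        self.users = {u: (hashlib.sha256(p.encode()).hexdigest(), vlan)
                      for u, (p, vlan) in users.items()}

    def access_request(self, identity: str, secret: str) -> tuple:
        entry = self.users.get(identity)
        if entry is None:
            return ("Access-Reject", None)
        digest, vlan = entry
        offered = hashlib.sha256(secret.encode()).hexdigest()
        if hmac.compare_digest(digest, offered):      # constant-time comparison
            return ("Access-Accept", vlan)
        return ("Access-Reject", None)


class Authenticator:
    """The switch port: relays EAP to the server and stays closed until Access-Accept."""
    def __init__(self, server: AuthServer):
        self.server, self.state, self.vlan = server, "unauthorized", None

    def receive(self, frame: dict) -> str:
        if frame["type"] == "EAPOL-Start":
            return "EAP-Request/Identity"           # ask the supplicant who it is
        if frame["type"] == "EAP-Response":
            # the authenticator never checks credentials itself; it forwards them
            verdict, vlan = self.server.access_request(frame["identity"], frame["secret"])
            if verdict == "Access-Accept":
                self.state, self.vlan = "authorized", vlan   # open the port, assign VLAN
                return "EAP-Success"
            return "EAP-Failure"
        # ordinary data frames: only forwarded once the port is authorized
        return "forward" if self.state == "authorized" else "drop"


def run_exchange(identity: str, secret: str) -> dict:
    """Drive one supplicant through the exchange and report what the port did."""
    port = Authenticator(AuthServer({"alice": ("correct-horse", 10)}))   # constructed
    before = port.receive({"type": "data"})          # data frame before authentication
    port.receive({"type": "EAPOL-Start"})            # supplicant starts 802.1X
    # 'secret' stands in for the inner EAP method exchange (no plaintext on a real LAN)
    outcome = port.receive({"type": "EAP-Response", "identity": identity, "secret": secret})
    after = port.receive({"type": "data"})
    return {"before": before, "outcome": outcome, "after": after, "vlan": port.vlan}
```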
NAC Policies and Admission Control
While 802.1X focuses on authenticating devices trying to connect to the network, a more comprehensive Network Access Control (NAC) solution allows administrators to create policies that define the minimum security standards devices must meet to gain access. These policies are known as health policies.
Typical health policies check for the following:
- Malware infection: Ensuring that the device is not infected with any malicious software.
- Firmware and OS patch levels: Checking that the device’s operating system and firmware are up to date with the latest security patches.
- Host firewall/IDS status: Verifying that the device’s firewall or Intrusion Detection System (IDS) is active and functioning.
- Up-to-date virus definitions: Making sure the device’s antivirus software has the latest virus definitions.
Additionally, a NAC solution may be able to:
- Scan the Registry: Checking system settings and configurations.
- Perform file signature verification: Ensuring that critical files are intact and have not been tampered with.
These health policies help ensure that only devices meeting specific security standards can connect to the network, enhancing overall security.
Key Features of NAC Solutions
1. Posture Assessment: This feature involves evaluating the endpoint device to ensure it complies with the health policy. Information can be collected from the device in two ways:
- Agent Installation: Installing software on the device that reports compliance information.
- Polling: Regularly querying the device for compliance information without an installed agent.
2. Remediation: This is what happens when a device does not meet the security profile. Options include:
- Refusing Connection: The device may be denied access to the network entirely.
- Captive Portal: The device is placed in a restricted access area where it cannot reach the general network. In this state, the user may be prompted to install required updates or security patches.
3. Pre- and Post-Admission Control:
- Pre-Admission Control: Most NAC solutions require that devices meet the health policy before they can connect to the network.
- Post-Admission Control: This involves regularly re-checking devices after they have been granted access to ensure they continue to meet compliance standards. Some NAC solutions focus only on post-admission control, while others implement both pre- and post-admission controls.
These features work together to enhance network security by ensuring that only compliant devices can connect and remain connected.
Types of Policies in Network Access Control (NAC)
NAC solutions can support various policies and criteria for granting or denying network access. Here are some of the key types:
1. Time-based Policies:
- Access Periods: These policies define specific times when hosts can access the network.
- Usage Windows: For example, access can be limited to certain hours, preventing users from connecting outside those times.
- Concurrent Log-ons: Some solutions allow a user to connect multiple devices (such as a PC and a smartphone) simultaneously, while blocking any additional devices.
2. Location-based Policies:
- Geographic Location: These policies evaluate where the endpoint requesting access is located, using services that can determine the device’s location.
- IP Reputation: Access can be blocked based on IP addresses or subnets that are known to be suspicious.
- Internal Network Monitoring: This policy helps prevent access attempts that aim to bypass firewalls between different parts of the internal network.
3. Role-based Policies:
- Adaptive Access: NAC re-evaluates authorization based on what the device is trying to do.
- Specific Functions: For example, if a device tries to access a subnet meant for server management, NAC checks whether the user account or device is authorized for that role. If not, NAC may shut down access or raise an alert.
4. Rule-based Policies:
- Logical Statements: These more complex policies enforce a series of rules defined as logical statements (e.g., IF condition A AND condition B THEN grant access). This approach allows flexible and granular access control.
These diverse policy types help organizations tailor their network access controls to better fit their specific security needs and operational requirements.
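As an added example (not from the original notes) tying together the health policies and remediation options above and the time-, role- and rule-based policy types in this section: a small Python policy engine that runs posture assessment, chooses refuse / quarantine (captive portal) / admit as the outcome, and then applies a first-match rule list of the IF a AND b THEN form. All thresholds, rules and sample posture reports are constructed.

```python
from datetime import datetime

# Health policy: (check name, predicate over the posture report, remediable by the user?)
HEALTH_POLICY = [
    ("no_malware",      lambda p: not p["malware_detected"],    False),
    ("os_patch_level",  lambda p: p["os_patch_age_days"] <= 30, True),
    ("host_firewall",   lambda p: p["firewall_enabled"],        True),
    ("av_definitions",  lambda p: p["av_def_age_days"] <= 7,    True),
]

# Rule-based policy: first rule whose conditions all match wins (IF a AND b THEN verdict)
RULES = [
    ({"role": "admin", "agent_installed": True, "target": "server-mgmt"}, "admit"),
    ({"target": "server-mgmt"}, "refuse"),    # anyone else touching server management
    ({}, "admit"),                            # default: no extra restriction
]
ACCESS_HOURS = range(7, 20)                   # time-based policy: 07:00 to 19:59


def posture_assessment(posture: dict) -> list:
    """Return [(check, remediable)] for every health-policy check the endpoint fails."""
    return [(name, fix) for name, check, fix in HEALTH_POLICY if not check(posture)]


def rule_based(context: dict) -> str:
    for conditions, verdict in RULES:
        if all(context.get(k) == v for k, v in conditions.items()):
            return verdict
    return "refuse"                            # no rule matched: fail closed


def admission_decision(posture: dict, context: dict, now: datetime) -> str:
    """Combine health, time-based and rule-based policies into admit/quarantine/refuse."""
    failures = posture_assessment(posture)
    if any(not fix for _, fix in failures):
        return "refuse"                        # e.g. malware present: no remediation path
    if failures:
        return "quarantine"                    # captive portal until patches/AV are fixed
    if now.hour not in ACCESS_HOURS:
        return "refuse"                        # outside the permitted usage window
    return rule_based(context)


# Constructed sample posture reports, connection contexts and clock values
HEALTHY = {"malware_detected": False, "os_patch_age_days": 5, "firewall_enabled": True, "av_def_age_days": 1}
STALE = dict(HEALTHY, os_patch_age_days=90)
INFECTED = dict(HEALTHY, malware_detected=True)
ADMIN = {"role": "admin", "agent_installed": True, "target": "server-mgmt"}
CONTRACTOR = {"role": "contractor", "agent_installed": False, "target": "server-mgmt"}
DAYTIME, NIGHT = datetime(2024, 5, 6, 10, 0), datetime(2024, 5, 6, 23, 0)
```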