Networking, Iris Scenarios: Port Security - Restricting Port Access to Specific MAC Addresses
Introduction
On Technology Services-managed campus switches, you can choose to restrict access to a port based on the MAC address of the computer or device that plugs into the port.
In order to tell whether or not your switch is eligible, select the switch and click the Port Security tab.
If your switch is not eligible for port-level MAC address control, the Port Security Config field will say Port Security Inappropriate.
If a switch will accept port security settings, you'll have a menu box available in the Port Sec column for each eligible port.
- When Port Security is set to Off, no additional options will be shown for that port.
- When Port Security is set to Automatic or Manual, you can provide additional security controls for that port.
Known issues in version 5.3
In Iris version 5.3, port security has been expanded to include all three major manufacturers of switches on the campus network: Cisco, Foundry, and HP.
However, there are some known issues with the way that Cisco and Foundry switches report information to Iris, and therefore with the way that Iris reports changes in port security on those systems.
Port Security options
You can permit a selected number of MAC addresses (up to 8) when Port Security is enabled.
When you first enable Port Security for a port by changing the setting from Off to either Automatic or Manual MAC collection, the default response to an unapproved MAC address is to filter that address's traffic rather than to disable the port entirely.
Port security settings take effect immediately, so it's better to stay with the default Filter action until the list of approved MAC addresses has been entered. If you change the action from Filter to Disable first, any computer plugged into a Manual port would immediately disable the port, since no MAC addresses would yet be listed as approved. (The interaction of the various settings is described in more detail later.)
Automatic or Manual MAC address collection options
- The Automatic option will collect MAC addresses in the order that machines are connected to the port. If you indicate that three machines are permitted, and then a fourth is connected, the fourth will be treated as an intruder unless you increase the number of MAC addresses that can be accepted.
Note: It may take a minute or so for a computer's MAC address to be detected if it is not actively communicating over the network at the time. To speed up the detection, have your computers perform network activity such as pinging while you're working with Automatic detection in Iris.
- The Manual option will treat any computer as an intruder until you manually enter its MAC address into the accepted list.
- Automatic to Manual saves MAC addresses: Any MAC addresses collected during Automatic detection will be preserved when port security is changed to Manual. You can use the Automatic setting to detect a lot of MAC addresses at once (for example, if you have a lab full of computers) and then switch the setting to Manual to prevent any additional computers from being accepted.
- A change in the number of automatic MAC addresses detected will clear all MAC addresses: If you have the detection mode set to Automatic and change the number of MAC addresses allowed, Iris removes all of the currently existing MAC addresses and re-scans the MAC addresses of any computers which are currently attached to the port.
However, if you have the detection mode set to Manual when you change the number of MAC addresses, Iris keeps the existing MAC addresses and waits for you to enter new MAC addresses.
If you want to change all of the MAC addresses associated with a port, set the detection mode on Automatic. If you want to keep existing MAC addresses and add a couple more individually, set the detection mode on Manual.
- Storing MAC addresses: Once a MAC address is learned, it is retained until either (a) the number of permitted MAC addresses is changed while the port is in Automatic mode, (b) the address is specifically removed from the port, or (c) Port Security is disabled. If the switch is rebooted, the learned MAC addresses will still be assigned to the port when the switch comes back online.
After you've chosen Automatic or Manual MAC entry, the Port Security options interface looks approximately like this:
The top text field shows any entered MAC addresses and any available information about the manufacturer of the network card.
The text field is automatically sized to contain the permitted number of MAC addresses. (Note: In the case above, since 3 MAC addresses can be learned and only 2 have been entered, the text box leaves a blank line at the bottom. If you set a port to accept 8 MAC addresses but only 1 MAC has been entered, you'll have a large text box with a lot of white space. This is normal.)
The items on the line immediately below the text box control the handling of any unapproved MAC addresses.
- Filter - This setting allows data from the approved MAC addresses to pass through, but filters out any data from unapproved MAC addresses. In other words, someone who plugs an unapproved laptop into a mini-switch attached to the port will not have networking capability; but the approved computer will continue to work.
- Disable - This setting automatically turns the port off when an unapproved MAC address is detected. This means that neither the intruder nor the approved computer will be allowed to access the network through this port until the unapproved computer is removed and you re-enable the port.
The State part of the line indicates whether an intrusion has been detected and gives options to respond.
In the screen shot above, no intruding MAC addresses have been detected, so the state is shown as Normal.
When the action is set to Filter and an intruding MAC address is detected:
- The intruding computer's data is blocked, but data sent by computers with MAC addresses on the accepted list is still forwarded correctly.
- (On an HP switch:) The state changes to Intrusion, and a Reset button is added.
(On a Cisco or Foundry switch, the state indicator doesn't change, but data is still filtered as described in the first item.)
When the action is set to Disable and an intruding MAC address is detected:
- The port is automatically disabled, and will need to be re-enabled. (Both the intruding computer and any legitimately recognized computers are blocked.)
- The state is changed to Shutdown, and the Reset button is added.
Making any changes to the port security configuration in Iris will re-enable the port and check the current port traffic against the new port security definition.
Resetting a port after an intrusion is detected
In order to be able to return a port to normal functioning after an intrusion detection, any intruding computer(s) should be removed from the port and any permitted computer(s) should remain in place.
You should only use Iris to reset port security after the computer(s) have been adequately repositioned.
This is for two reasons:
1) Iris can re-detect an intrusion quickly enough that you may not be able to perceive a desired reset or re-enabling.
If you click "Enable" or "Reset" on a port that has the Intrusion notice, and the intruding computer is still present, Iris may re-detect the intruding computer and renew the Intrusion alert immediately. You may not be able to see the re-enabling since it is immediately followed by re-disabling.
To avoid this, make sure the unexpected computer is either removed from the network or given permission to access the network before resetting the port security status in Iris.
2) On Cisco switches, the permitted computer must be allowed to communicate or else Iris won't receive an acknowledgement that the situation has been corrected.
Because of the way Cisco switches report error conditions, a port is viewed as disabled until new communication has successfully taken place, even though the port itself has been re-enabled.
The items on the second line below the text box deal with controlling MAC addresses.
If you have chosen Automatic MAC recognition, the first item will be the Learn menu with a list of numbers up to 8. This is where you designate the number of MAC addresses permitted on this port.
If you have chosen Manual MAC entry, the first item will be a text field followed by an Add button. You can enter MAC addresses manually here and click Add to place them on the accepted list.
After the Learn or Add items, the last two buttons are Del and Clear All. Del is used to remove a specific selection of MAC addresses from the port's list, and Clear All is used to both remove all MAC addresses from the port's list and reset any state changes related to intrusion detection.
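The rules described above (Automatic versus Manual collection, what a change to the permitted count does to the list, Filter versus Disable, the latched Intrusion or Shutdown state, and why a Reset with the intruder still attached re-triggers at once) can be exercised as a small model. The Python below is an added example written for this page, not code from Iris or Technology Services; the class and method names, the vendor parameter (which only reproduces the HP/Cisco/Foundry difference in the State indicator) and the rule that Add refuses a full list are assumptions, and the MAC addresses are constructed for the demonstration.

```python
"""Model of the Iris port-security behaviour described above: an added example, not
Iris code.  Mode (Automatic/Manual), permitted count and action (Filter/Disable)
interact as the page describes; names and the vendor parameter are assumptions."""
import re

MAX_MACS = 8  # the Learn menu offers 1..8 permitted addresses per port


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return
    the canonical lower-case colon form, rejecting anything else."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class Port:
    """One port as Iris presents it: mode, count, action, accepted list, State."""

    def __init__(self, mode="off", limit=1, action="filter", vendor="hp"):
        self.vendor = vendor  # "hp", "cisco" or "foundry": only HP flips State on Filter
        self.permitted = []   # accepted MACs, in the order learned or added
        self.attached = []    # MACs currently seen on the port, in connection order
        self.state, self.enabled = "normal", True  # State: normal/intrusion/shutdown
        self.mode, self.limit, self.action = "off", 1, "filter"
        self.set_mode(mode); self.set_limit(limit); self.set_action(action)

    def _evaluate(self):
        """Re-enable the port and check current traffic against the definition,
        as Iris does after every configuration change and on Reset/Enable."""
        self.enabled, self.state = True, "normal"
        if self.mode == "off":
            return
        for mac in self.attached:
            if mac in self.permitted:
                continue
            if self.mode == "automatic" and len(self.permitted) < self.limit:
                self.permitted.append(mac)  # Automatic: learn in connection order
                continue
            if self.action == "disable":    # unapproved MAC: everyone loses the port
                self.enabled, self.state = False, "shutdown"
                return
            if self.vendor == "hp":         # Filter: Cisco/Foundry keep showing Normal
                self.state = "intrusion"
    reset = _evaluate                       # Reset / Enable button
    def forwards(self, mac):
        """Does traffic from this MAC pass the port?  Off mode passes everything."""
        mac = normalize_mac(mac)
        return self.enabled and (self.mode == "off" or mac in self.permitted)
    def connect(self, mac):                 # traffic event: a latched Intrusion or
        mac = normalize_mac(mac)            # Shutdown state stays until Reset
        if mac not in self.attached:
            self.attached.append(mac)
        if self.state == "normal":
            self._evaluate()
    def disconnect(self, mac):
        mac = normalize_mac(mac)
        if mac in self.attached:
            self.attached.remove(mac)
        if self.state == "normal":
            self._evaluate()
    def set_mode(self, mode):               # Off / Automatic / Manual menu
        if mode not in ("off", "automatic", "manual"):
            raise ValueError(mode)
        if mode == "off":
            self.permitted.clear()          # turning Port Security off drops the list
        self.mode = mode                    # Automatic -> Manual keeps what was learned
        self._evaluate()
    def set_limit(self, n):                 # the Learn menu
        if not 1 <= n <= MAX_MACS:
            raise ValueError(n)
        self.limit = n
        if self.mode == "automatic":
            self.permitted.clear()          # Automatic: count change clears and re-scans
        self._evaluate()                    # Manual: list kept, waits for Add
    def set_action(self, action):           # Filter / Disable
        if action not in ("filter", "disable"):
            raise ValueError(action)
        self.action = action
        self._evaluate()
    def add_mac(self, mac):                 # Manual text field + Add button
        mac = normalize_mac(mac)
        if self.mode != "manual":
            raise RuntimeError("Add is only offered in Manual mode")
        if len(self.permitted) >= self.limit:  # assumption: Add refuses a full list
            raise RuntimeError("permitted list is full; raise the count first")
        if mac not in self.permitted:
            self.permitted.append(mac)
        self._evaluate()


if __name__ == "__main__":
    # Shared-office recipe with constructed MACs: learn two, lock the list, a visitor plugs in.
    office = Port(mode="automatic", limit=2)
    office.connect("00:11:22:33:44:01"); office.connect("0011.2233.4402")
    office.set_mode("manual"); office.connect("00-11-22-33-44-03")
    print(office.state, office.forwards("00:11:22:33:44:01"), office.forwards("00:11:22:33:44:03"))
    office.reset(); print(office.state)  # intruder still attached: re-latches immediately
    office.disconnect("00-11-22-33-44-03"); office.reset(); print(office.state)
```

Running the file walks through the shared-office recipe: two machines are learned automatically, the list is locked by switching to Manual, and a third machine is then filtered while the first two keep working. The Reset with the visitor still attached goes straight back to Intrusion, which is the situation the reset section warns about, and only after the visitor is unplugged does the Reset leave the port in the Normal state. The same model shows the count-change difference: `set_limit` on an Automatic port empties the list and relearns whatever is attached, while on a Manual port the list is kept.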
Recommendations for common situations
There are some "recipes" you can use for managing certain types of situations through Iris's port security features.
Departmental Wireless port: Port security off
If you have a departmental wireless access point connected to a Port Security-eligible port, you'll probably want to disable the port security features for that port. Wireless locations can have many computers legitimately using the connection, and you probably won't want a support call after every eighth visitor.
Shared office: Automatic followed by Manual, then filtering
If you have several students, staff, or faculty members sharing a common office and they may move from jack to jack around the room, you can set Iris to automatically accept MAC addresses for the number of computers that they have among them.
After a certain amount of use, you can collect the MAC addresses that have been used in that room, switch to Manual, and make sure that all of the addresses are listed for all the ports in the room, even if a computer hasn't moved there yet.
Filtering allows you to ensure that only the permitted computers will have access to the room's network capabilities, without automatically disabling ports every time a visitor tries to plug in a laptop.
Computer lab: Automatic then your choice of filtering or disabling
If you have dozens of computers in a lab and don't wish to type them all in manually, you can boot the computers, set each port to automatically accept the MAC address of the lab computer plugged into that port, and wait about 5-10 minutes to make sure that all of the computers have been detected.
The Disable setting will turn off the network for any computer connected to that port when the approved computer is unplugged and another computer is plugged in to that port. If anyone changes which computers are plugged into which ports or attempts to plug their own computer in, the affected port will be disabled for all computers -- even one that's returned to its correct port -- until you either correct the cabling or reassign MAC addresses and reset the port.
If you'd rather let approved computers keep working once they are reconnected to the right port, and prefer to block only intruders or computers that remain connected to the wrong port, use the Filter setting.