Networking, Iris Scenarios: Port Security - Restricting Port Access to Specific MAC Addresses

• The Automatic option will collect MAC addresses in the order that machines are connected to the port. If you indicate that three machines are permitted, and then a fourth is connected, the fourth will be treated as an intruder unless you increase the number of MAC addresses that can be accepted.
  
  Note: It may take a minute or so for a computer's MAC address to be detected if it is not actively communicating over the network at the time. To speed up the detection, have your computers perform network activity such as pinging while you're working with Automatic detection in Iris.

• The Manual option will treat any computer as an intruder until you manually enter its MAC address into the accepted list.
   
• Automatic to manual saves MAC addresses: Any MAC addresses collected during Automatic detection will be preserved when port security is changed to Manual. You can use the Automatic setting to detect a lot of MAC addresses at once (for example, if you have a lab full of computers) and then switch the setting to Manual to prevent any additional computers from being accepted.
   
• A change in the number of automatic MAC addresses detected will clear all MAC addresses: If you have the detection mode set to Automatic and change the number of MAC addresses allowed, Iris removes all of the currently existing MAC addresses and re-scans the MAC addresses of any computers which are currently attached to the port.
  
  However, if you have the detection mode set to Manual when you change the number of MAC addresses, Iris keeps the existing MAC addresses and waits for you to enter new MAC addresses.
  
  If you want to change all of the MAC addresses associated with a port, set the detection mode on Automatic. If you want to keep existing MAC addresses and add a couple more individually, set the detection mode on Manual.
   
• Storing MAC addresses: Once a MAC address is learned, it is retained until either (a) the number of ports is changed, (b) the address is specifically removed from the port, or (c) Port Security is disabled. If the switch is rebooted, the learned MAC addresses will still be assigned to the port when the switch comes back online.

After you've chosen Automatic or Manual MAC entry, the Port Security options interface looks approximately like this:

The top text field shows any entered MAC addresses and any available information about the manufacturer of the network card.

The text field is automatically sized to contain the permitted number of MAC addresses. (Note: In the case above, since 3 MAC addresses can be learned and only 2 have been entered, the text box leaves a blank line at the bottom. If you set a port to accept 8 MAC addresses but only 1 MAC has been entered, you'll have a large text box with a lot of white space. This is normal.)

The items on the line immediately below the text box control the handling of any unapproved MAC addresses.

• Filter - This setting allows data from the approved MAC addresses to pass through, but filters out any data from unapproved MAC addresses. In other words, someone who plugs an unapproved laptop into a mini-switch attached to the port will not have networking capability; but the approved computer will continue to work.
   
• Disable - This setting automatically turns the port off when an unapproved MAC address is detected. This means that neither the intruder nor the approved computer will be allowed to access the network through this port until the unapproved computer is removed and you re-enable the port.

The State part of the line indicates whether an intrusion has been detected and gives options to respond.

In the screen shot above, no intruding MAC addresses have been detected, so the state is shown as Normal.

When the action is set to Filter and an intruding MAC address is detected:

1. The intruding computer's data is blocked, but data sent by computers with MAC addresses on the accepted list are still forwarded correctly.
    
2. (On an HP switch:) The state changes to Intrusion, and a Reset button is added.
   (On a Cisco or Foundry switch, the state indicator doesn't change, but data is still filtered as described in step 1.)

When the action is set to Disable and an intruding MAC address is detected:

• 1. The port is automatically disabled, and will need to be re-enabled. (Both the intruding computer and any legitimately recognized computers are blocked.)
      
  2. The state is changed to Shutdown, and the Reset button is added.

Making any changes to the port security configuration in Iris will re-enable the port and check the current port traffic against the new port security definition.

In order to be able to return a port to normal functioning after an intrusion detection, any intruding computer(s) should be removed from the port and any permitted computer(s) should remain in place.

You should only use Iris to reset port security after the computer(s) have been adequately repositioned.

This is for two reasons:

1) Iris can re-detect an intrusion quickly enough that you may not be able to perceive a desired reset or re-enabling.

If you click "Enable" or "Reset" on a port that has the Intrusion notice, and the intruding computer is still present, Iris may re-detect the intruding computer and renew the Intrusion alert immediately. You may not be able to see the re-enabling since it is immediately followed by re-disabling.

To avoid this, make sure the unexpected computer is either removed from the network or given permission to access the network before resetting the port security status in Iris.

2) On Cisco switches, the permitted computer must be allowed to communicate or else Iris won't receive an acknowledgement that the situation has been corrected.

Because of the way Cisco switches report error conditions, a port is viewed as disabled until new communication has successfully taken place, even though the port itself has been re-enabled.

The items on the second line below the text box deal with controlling MAC addresses.

If you have chosen Automatic MAC recognition, the first item will be the Learn menu with a list of numbers up to 8. This is where you designate the number of MAC addresses permitted on this port.

If you have chosen Manual MAC entry, the first item will be a text field followed by an Add button. You can enter MAC addresses manually here and click Add to place them on the accepted list.

After the Learn or Add items, the last two buttons are Del and Clear All. Del is used to remove a specific selection of MAC addresses from the port's list, and Clear All is used to both remove all MAC addresses from the port's list and reset any state changes related to intrusion detection.

If you have a departmental wireless access point connected to a Port Security-eligible port, you'll probably want to disable the port security features for that port. Wireless locations can have many computers legitimately using the connection, and you probably won't want a support call after every eighth visitor.

If you have several students, staff, or faculty members sharing a common office and they may move from jack to jack around the room, you can set Iris to automatically accept MAC addresses for the number of computers that they have among them.

After a certain amount of use, you can collect the MAC addresses that have been used in that room, switch to Manual, and make sure that all of the addresses are listed for all the ports in the room, even if a computer hasn't moved there yet.

Filtering allows you to ensure that only the permitted computers will have access to the room's network capabilities, without automatically disabling ports every time a visitor tries to plug in a laptop.

If you have dozens of computers in a lab and don't wish to type them all in manually, you can boot the computers, set each port to automatically accept the MAC address of the lab computer plugged into that port, and wait about 5-10 minutes to make sure that all of the computers have been detected.

The Disable setting will turn off the network for any computer connected to that port when the approved computer is unplugged and another computer is plugged in to that port. If anyone changes which computers are plugged into which ports or attempts to plug their own computer in, the affected port will be disabled for all computers -- even one that's returned to its correct port -- until you either correct the cabling or reassign MAC addresses and reset the port.

If you'd rather let approved computers keep working once they are reconnected to the right port, and prefer to block only intruders or computers that remain connected to the wrong port, use the Filter setting.