Physical Port Security – CompTIA Security+ SY0-401: 3.6

Physical access to a network can be a significant security concern. In this video, you’ll learn how to protect your physical network interfaces using configuration settings and access control software.

<< Previous Video: Operating System HardeningNext: Security Posture >>

As security professionals, we spend a lot of time putting a lot of security on the border between the outside of our network and the inside of our network. But generally, we don’t spend a lot of time securing everything on the inside. We have a lot of firewalls and intrusion prevention systems that are locking people out from getting inside. But we don’t spend a lot of that money putting up those types of systems on the inside of our network.

The ports that are inside of our network therefore are generally wide open. We’ve got copper interfaces. We’ve got fiber interfaces. And of course, now we have wireless networks available. And so it’s important that we secure also those physical ports that are inside of our network, just as securely as we secure the outside of our network. It’s a constant balancing act to provide the right level of security on the inside of our network.

We want to prevent people from simply plugging into the network anywhere and gaining access to resources, but we also want to make the network accessible to everybody. There’s a conference room. We want people to be able to plug in and perform their business function. We just want to keep out the bad guys from doing exactly the same thing.

One way to filter out the types of systems that can plug into your network is through something called MAC filtering. The stands for Media Access Control, and it’s referring to the MAC address that is burned into the network cards that are inside of all of our computers. This would allow you to take an internal computer and connect it into that conference room. But if somebody brought their computer from outside of your network and tried to plug it in, that system would not have any access to your network.

This requires a little bit of work on the administration side. You have to collect all of the MAC addresses of all of your devices and you have to create a way to filter those out on every port that’s inside of your network. One of the challenges with MAC address filtering is that these MAC addresses can often be spoofed. A lot of the software that we use as drivers for these cards allow us to put in our own MAC address.

And if we happen to know what a legitimate Mac address is, we can simply duplicate that MAC and now we have the same access that all of your computers have inside of your network. Many organizations will associate the access to the network with the authentication that you must provide. This is using a functionality called 802.1x, where your machine must first authenticate to a central authentication server. And only after that authentication has happened do you gain access to the network.

If anybody comes from the outside and simply plugs in, they won’t have any access until they provide the correct username and password. Another good best practice is to administratively disable any switch ports that might not have anything directly connected. That way, you can be assured that nobody can walk into your closet, plug in from inside the infrastructure room, and then gain access to the network.

This also requires some additional administration, because you need to go through and make sure you know what ports are not physically in use and disable those. And then when you want those ports to be available, you obviously have to go back into your switch and administratively enable those ports so that they’ll operate properly on your network. It’s also a good idea to then do some periodic checks and make sure that nobody is using any ports they shouldn’t be.

And if you’ve documented this switch configuration and you know what devices should be plugged in where, it should be very easy then to look at your switch and see very quickly what devices may be plugged into ports that should not be in use. It may be very easy to find these unauthorized devices on a wired network.

But on a wireless network, it becomes a lot harder to find these rogue devices. You want to be able to perform audits and to be able to physically check your switches and to look at the lists of who might be connected to your wireless network. It’s not uncommon to use network mapping software to be able to find everybody who might be connected to a network.

And then you can compare that list to who might be actually authorized to be on the network. It’s also common to grab a spectrum analyzer, especially the portable ones you might use these days, and simply walk around your building to make sure that nobody has plugged in an access point that they brought from home, creating obviously a significant security concern on the wireless side.

And network access control can obviously provide you with a very secure method of authenticating people onto the network and only allowing the people who are authorized to gain access to your corporate resources.