[c-nsp] Alternatives for port-security in a L2 host redundancy environment

Peter Rathlev peter at rathlev.dk
Thu Apr 28 13:48:52 EDT 2011


On Thu, 2011-04-28 at 12:59 -0400, Christopher Pilkington wrote:
> Has anyone else run into this and found an alternate solution to
> port-security?  Basically we want to defend against two things: 1.
> someone unplugging the firewall and utilizing its switchport for other
> purposes (which is game over anyway, since that implies physical
> access to cage)

Yeah, anyone who can do that can also trivially find out what MAC
address the firewall uses and use it themselves. MAC based port-security
does not defend against the determined attacker at all, it just makes it
a little more difficult for people to cause trouble. Someone with
physical access to your firewall (or the switch to which your firewall
is connected) is a determined attacker.

I'm not deeply familiar with audits like these, but if they're seriously
asking for port-security on infrastructure ports they have IMHO
misunderstood something. User facing ports: yes maybe. Infrastructure
ports: no.

> 2. someone hijacking the MAC of the firewall from a
> different network interface.

Make sure the VLAN doesn't exist anywhere it shouldn't. If hosts have a
L2 connection to your firewall, secure the access ports with e.g. DAI,
DHCP snooping or static MAC entries.

-- 
Peter
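Added example, not part of Peter's reply or anything posted in the thread: a Cisco IOS access-layer configuration that implements what the reply suggests, i.e. keep port-security off the firewall uplink, pin the firewall MAC to that port with a static entry so it cannot be learned from a user port, and protect the user-facing ports with DHCP snooping, DAI and a one-MAC port-security limit. The interface numbers, VLAN 10, the firewall MAC 0011.2233.4455 and IP 192.0.2.50 are placeholders, not values from the original post.

```cisco
! Prune the firewall VLAN from trunks that do not need it, so the
! L2 domain only reaches the switches that really host those clients.
vtp mode transparent
interface GigabitEthernet1/0/48
 description trunk to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! DHCP snooping builds the IP/MAC/port binding table that DAI checks
! ARP packets against.  Drop the option-82 insertion if your DHCP
! server rejects relayed packets carrying it.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! Hosts with static addresses (here: the firewall itself) have no
! snooping binding, so they need an explicit ARP ACL or DAI drops them.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Infrastructure port: trusted for snooping and DAI, NO port-security.
! A static MAC entry on this interface means the switch will not learn
! the firewall MAC on any other port in VLAN 10, which is the actual
! defence against "someone hijacking the MAC of the firewall".
interface GigabitEthernet1/0/1
 description firewall inside interface
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree portfast
mac address-table static 0011.2233.4455 vlan 10 interface GigabitEthernet1/0/1
!
! User-facing ports: untrusted, rate-limited ARP, one MAC per port.
! "restrict" logs and drops instead of err-disabling the port, which
! avoids a trivial DoS against your own users.
interface range GigabitEthernet1/0/2 - 47
 description user access
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification after rollout:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show mac address-table vlan 10        (firewall MAC must show STATIC on Gi1/0/1)
!   show port-security interface GigabitEthernet1/0/2
```

The static MAC entry is the piece that addresses the audit's second concern on the switch itself; port-security on user ports only bounds how many addresses a given port may claim. As the reply says, none of this stops someone who can physically reach the firewall or its switch, it only removes the cheap remote ways of causing trouble.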
