Moses' Security

Enabling Port Security on a Cisco Switch

4/27/2019

CAM table overflows are typically thought of as an attack of the past; however, that does not mean we should forget about them. After all, once a vulnerability has been found, we cannot assume that future devices won't be vulnerable to the same threat. In short, a CAM table overflow is an attacker flooding a switch's MAC address table with bogus addresses until it fills, at which point the switch falls back to flooding all traffic out all ports, like a hub. This can create a DoS or allow the attacker to sniff traffic.
The best solution to this vulnerability is Port Security, and the configuration is quite simple; all you need is a Cisco switch.

Below we will walk through setting up port security on 24 ports to allow a maximum of 2 MAC addresses, to save the already existing MAC addresses, and to shut down the port if this limit is violated.
Default configuration: please note that by default Port Security learns only one MAC address and shuts down the port if a violation occurs.

moses-switch> enable
moses-switch# configure terminal
moses-switch(config)# ! grouping the range of ports, from 1 to 24
moses-switch(config)# int range gigabitEthernet0/1-24
moses-switch(config-if-range)# ! setting all of the ports to be access mode
moses-switch(config-if-range)# switchport mode access
moses-switch(config-if-range)# ! setting the maximum number of MAC addresses allowed
moses-switch(config-if-range)# switchport port-security maximum 2
moses-switch(config-if-range)# ! saving the already existing MAC addresses for port security
moses-switch(config-if-range)# switchport port-security mac-address sticky
moses-switch(config-if-range)# ! setting the ports to shut down if more than two MAC addresses are received
moses-switch(config-if-range)# switchport port-security violation shutdown
moses-switch(config-if-range)# ! lastly, enabling port security itself
moses-switch(config-if-range)# switchport port-security


Now please note that you can enable port security on a trunk; however, regardless of port type, the switchport must be statically configured as access or trunk, meaning it cannot be in dynamic mode.
In addition, while this example shuts down the port, in an enterprise environment it might be best to use the restrict or protect violation mode instead and set up an SNMP trap to alert an administrator to a potential problem. Also note that this is just the tip of the iceberg: port security can also rate limit and limit the number of MAC addresses saved per VLAN.
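As an added example (not code from the post), here is a small Python audit that parses a constructed IOS-style running-config excerpt and flags the gaps the post warns about: ports left in dynamic mode, access ports without port security enabled, and a maximum above policy. The interface names, config text, and the policy limit of 2 are assumptions; missing settings fall back to the IOS defaults the post mentions (maximum 1, violation shutdown).

```python
# Constructed running-config excerpt for a hypothetical switch; not from the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 switchport port-security
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 switchport port-security
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style running-config."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit_port_security(config, max_allowed=2):
    """Report each port's settings plus the problems the post warns about."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        mode = next((c[len("switchport mode "):] for c in cmds
                     if c.startswith("switchport mode ")), "dynamic (default)")
        maximum = next((int(c.split()[-1]) for c in cmds
                        if c.startswith("switchport port-security maximum ")), 1)  # IOS default
        violation = next((c.split()[-1] for c in cmds
                          if c.startswith("switchport port-security violation ")), "shutdown")
        issues = [msg for bad, msg in (
            (mode not in ("access", "trunk"), "mode must be static access or trunk"),
            ("switchport port-security" not in cmds, "port-security not enabled"),
            (maximum > max_allowed, f"maximum {maximum} exceeds policy {max_allowed}"),
        ) if bad]
        report[name] = {"mode": mode, "maximum": maximum,
                        "violation": violation, "issues": issues}
    return report
```

Feed it the output of `show running-config` from a real switch and any port with a non-empty issues list is one to fix or justify.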
Created by Moses J. Arocha ©