07-23-2013 06:51 AM - edited 03-07-2019 02:32 PM
Hi,
I am looking for ways to secure the access layer. So far, I have port-sec, DTP disabled, unused ports shut, and other ports in a VLAN that is not trunked.
Obviously, spoofing MACs to overcome port-sec is not that difficult, so what else can be done to secure the access layer? I read something related to using PVLANs?
Any other tips/advice is appreciated.
Thanks.
07-23-2013 07:25 AM
Hi sudip,
Private VLAN is used to restrict communication within a VLAN (subnet).
We will configure subVLANs inside the main (primary) VLAN.
There are 3 points:
community -- ports assigned to a community VLAN can talk to each other
Isolated -- cannot talk to any other ports except the promiscuous port
Promiscuous -- port connected to the router
Community and isolated VLANs can talk to the promiscuous port
If you have a DHCP server you can have DHCP snooping to protect from rogue DHCP servers. Also you can opt to configure BPDU guard, loop guard, root guard to keep the integrity of STP. UDLD is also a good feature to avoid loops if you have fiber links.
Hope this helps
Thanks
Shanil
Sent from Cisco Technical Support iPhone App
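The features listed in the reply above (DHCP snooping, BPDU guard, loop guard, root guard and UDLD), as an added example configuration in Cisco IOS syntax for a Catalyst access switch. This is not configuration from the thread; the interface names, VLAN 10, the fiber uplink on Gi0/1 and the downlink to a second switch on Gi0/25 are assumptions for illustration.

```cisco
! Added example: DHCP snooping plus STP/UDLD hardening on a Catalyst access switch.
! Interface names, VLAN 10 and the fiber uplink are assumed for illustration.
!
! --- DHCP snooping: only the uplink may answer DHCP; all other ports are untrusted ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- STP integrity: BPDU guard on every PortFast port, loop guard everywhere ---
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
! --- UDLD aggressive mode on all fiber ports (detects unidirectional links) ---
udld aggressive
!
interface GigabitEthernet0/1
 description Uplink to distribution (fiber)
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 udld port aggressive
!
interface range GigabitEthernet0/2 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Rate-limit DHCP so one host cannot flood the snooping process
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/25
 description Downlink to a second access switch; must never become STP root
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! Verify:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show spanning-tree summary
!   show udld GigabitEthernet0/1
```

Root guard goes on ports that face other switches which should never become root (the downlink here), not on host ports, where BPDU guard already err-disables the port on the first BPDU received.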
07-23-2013 07:31 AM
In addition to the above you can have 802.1X authentication for users for a secure access layer.
Regards
Shanil
Sent from Cisco Technical Support iPhone App
07-23-2013 08:43 AM
Thanks Shanil.
How would using PVLAN at the access layer help protect my network from access layer attacks if someone were to bypass port-sec?
I am a bit confused with the PVLAN concept.
07-23-2013 10:24 AM
I don't know that you would need PVLANs to be honest. They will prevent hosts on the same subnet from talking (unless using the router), i.e. network printers talking to hosts, etc. PVLANs are doable but may cause issues unless you need to isolate every host.
What is the purpose of the network you are building and securing?
- Be sure to rate all helpful posts
07-23-2013 12:25 PM
Dear sudip,
as Schaef mentioned, private VLANs are used to restrict and isolate traffic within a VLAN. Why would anyone need private VLANs?
Commonly, this kind of configuration arises in "shared" environments, say ISP co-location, where it's beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
For securing the access layer you can have a lot of features as mentioned before.
Please go through the below links for more on private VLAN config
http://blog.ine.com/2008/01/31/understanding-private-vlans/
http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/
Please rate helpful posts..
Thanks
Shanil
Sent from Cisco Technical Support iPhone App
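The primary/isolated/community/promiscuous model described in the two PVLAN replies above, as an added example configuration in Cisco IOS syntax (not from the thread or the linked articles). VLAN numbers 200/201/202, the interface names and the "guest ports plus shared printers" use case are assumptions.

```cisco
! Added example: private VLANs on a Catalyst switch. VLAN numbers, interface
! names and the guest/printer use case are assumed. PVLANs require VTP
! transparent mode (or VTP version 3).
vtp mode transparent
!
! Secondary VLANs first, then the primary VLAN that associates them
vlan 201
 name GUEST-ISOLATED
 private-vlan isolated
vlan 202
 name PRINTERS-COMMUNITY
 private-vlan community
vlan 200
 name GUEST-PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port: the router/default gateway; reachable from every secondary VLAN
interface GigabitEthernet0/1
 description Router / default gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Isolated host ports: each guest can reach only the promiscuous port
interface range GigabitEthernet0/2 - 12
 description Guest ports (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Community host ports: members talk to each other and to the promiscuous port
interface range GigabitEthernet0/13 - 16
 description Printers (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/2 switchport
```

All hosts in VLANs 201 and 202 share the IP subnet of primary VLAN 200, so nothing changes on the clients; isolation is enforced by the switch, which is why it still holds when a host on an isolated port presents a different MAC address. If the gateway is an SVI on the same switch, map the secondaries onto it with `private-vlan mapping 201,202` under `interface Vlan200` instead of using a physical promiscuous port.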
07-23-2013 01:09 PM
Guys,
Correct, that's what my understanding of PVLANs was, but I heard a network engineer with one of the companies we are hiring to do a sec audit ask if we used PVLANs to further increase security on ports (beyond port-sec) available to non-employees/guests.
What are some ways to secure ports if someone were to spoof MACs and fool port-sec?
07-23-2013 01:23 PM
If you use 802.1X you don't have to count on MAC addresses and could use a more advanced method of authentication. MAC auth bypass is the 802.1X method that is susceptible to MAC spoofing as I understand it. That's typically not the default method anyhow...
You could issue certificates to users and/or computers and know who is on what port for sure then. Username/password authentication would be an option as well. I'm not an 802.1X expert though, unfortunately.
- Be sure to rate all helpful posts
07-23-2013 01:30 PM
Thanks guys for your inputs.
07-23-2013 07:37 PM
At the company I work for we use 802.1X on all of our access layer switches. We use machine certificates that authenticate back to a RADIUS server.
We then use MAC auth bypass to authenticate non-802.1X-capable machines such as printers and other random devices.
It works pretty well but takes some time to get right and keep it maintained.
Sent from Cisco Technical Support iPhone App
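The setup described in the last two replies (802.1X with machine certificates against a RADIUS server, MAB as the fallback for printers), as an added example of the switch side in Cisco IOS syntax. This is not the poster's configuration; the RADIUS server address and key are placeholders, and the interface names and VLAN 10 are assumptions. The certificate (EAP-TLS) part lives on the RADIUS server and the supplicants, not on the switch.

```cisco
! Added example: 802.1X with MAB fallback on Catalyst access ports.
! RADIUS address/key are placeholders; interface names and VLAN 10 are assumed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Global enable for 802.1X on the switch
dot1x system-auth-control
!
interface range GigabitEthernet0/2 - 24
 description User and printer access ports
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Try 802.1X first; MAB is used only if the supplicant never answers
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! One authenticated MAC per port; a second MAC is dropped and logged, not admitted
 authentication host-mode single-host
 authentication violation restrict
 dot1x pae authenticator
 ! EAP-Request/Identity every 10 s (default 30 s), so a printer with no
 ! supplicant falls through to MAB after about 30 s instead of 90 s
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify:
!   show authentication sessions interface GigabitEthernet0/2
!   show dot1x all summary
```

Because MAB authorizes on the MAC address alone, the RADIUS server should hold the MAB allow-list and ideally return a restrictive VLAN or ACL for those sessions, so a printer's port never gets the same access as a certificate-authenticated machine. Keeping `authentication order dot1x mab` (rather than MAB first) means a device that can present a certificate is always asked for it before the MAC is trusted.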