From the course: CompTIA Security+ (SY0-701) Cert Prep

Switch configuration security

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Switch configuration security

- [Instructor] Network administrators should also be concerned about the security of switches under their care. One of the most important security tasks surrounding switches is maintaining the physical security of the device. Unlike routers which are normally centrally located in secure data centers or network rooms, switches are generally spread all over the place, providing connectivity at the edge of the network in every building and floor throughout an organization. From a security perspective, this can be a nightmare because it's critical to keep those switches locked away where nobody can physically access them without authorization. And the reason for this is simple. If someone gains physical access to your switch, they can take physical control of that portion of the network. Now, earlier in this course, you learned how virtual lands or VLANs may be used to increase the security of networks by isolating unrelated users from each other. Switch administrators should implement some common practices to ensure the secure implementation of VLANs. First, VLAN pruning is a good practice. You might recall that switches use a technology known as VLAN trunking to carry VLANs across the many switches that make up a network. This allows any switch port on the network to join any VLAN trunked to that switch. A best practice for networking is to implement the least privilege rule and only trunk VLANs to switches if the VLAN is needed on that switch. This requires a little more work on the part of network administrators, but it also reduces the impact of a compromised switch. For example, if you have a VLAN for the sales department, and the sales department is contained only within a single building, you should trunk that VLAN within that building, but not into any other buildings. Second, malicious users may attempt an attack known as VLAN hopping to switch from their authorized VLAN, to one containing resources that they would like to attack. They may do this through a variety of means, but most rely upon pretending to be a switch and asking the switch to trunk VLANs to the malicious user's device. The countermeasures for this attack vary from device to device, but generally speaking, you should configure your switches to deny automatic VLAN trunk negotiation and only trunk VLANs when explicitly authorized by a network administrator. Finally, switch administrators may wish to implement a technology known as port security. This protects against attackers disconnecting an authorized device from the wired network, and replacing it with a rogue device that may eavesdrop on other users or attempt to access secure network resources. Port security works by limiting the MAC addresses that may be used on a particular switch port, and requiring administrator intervention to change out a device. Port security works in two different modes. In static mode, the administrator manually configures each switch port with the allowable MAC addresses. This is very time consuming, but this MAC filtering approach is the most secure way to implement port security. In dynamic or sticky mode, the administrator enables port security, and then tells the switch to memorize the first MAC address that it sees on any given port, and then restrict access to that MAC address. This makes configuration much faster, but can be risky if you have unused, but active switch ports. DHCP snooping is another switch level security control that you may implement on your network. This technology allows the switch to inspect DHCP messages to ensure that they're properly formatted and that they're coming from authorized DHCP servers. DHCP snooping can block unauthorized or malformed DHCP messages to better preserve network security.

Contents