Section 16.151 Port Security Flashcards
Objective 3.2: Given a scenario, you must be able to apply security principles to secure enterprise architecture.
Objective 4.5: Given a scenario, you must be able to modify enterprise capabilities to enhance security.
Port Security
A network switch feature that restricts device access to specific ports based on MAC addresses
■ Enhances network security by preventing unauthorized devices from connecting
Network Switches
■ Networking devices that operate at Layer 2 of the OSI model
■ Use MAC addresses for traffic switching decisions through transparent bridging
■ Efficiently prevent collisions, operate in full duplex mode
■ Remember connected devices based on MAC addresses
■ Broadcast traffic only to intended receivers, increasing security
CAM Table (Content Addressable Memory)
Stores MAC addresses associated with switch ports
■ Vulnerable to MAC flooding attacks, which can cause the switch to fail open
Port Security Implementation
■ Associate specific MAC addresses with interfaces
■ Prevent unauthorized devices from connecting
■ Can use Sticky MACs for easier setup
■ Susceptible to MAC spoofing attacks
802.1x Authentication
Provides port-based authentication for wired and wireless networks
Requires three roles:
● Supplicant: the user's device that is requesting access to your network
● Authenticator: the device through which the supplicant is attempting to access the network, such as a wireless switch or VPN concentrator
● Authentication server: the centralised device that performs the authentication. This is usually configured as a RADIUS or TACACS+ server.
■ Prevents rogue device access
RADIUS vs. TACACS+
■ RADIUS is cross-platform, while TACACS+ is Cisco proprietary
■ TACACS+ is slower but offers additional security and independently handles authentication, authorization, and accounting
■ TACACS+ supports all network protocols, whereas RADIUS lacks support for some
EAP (Extensible Authentication Protocol)
■ A framework for various authentication methods
■ Has different variants which have their own features
EAP-MD5
○ Uses simple passwords and the challenge handshake authentication process to provide remote access authentication
○ One-way authentication process
○ Doesn’t provide mutual authentication
EAP-TLS
○ Uses public key infrastructure with a digital certificate which is installed on both the client and the server
○ Uses mutual authentication
EAP-TTLS
○ Requires a digital certificate on the server, but not on the client
○ The client uses a password for authentication
EAP-FAST
○ Uses a protected access credential (PAC), instead of a certificate, to establish mutual authentication
PEAP
○ Supports mutual authentication using server certificates and Active Directory databases to authenticate a password from the client
EAP-LEAP
○ Cisco proprietary and limited to Cisco devices