Domain 3 · 3.2 Securing Enterprise Infrastructure

3.2.3 Port Security

802.1X, EAP.

17 min

Port security and network access control ensure that only authorized devices and users can connect to physical and logical network ports.

IEEE 802.1X and PNAC Port-based Network Access Control (PNAC) provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. It prevents unauthorized "rogue" devices from gaining a physical connection to the network infrastructure. - Supplicant: The client device (laptop, phone, workstation) requesting access to the network. - Authenticator: The network device, typically a managed switch or Wireless Access Point (WAP), that acts as a gatekeeper. It does not allow traffic beyond the handshake until the user is verified. - Authentication Server: Usually a RADIUS or TACACS+ server that validates the credentials provided by the supplicant and tells the authenticator whether to open or close the port.

Extensible Authentication Protocol (EAP) EAP is an authentication framework used within 802.1X to transport various authentication methods across point-to-point links and networks. - EAP-TLS: Uses Digital Certificates on both the client and the server. This is considered the most secure but requires a functional Public Key Infrastructure (PKI). - EAP-TTLS: Tunneled TLS; only the server requires a certificate. It creates a secure tunnel to protect weaker authentication methods like passwords. - PEAP (Protected EAP): Developed by Cisco, Microsoft, and RSA. It encapsulates EAP within an encrypted TLS tunnel. Like TTLS, it typically only requires a server-side certificate. - EAP-FAST: Flexible Authentication via Secure Tunneling; uses a Protected Access Credential (PAC) instead of certificates to establish a secure tunnel.

MAC Filtering and Port Security Layer 2 security involves controlling traffic based on physical hardware addresses. - MAC Filtering: A list of allowed MAC addresses configured on a switch or WAP. While simple, it is easily bypassed via MAC Spoofing. - Port Security (Sticking): Configures a switch port to "learn" the MAC address of the first device connected (Sticky MAC) and shut down the port if a different MAC address is detected later. - Loop Protection: Implementing Spanning Tree Protocol (STP) to prevent broadcast storms caused by physical loops in the port infrastructure.

Quick Recall - Trigger: "Certificate on both client and server" -> EAP-TLS. - Role: The switch in an 802.1X setup is the Authenticator. - Function: 802.1X ensures Confidentiality and Integrity by verifying identity before granting network access. - Protocol: RADIUS is the most common AAA backend for 802.1X. - Security Posture: Port security is a fundamental Technical Control in maintaining an organization's overall security status.