The main benefit of IP-based security systems has always been how easily many systems can interoperate over a single network. That benefit is also IP security's biggest Achilles heel: once an intruder gains access to the network, the same interoperability means every system on it can be adversely affected with little effort.
Preventing unauthorized network access has therefore become paramount. Any organization that deploys IP-addressable devices needs some form of network access control. Today's managed Ethernet switches, which operate at layer 2 of the Open Systems Interconnection (OSI) reference model, have built-in security features for this purpose.
Layer-2 managed switches typically implement port security: each port is bound to one or more permitted MAC addresses, and the switch checks the source MAC address of every incoming frame against that list. A frame with a permitted source MAC is passed into the switching fabric as normal; a frame from any other address is dropped, and depending on configuration the port may also be shut down. This makes it easy to implement basic protection against an intruder removing the original device and replacing it with a device built for network intrusion.
It also protects against cutting the cable from the original device and splicing in the intruder's own device to gain network access. This level of protection is common across most layer-2 managed switches on the market today, and all ComNet managed switches support it as standard. The feature goes by many names, including (but not limited to) port locking, MAC locking, port security and MAC filtering.
The weakness of traditional layer-2 MAC filtering/locking is that it can be defeated in a matter of minutes with readily available software that alters, or "spoofs", the sender's MAC address to match whatever the switch expects; the switch has no way to distinguish the original device from an impostor presenting the same address. A related technique, IP address spoofing, is the creation of IP packets with a false source IP address in order to hide the sender's identity or impersonate another system. Either way, the network is fooled into granting the intruder access.
There is a simple solution when designing a modern IP-based security system: devices at the network edge that sense when the physical connection to a port is broken and lock that port out. Before the port can carry traffic again, the event must be examined by an administrator and the port reset. Because this check operates at the physical layer rather than on addresses, it cannot be bypassed by MAC or IP spoofing and prevents a wide range of unauthorized access. It does not, on its own, detect an edge device that is compromised in place without the link ever dropping, so it complements rather than replaces the other controls on the switch.
One example is Port Guardian, a feature of ComNet's next generation of self-managed and managed switches. It is implemented in firmware, so it can be retrofitted to selected older ComNet switches. At its core, Port Guardian is a layer-1 protection mechanism: the data sent on the port is irrelevant, and the switch does not need to inspect it. The feature continuously monitors each port on which it is enabled.
As soon as it detects that a cable has been unplugged, or any other link-down event, the port is immediately disabled and the network administrator is notified of the potential intrusion via an SNMP alert (and optionally via a local contact relay, on switch models that have one). In other words, Port Guardian monitors the continuity of the connection to the IP device; when that continuity is disrupted, it disconnects the port from the network and sends an SNMP notification to the head end so the event can be examined.
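To make the contrast between MAC locking and link-continuity lockout concrete, here is an added toy model that plays through both the spoofing bypass described earlier and the link-down lockout described above. It is example code written for this page, not ComNet firmware or the configuration syntax of any real switch; the class and function names, the MAC addresses and the event sequence are all constructed for illustration. The only real identifier is the standard SNMPv2 linkDown notification OID from RFC 3418, used as the trap type.

```python
"""Toy model of an access-switch port that has (a) classic layer-2 MAC
locking and (b) a layer-1 link-continuity lockout of the kind the text
describes. Added example; it is not ComNet firmware or any real switch.
All names, MAC addresses and events below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum

# Standard SNMPv2 linkDown notification OID (RFC 3418), used here as the
# trap type a guarded port raises when its link drops.
LINK_DOWN_TRAP = "1.3.6.1.6.3.1.1.5.3"


class PortState(Enum):
    UP = "up"          # forwarding frames that pass the MAC check
    LOCKED = "locked"  # disabled by the guard; needs an administrator reset


@dataclass
class Frame:
    src_mac: str
    payload: str


@dataclass
class GuardedPort:
    name: str
    allowed_mac: str            # MAC locked to this port (the original camera)
    guard_enabled: bool = True  # layer-1 link-continuity lockout on/off
    state: PortState = PortState.UP
    traps: list = field(default_factory=list)   # (trap_oid, port) tuples sent

    def link_down(self) -> None:
        """Physical event: cable pulled, cut, or device swapped."""
        if self.guard_enabled and self.state is PortState.UP:
            self.state = PortState.LOCKED
            self.traps.append((LINK_DOWN_TRAP, self.name))

    def link_up(self) -> None:
        """Link returning does not clear a lock; only admin_reset() does."""
        return

    def admin_reset(self) -> None:
        """Administrator has examined the event and re-enables the port."""
        self.state = PortState.UP

    def forward(self, frame: Frame) -> bool:
        """True if the frame is passed into the switching fabric."""
        if self.state is not PortState.UP:
            return False  # port is administratively disabled
        # Layer-2 MAC lock: only the bound source address is accepted.
        return frame.src_mac.lower() == self.allowed_mac.lower()


CAMERA_MAC = "00:11:22:33:44:55"    # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"  # constructed


def intruder_swaps_device(port: GuardedPort, spoof: bool) -> bool:
    """Unplug the camera, plug in an attack box, and send one frame.
    With spoof=True the attack box has set its MAC to the camera's."""
    port.link_down()   # unavoidable: the physical swap drops the link
    port.link_up()
    src = CAMERA_MAC if spoof else ATTACKER_MAC
    return port.forward(Frame(src_mac=src, payload="arp-scan"))


def run_scenarios() -> dict:
    """Compare MAC locking alone against MAC locking plus link lockout."""
    results = {}

    # 1. MAC lock only: an attacker with a different MAC is rejected...
    p = GuardedPort("ge1", CAMERA_MAC, guard_enabled=False)
    results["mac_lock_blocks_unknown_mac"] = not intruder_swaps_device(p, spoof=False)

    # 2. ...but a spoofed MAC walks straight through the MAC lock.
    p = GuardedPort("ge1", CAMERA_MAC, guard_enabled=False)
    results["mac_lock_defeated_by_spoof"] = intruder_swaps_device(p, spoof=True)

    # 3. With the link guard, the swap itself locks the port, so the
    #    spoofed frame never reaches the fabric and a trap is raised.
    p = GuardedPort("ge1", CAMERA_MAC, guard_enabled=True)
    results["guard_blocks_spoof"] = not intruder_swaps_device(p, spoof=True)
    results["guard_sent_linkdown_trap"] = (LINK_DOWN_TRAP, "ge1") in p.traps

    # 4. Only an administrator reset, after examining the event, restores
    #    service; the genuine camera then forwards again.
    p.admin_reset()
    results["camera_works_after_reset"] = p.forward(Frame(CAMERA_MAC, "video"))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point of the model is the ordering in `intruder_swaps_device`: the spoofed frame is perfectly valid to the MAC check, but the physical swap that precedes it has already locked the port, and `link_up` deliberately does nothing, so only an administrator's reset reopens it. Note what the model does not cover: a camera compromised in place never calls `link_down`, so the guard raises nothing for it.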
This also thwarts MAC and IP spoofing: an intruder must physically connect to the port in order to spoof, and the link interruption that connection causes disables the port before any spoofed traffic can be sent. It works on any network with IP devices at the edge, whether an IP camera, an access control panel or an intrusion detection device. Any externally accessible network port on such a device is a potential entry point through which an experienced attacker can reach the network and control the devices connected to it, with the potential to shut down the entire security system, including video surveillance, access control, intrusion alarm, intercom and other networked protection systems. Adding this kind of prevention at the Ethernet switch is an easy way to stop such attacks and should be part of every network design and deployment.