1
00:00:00,960 --> 00:00:07,410
In this video we're going to discuss port security which is used to provide a level of authentication

2
00:00:07,770 --> 00:00:13,110
in an Ethernet environment. In a wired Ethernet environment, as an example,

3
00:00:13,110 --> 00:00:19,630
there's nothing stopping you from simply plugging your PC into any open port in the network.

4
00:00:19,680 --> 00:00:27,390
So as an example there's nothing stopping a user connecting their PC to a port in a director's office

5
00:00:27,750 --> 00:00:32,110
which then results in them having access to the director's VLAN.

6
00:00:32,190 --> 00:00:39,060
There's also nothing stopping a user connecting a wireless access point to the network and allowing

7
00:00:39,060 --> 00:00:44,310
multiple users to access the wired network through that wireless access point.

8
00:00:44,580 --> 00:00:46,790
That's a major security risk.

9
00:00:46,800 --> 00:00:53,070
What port security does is it looks at the source MAC address of frames received on a port, and you

10
00:00:53,070 --> 00:01:00,540
can restrict the frames that are allowed on a specific port to either a single MAC address that you configure

11
00:01:00,900 --> 00:01:05,890
or to a limited number of MAC addresses that are dynamically learnt.

12
00:01:05,910 --> 00:01:07,920
There are various options which we'll discuss.

13
00:01:07,920 --> 00:01:15,090
But as an example you could say on the port that connects to the director's office only the MAC address

14
00:01:15,090 --> 00:01:22,050
associated with their laptop or their PC is allowed to send frames to the switch and therefore belong

15
00:01:22,080 --> 00:01:24,610
to the director's VLAN.

16
00:01:24,810 --> 00:01:30,750
Or you could limit the number of MAC addresses allowed on a port. As an example, you could limit the number

17
00:01:30,750 --> 00:01:37,750
of MAC addresses to one which would only allow a single PC to access the network through that port.

18
00:01:38,040 --> 00:01:45,180
Or if you have a PC connected to an IP phone, you may limit the MAC addresses to three: two for the IP phone

19
00:01:45,690 --> 00:01:48,800
and one for the PC attached to the IP phone.

20
00:01:48,960 --> 00:01:56,280
That would stop a user from connecting an access point or a hub to the network and allowing multiple unauthorized

21
00:01:56,280 --> 00:01:59,590
devices access to the ethernet network.

22
00:01:59,610 --> 00:02:03,570
Please note this is not user authentication.

23
00:02:03,660 --> 00:02:07,200
User authentication can be implemented using 802.1X.

24
00:02:07,200 --> 00:02:13,920
This is a more basic authentication based on MAC addresses so only frames from specific MAC addresses

25
00:02:14,010 --> 00:02:21,150
are allowed or a limited number of MAC addresses are permitted on a port on a switch. That solves the

26
00:02:21,150 --> 00:02:26,310
issue of a user connecting to a port that they are not authorized to connect to.

27
00:02:26,640 --> 00:02:33,000
It also stops a user from connecting a hub or a wireless access point to the network and therefore allowing unauthorized

28
00:02:33,000 --> 00:02:34,880
access to the network.

29
00:02:35,300 --> 00:02:40,200
You can decide what happens when there's a violation of port security.

30
00:02:40,200 --> 00:02:45,990
You could simply drop the frames, or you could shut the port down using what's called an err-disabled

31
00:02:45,990 --> 00:02:50,970
state. In the most secure implementation, where you disable the port,

32
00:02:51,000 --> 00:02:56,870
you as an administrator have to manually re-enable the port, so the user would have to contact the helpdesk

33
00:02:56,890 --> 00:03:01,340
as an example and explain that they no longer have access to the network.

34
00:03:01,470 --> 00:03:07,080
And then you could investigate what happened, and you'd be able to see if an unauthorized MAC address or

35
00:03:07,470 --> 00:03:11,470
group of MAC addresses had tried to access the network through that port.

36
00:03:14,960 --> 00:03:20,910
Port security is one of multiple security mechanisms that you can implement in a network.

37
00:03:21,110 --> 00:03:25,520
Security is kind of like a castle of old as shown here.

38
00:03:25,520 --> 00:03:32,300
The idea is that you have multiple security mechanisms that in and of themselves don't provide total

39
00:03:32,300 --> 00:03:40,330
security, but each layer of security or each mechanism adds another level of security.

40
00:03:40,340 --> 00:03:45,460
So in this example you'd have to get across the sea to get to the castle.

41
00:03:45,650 --> 00:03:51,420
Then you'd have to scale the outer wall, and you're still not at the core of the castle.

42
00:03:51,560 --> 00:03:58,880
You'd have to climb up this hill and then scale the inner wall to be able to get to the king in the

43
00:03:58,880 --> 00:04:00,450
castle as an example.

44
00:04:00,710 --> 00:04:07,130
So in security you implement multiple walls or mechanisms to make it harder for a hacker to attack your

45
00:04:07,130 --> 00:04:08,120
network.

46
00:04:08,120 --> 00:04:14,900
This also applies to users who inadvertently or without being malicious do something that they shouldn't

47
00:04:14,910 --> 00:04:16,250
on your network.

48
00:04:16,250 --> 00:04:19,770
So port security isn't a catch-all security mechanism.

49
00:04:19,850 --> 00:04:27,560
It's just one of many and provides a basic or entry-level security mechanism to your network.

50
00:04:27,560 --> 00:04:30,830
Ethernet, once again, has no security built into it.

51
00:04:30,830 --> 00:04:37,860
A user could simply plug a laptop into your network and gain full access to the network. Now, there are

52
00:04:37,870 --> 00:04:41,090
several ways that MAC addresses can be learnt.

53
00:04:41,330 --> 00:04:47,750
The first is a static way: you statically configure specific MAC addresses that are allowed or permitted

54
00:04:47,750 --> 00:04:53,510
on a port. Any MAC addresses that you don't specify are not allowed on the port.

55
00:04:53,510 --> 00:04:57,980
The advantage with this method is that you have a lot of control, but the disadvantage is that you have

56
00:04:57,980 --> 00:05:05,660
to manually work out what the MAC addresses are of all your devices and then manually configure them.

57
00:05:05,690 --> 00:05:11,570
You could also use dynamic learning, where you specify how many MAC addresses are permitted on a port

58
00:05:12,020 --> 00:05:13,970
and they are dynamically learned.

59
00:05:14,210 --> 00:05:19,220
So as an example, you could say that only two MAC addresses are permitted on a port, and the first two

60
00:05:19,220 --> 00:05:24,710
MAC addresses that are learnt are permitted. Any subsequent MAC addresses are not permitted. You would

61
00:05:24,710 --> 00:05:31,220
use this, as an example, to limit the number of MAC addresses permitted but not which MAC addresses are permitted,

62
00:05:31,500 --> 00:05:38,970
so you are limiting the number of MAC addresses and not limiting based on specific MAC addresses.

63
00:05:38,990 --> 00:05:44,540
The thing to remember about dynamic learning is that when the switch is rebooted or the port goes

64
00:05:44,540 --> 00:05:51,200
down, the MAC addresses learnt are removed, and new MAC addresses would then be permitted when the port

65
00:05:51,200 --> 00:05:52,440
comes up again.

66
00:05:52,460 --> 00:06:00,570
You could also specify an aging interval to allow MAC addresses to be forgotten after a period of time.

67
00:06:00,620 --> 00:06:07,100
So if you had a situation where you had a hot desk or a boardroom, you may only allow a certain number

68
00:06:07,100 --> 00:06:11,820
of MAC addresses on a port but those MAC addresses can change over time.

69
00:06:11,840 --> 00:06:16,850
You can also do a combination of static and dynamic learning where you explicitly permit certain MAC

70
00:06:16,850 --> 00:06:17,880
addresses.

71
00:06:17,930 --> 00:06:24,440
So as an example, you could limit the number of MAC addresses on a port to four but only statically configure

72
00:06:24,470 --> 00:06:29,410
two MAC addresses; the remaining two MAC addresses can be dynamically learned.

73
00:06:29,690 --> 00:06:35,360
The static MAC addresses do not age out, but you could allow the dynamically learnt MAC addresses to

74
00:06:35,360 --> 00:06:44,030
age out. Sticky learning allows you to automatically add a learnt MAC address to the running configuration

75
00:06:44,030 --> 00:06:44,950
of the switch.

76
00:06:45,230 --> 00:06:50,150
So rather than statically configuring MAC addresses, you could allow the switch to learn MAC addresses

77
00:06:50,540 --> 00:06:56,820
and then add them to the configuration when you save your running configuration to the startup configuration.

78
00:06:56,990 --> 00:07:03,290
Those MAC addresses will be kept in NVRAM and therefore won't be lost if the switch reboots.

79
00:07:03,350 --> 00:07:05,250
So there are various options.

80
00:07:05,270 --> 00:07:09,660
Remember port security is an initial way to implement security.

81
00:07:09,680 --> 00:07:16,190
It allows you to limit the number of MAC addresses permitted on a port, and it allows you to specify

82
00:07:16,460 --> 00:07:19,840
which MAC addresses are permitted on a port.

83
00:07:19,880 --> 00:07:24,590
You have the option of just limiting the number of MAC addresses on a port but not worrying what those MAC addresses

84
00:07:24,590 --> 00:07:25,210
are.

85
00:07:25,400 --> 00:07:32,180
That would stop a user from bringing an access point or home router to work and plugging it into the network

86
00:07:32,510 --> 00:07:35,280
and allowing their friends to access the network.

87
00:07:35,480 --> 00:07:43,040
Or you could be strict and only allow specific MAC addresses on a port, so a user can't connect to a

88
00:07:43,040 --> 00:07:47,360
director's port and therefore have access to the director's VLAN.
