Switch Port Security – CompTIA Network+ N10-006 – 3.3


Our network switches often include many different security features. In this video, you’ll learn about DHCP snooping, dynamic ARP inspection, MAC limiting and filtering, and VLAN segmentation.


All of your devices connect to your network switches, so this is a great place to start adding additional security features. In this video, we’ll look at a number of security techniques that are built into our network switches.

We spend a lot of time building a very secure perimeter between the outside and the inside of our network. We want to put everything we can between those so that somebody who’s on the outside is not able to access any of the resources on the inside of our network. But if you’re already on the inside of the network, it’s pretty open. You can access nearly any device without passing through any type of security component in between.

Access to the inside of the network can come over any of your copper or fiber connections, or over wireless. Wireless is a convenient way to communicate inside of an organization, but it’s one where you really have to be concerned about security, since wireless networks can be easily accessed from outside of your physical building. It’s also easy inside of the building to connect to almost any interface. If you’re not using network access control, you can walk into a conference room, plug into any Ethernet connection, and you’re now on the inside of your network.

DHCP snooping is a way to prevent unauthorized DHCP servers, or people trying to use static IP addressing, from accessing devices on the inside of your network. This capability is usually enabled on a layer 2 device: your switch. The switch effectively acts as a DHCP firewall, listening to all of the DHCP communication that’s taking place on your network. There are a number of devices that you will trust with this DHCP snooping.

Your switch will trust routers. It will trust other switches. And it will trust the known DHCP servers that are on your network. Everything else, such as other computers, is effectively untrusted. Other DHCP servers that suddenly appear on the network are automatically put in the untrusted column.

Your switch will now do the actual snooping. It listens in on DHCP communication and builds a list of which devices have been given an IP address and what that IP address happens to be, so it also knows which devices have not been given an IP address via DHCP. It then filters out anything that would not be normal DHCP communication. It will get rid of anybody using a static IP address on the network. If a server is brought onto the network that is running DHCP but is not part of the trusted list, it will filter that out. And it will filter out anything else that’s sending invalid traffic patterns on your network, especially as it relates to DHCP.

Another security feature that you can have inside of your switch is Dynamic ARP inspection, or DAI. This focuses on the ARP protocol, which has no security built into it and is very often used in ARP poisoning and man-in-the-middle attacks. DAI is used in conjunction with DHCP snooping, because the switch now knows all of the IP addresses on your network and the MAC addresses that are associated with those IP addresses. All of this information can be used to spot someone who may be using ARP inappropriately.

The switch knows all of the different combinations of IP addresses to MAC addresses and if any of those are suddenly incorrect, it’s going to drop those packets. Only valid information is now going to go through, and this will prevent anybody from spoofing an address and using ARP poisoning to be able to sit in the middle of a conversation.
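The two mechanisms above share one data structure, the DHCP snooping binding table, so here is a single added example (not code from the original video) that models both: DHCP server replies are only accepted on trusted ports, leases seen in DHCP ACKs populate the table, and dynamic ARP inspection checks ARP sender fields on untrusted ports against it. Port names, MAC addresses and IP addresses are constructed for illustration.

```python
# Added example: a toy model of DHCP snooping plus dynamic ARP inspection.
# Port names and addresses below are constructed, not taken from any real device.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server should send


@dataclass
class Switch:
    trusted: set = field(default_factory=set)     # ports facing routers, switches, known DHCP servers
    requests: dict = field(default_factory=dict)  # client MAC -> access port that sent the REQUEST
    bindings: dict = field(default_factory=dict)  # IP -> (MAC, port): the DHCP snooping binding table

    def dhcp(self, port, kind, mac, ip=None):
        """Inspect one DHCP message; return 'forward' or 'drop'."""
        if kind in SERVER_MSGS:
            if port not in self.trusted:          # a DHCP server answering from an access port
                return "drop"
            if kind == "ACK" and mac in self.requests:
                # lease granted by a trusted server: remember who got which IP, and where
                self.bindings[ip] = (mac, self.requests.pop(mac))
            return "forward"
        if port not in self.trusted and kind == "REQUEST":
            self.requests[mac] = port             # note which access port the client sits on
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP inspection: sender IP/MAC on an untrusted port must match a binding."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get(sender_ip) == (sender_mac, port) else "drop"


def demo():
    sw = Switch(trusted={"Gi0/24"})               # Gi0/24 is the uplink to the real DHCP server
    pc1, pc2, pc3 = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
    return [
        sw.dhcp("Gi0/1", "REQUEST", pc1),                 # PC asks for a lease: forward
        sw.dhcp("Gi0/24", "ACK", pc1, "10.0.0.10"),       # trusted server answers: forward, binding added
        sw.dhcp("Gi0/2", "OFFER", pc2, "10.0.0.50"),      # untrusted port acting as a server: drop
        sw.arp("Gi0/1", pc1, "10.0.0.10"),                # ARP matches the binding: forward
        sw.arp("Gi0/2", pc2, "10.0.0.10"),                # claims pc1's IP from another port: drop
        sw.arp("Gi0/3", pc3, "10.0.0.77"),                # static IP never seen in DHCP: drop
    ]
```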

MAC stands for Media Access Control, and it is effectively the physical address that’s inside of our network interface cards. Every card has a different MAC address, which means each one of these interfaces can be individually identified. MAC limiting and MAC filtering keep a list of everybody on your network and what their MAC addresses are. If another device happens to appear on your network, or another device tries to spoof a MAC address on your network from a different interface, then MAC filtering will identify that and filter out all of that traffic from your network.

In this way you’re able to limit the impact that somebody might have in trying to spoof or pretend to be somebody on the network who they’re really not. Another security technique that’s built into your switches is virtual LANs, or VLAN assignments. You can segment your network into smaller pieces and keep security scoped to each of those segments. So you might have a VLAN for the marketing department, the accounting team, and shipping and receiving, and you’d put all of their local resources on their individual VLAN. You would also then limit the communication from VLAN to VLAN, thereby creating a more secure network.

How you decide to segment is going to depend a lot on your network configuration. You might have load balancers, and web servers, and database servers, and you may need to segment those in different ways. By segmenting through VLANs, you’re doing the segmentation on the same physical device. In some environments you may need even more separation, where you have what’s effectively an air gap. You have a separation of devices themselves. But if you want to have everything consolidated into a single switch, you can easily use VLANs to provide the segmentation.
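The MAC limiting/filtering and VLAN segmentation passages above describe the same forwarding decision from two angles, so here is one added example (not code from the original video) that models a small access switch: each port allows a fixed number of MAC addresses, a MAC that was already learned on another interface is filtered, and forwarding table lookups and flooding are scoped to the ingress VLAN. Port names, VLAN ids and MAC addresses are constructed for illustration.

```python
# Added example: a toy access switch with per-port MAC limiting and VLAN-scoped forwarding.
# Port names, VLAN ids and MACs are constructed for illustration.
from collections import defaultdict


class AccessSwitch:
    def __init__(self, port_vlan, max_macs=1):
        self.port_vlan = port_vlan            # port -> access VLAN
        self.max_macs = max_macs              # MAC limiting: addresses allowed per port
        self.learned = defaultdict(set)       # port -> MACs learned on that port
        self.owner = {}                       # MAC -> port it was first learned on
        self.fdb = {}                         # (MAC, VLAN) -> port: the forwarding table
        self.err_disabled = set()             # ports shut down after a MAC-limit violation

    def ingress(self, port, src_mac, dst_mac):
        """Process one frame; return ('forward'|'flood', out_ports) or ('drop', reason)."""
        if port in self.err_disabled:
            return "drop", f"{port} is err-disabled"
        vlan = self.port_vlan[port]
        if src_mac not in self.learned[port]:
            if src_mac in self.owner:         # a known MAC showing up on a different interface
                return "drop", f"MAC already learned on {self.owner[src_mac]}"
            if len(self.learned[port]) >= self.max_macs:
                self.err_disabled.add(port)   # too many stations behind one port: violation
                return "drop", f"MAC limit exceeded on {port}"
            self.learned[port].add(src_mac)
            self.owner[src_mac] = port
            self.fdb[(src_mac, vlan)] = port
        out = self.fdb.get((dst_mac, vlan))   # lookups never cross the ingress VLAN
        if out is not None:
            return "forward", [out]
        # unknown destination: flood, but only to other ports in the same VLAN
        return "flood", sorted(p for p, v in self.port_vlan.items() if v == vlan and p != port)


def demo():
    sw = AccessSwitch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20, "Gi0/4": 20}, max_macs=1)
    mkt1, mkt2, acct = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
    return [
        sw.ingress("Gi0/1", mkt1, mkt2),               # unknown dst: floods VLAN 10 only
        sw.ingress("Gi0/2", mkt2, mkt1),               # mkt1 learned: forwarded to Gi0/1
        sw.ingress("Gi0/3", acct, mkt1),               # VLAN 20 cannot reach mkt1 in VLAN 10
        sw.ingress("Gi0/1", "aa:00:00:00:00:09", mkt2),  # second MAC on Gi0/1: limit exceeded
        sw.ingress("Gi0/4", mkt1, mkt2),               # mkt1's MAC from another port: filtered
    ]
```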