Port Security

  • Definition: Port security refers to the security measures applied to individual interfaces on a network switch or connections to wireless access points.

  • Usage: Users often rely on port security without realizing it; for instance, when connecting to a wired or wireless network that prompts for a username and password before allowing access.

  • Effectiveness:

    • It is an effective method for securing wireless networks by ensuring authentication is required before accessing network resources.
    • Port security is not limited to wireless networks but is also applicable to traditional wired switches.

Underlying Protocols

  • EAP (Extensible Authentication Protocol):
    • EAP is the protocol that underpins port security, functioning as a framework for authentication applicable across various types of networks and connections.
    • Utility for Manufacturers: Wireless manufacturers can configure EAP to work seamlessly with their wireless access points, and similarly, wired switch manufacturers can enable EAP on their switches for integrated functionality.

Common Integration with EAP

  • 802.1X:

    • 802.1X is an IEEE standard designed to manage the authentication process for users and devices accessing a network.
    • It is often referred to as NAC (Network Access Control) or port-based Network Access Control.
  • Network Access Process:

    • Access to a network is restricted until a user successfully authenticates using 802.1X.

Authentication Workflow

  • Components Involved:
    • Supplicant: The end user client device requesting access to the network.
    • Authenticator: The switch or access point the supplicant is trying to connect to.
    • Authentication Server: A backend database containing authentication credentials; could include Active Directory (accessible via Kerberos or LDAP), RADIUS, or TACACS+ databases.

Process Steps:

  1. Initial Connection:

    • When the supplicant first connects, it has not yet authenticated, and the authenticator denies access to the network until authentication is completed.
  2. EAP Request:

    • The authenticator detects the initialization and sends an EAP request to the supplicant, prompting for login credentials.
  3. EAP Response:

    • The supplicant replies with an EAP response that includes the identifier of the device seeking network access.
  4. Request Processing:

    • This response is relayed from the authenticator to the authentication server, which assesses the login submission for validity.
    • If the server permits logins, it will send an additional request back to the authenticator for supplementary details needed for further authentication.
  5. Additional Detail Request:

    • The authenticator requests the necessary additional details from the supplicant for authentication purposes.
  6. Credentials Submission:

    • The supplicant sends in the required credentials (e.g., username and password).
  7. Credential Confirmation:

    • The authenticator then forwards these credentials to the authentication server to check their correctness.
    • If all submitted credentials match those in the database, the authentication server confirms successful login.
  8. Access Granted:

    • Upon successful authentication, the authentication server instructs the authenticator to grant network access to the user.
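
The eight steps above as a small simulation, added here as an illustration and not part of the original notes. The class names, message labels and credentials are constructed, and the plain password comparison is a simplification: real deployments negotiate a specific EAP method, which this model does not represent.

```python
import hmac

class AuthServer:
    """Backend credential store (stands in for RADIUS, LDAP, etc.)."""
    def __init__(self, users):
        self.users = users                      # constructed identity -> password map

    def knows(self, identity):                  # step 4: is this login permitted?
        return identity in self.users

    def verify(self, identity, password):       # step 7: do the credentials match?
        stored = self.users.get(identity, "")
        return hmac.compare_digest(stored.encode(), password.encode())

class Supplicant:
    """End-user client device requesting access."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

class Authenticator:
    """Switch port or access point: relays messages and controls the port."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False            # step 1: access denied by default
        self.log = []                           # simplified message labels, not wire formats

    def connect(self, sup):
        self.port_authorized = False            # every new connection starts blocked
        self.log = ["authenticator -> supplicant: EAP request (identity)"]            # step 2
        self.log.append(f"supplicant -> authenticator: EAP response ({sup.identity})")  # step 3
        self.log.append("authenticator -> server: relay identity")                    # step 4
        if not self.server.knows(sup.identity):
            self.log.append("server -> authenticator: reject")
            return False                        # port stays unauthorized
        self.log.append("server -> authenticator: request credentials")
        self.log.append("authenticator -> supplicant: EAP request (credentials)")     # step 5
        self.log.append("supplicant -> authenticator: EAP response (credentials)")    # step 6
        ok = self.server.verify(sup.identity, sup.password)                           # step 7
        self.log.append(f"server -> authenticator: {'accept' if ok else 'reject'}")
        self.port_authorized = ok               # step 8: open the port only on accept
        return ok

def run_demo():
    port = Authenticator(AuthServer({"alice": "correct-horse"}))
    return [port.connect(Supplicant("alice", "correct-horse")),   # valid login
            port.connect(Supplicant("alice", "wrong")),           # bad password
            port.connect(Supplicant("mallory", "x"))]             # unknown identity

if __name__ == "__main__":
    print(run_demo())
```

The failure cases are the point for a defender: in both of them the port stays in its default unauthorized state, and the log shows at which step the exchange stopped.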