Branch Router Port Security

  • Question
  • Updated 3 years ago
Can someone please offer the best method of port security for an access port on a branch router when .1x authentication is not an option?

Is the router's layer 2 firewall the only option? (Not entirely happy with MAC authentication.)

EXAMPLE - If a customer has an office in a shared building location, what can you do to stop someone connecting to an access port on the branch router (other than physical security)?

Nick Shipway

Posted 3 years ago

Nick Lowe, Official Rep
802.1X is the standard by which port security is meant to take place.

Where a client doesn't implement it, the only other option therefore is MAC address authentication, with all the inherent limitations caused by how easy MAC addresses are to spoof.

Isolation once a port is authorised is your best bet for such devices; stick them in a MAC-authed-only VLAN and apply an L2 and L3 firewall to constrain things as appropriate.

This is unavoidably labour intensive and error prone. Security in this area is all about tradeoffs and where priorities fall when competing desires are equated/balanced.

Even 802.1X in most deployments actually has many limitations. (Prior to 802.1X-2010 with 802.1AE (MACsec), traffic isn't encrypted, and it's therefore possible to piggyback off another client or MITM if you know what you're doing...)

If you want even tighter protection, you'll need to look at implementing things like IPsec on all the security sensitive clients therefore.
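As an added illustration of the trade-off described in the reply above (example code, not from the thread or from any vendor's product): a small defender-side audit over constructed MAC-authentication log lines, assuming a hypothetical log format, a constructed allow-list, and an isolation VLAN of 20. It flags unknown MACs, an allowed MAC authorised on more than one port at once (the spoof symptom MAC authentication cannot prevent on its own), and an authorised device that landed outside the MAC-authed-only VLAN.

```python
"""Audit MAC-auth port events: unknown MACs, one MAC on several ports,
and MAC-authed clients not placed in the isolated VLAN."""
import re
from collections import defaultdict

# Hypothetical log format (constructed for this example, not a vendor's syslog).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) port=(?P<port>\S+) mac=(?P<mac>[0-9a-fA-F:]{17}) "
    r"vlan=(?P<vlan>\d+) status=(?P<status>\w+)$"
)

ISOLATION_VLAN = 20  # assumed: the MAC-authed-only VLAN with L2/L3 firewall applied

# Constructed allow-list of devices that cannot do 802.1X.
ALLOWED_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

# Constructed sample events: a MAC appearing on two ports, one authorised
# into the wrong VLAN, and one unknown MAC that was rejected.
SAMPLE_LOG = """\
2023-01-01T10:00:00 port=ge0/1 mac=aa:bb:cc:dd:ee:01 vlan=20 status=authorised
2023-01-01T10:00:05 port=ge0/2 mac=aa:bb:cc:dd:ee:02 vlan=10 status=authorised
2023-01-01T10:00:09 port=ge0/3 mac=aa:bb:cc:dd:ee:01 vlan=20 status=authorised
2023-01-01T10:00:12 port=ge0/4 mac=de:ad:be:ef:00:01 vlan=20 status=rejected
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def audit(log_text, allowed=ALLOWED_MACS, isolation_vlan=ISOLATION_VLAN):
    """Return a sorted list of human-readable findings for the given log."""
    findings = []
    ports_by_mac = defaultdict(set)
    for ev in parse(log_text):
        mac = ev["mac"].lower()
        if mac not in allowed:
            findings.append(f"unknown MAC {mac} on {ev['port']} ({ev['status']})")
            continue
        if ev["status"] == "authorised":
            ports_by_mac[mac].add(ev["port"])
            if int(ev["vlan"]) != isolation_vlan:
                findings.append(f"{mac} authorised on {ev['port']} outside VLAN {isolation_vlan}")
    # One allowed MAC authorised on several ports is a duplicate/spoof symptom.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append(f"{mac} authorised on multiple ports {sorted(ports)}: possible spoof")
    return sorted(findings)
```

A clean log (every allowed MAC on exactly one port, all in the isolation VLAN) yields an empty list.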
Nick Shipway
Thank you for your response, Nick.

I was looking for something more elegant and suspected this was the case.

Thanks again.