Switch Security

24.09.2024

An Ethernet switch is a device for interconnecting equipment. Its main function is to connect two or more devices on a network, using the source and destination MAC addresses carried in the data frames those devices exchange.

In other words, a switch consists of physical network interfaces that generally operate at the Data Link layer (layer 2 of the OSI model). A switch can establish a link from one network interface to another very quickly, and it does so dynamically and per connection, switching between its ports to create those links.

These connections are established as needed and do not affect ports that are not involved in the traffic, which eliminates overhead on ports that take no part in the communication.

Unlike a hub, which repeats every data frame out of all ports except the ingress port, a switch consults a MAC address table to make its forwarding decision.

MAC Address Table 

Switches identify and store the MAC addresses of all devices reachable through each of their interfaces. This lets them build a MAC address table dynamically, so that when the destination MAC of a received frame matches a record in the table, the frame is forwarded only to that specific device.

A switch performs two processes for every Ethernet data frame it receives:

  • The source MAC address is examined: each incoming frame is inspected for its source MAC address and the port number on which it arrived. If the source MAC address is not in the table, it is added along with the incoming port number. If it already exists, the entry's update timer is reset (entries are only kept for a short time before they age out).
  • The destination MAC address is examined: the switch checks whether the destination MAC address of the frame matches a record in the table. If there is a match, the frame is forwarded only on the recorded port; otherwise it is flooded out of all ports except the one it arrived on.

The logical sequence by which a switch builds its MAC address table can be summarised as follows:

  • The switch receives a broadcast frame from a device connected to one of its network interfaces.
  • The switch records the source MAC address and the port on which the frame arrived in its address table.
  • Since the destination address is the broadcast address, the switch sends the frame out of all ports except the one on which it was received.
  • The destination device responds with a unicast frame (a frame for a single recipient) addressed only to the device that contacted it.
  • The switch adds to its address table the MAC address of the replying device and the port on which the reply arrived.

From now on the switch can send frames directly between the two devices without flooding, since it holds address table records, with their associated ports, for both of them.
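To make the two processes and the learning sequence above concrete, here is an added Python model of a switch's MAC address table; it is not code from the original post. Port numbers, MAC addresses and the aging timer are constructed sample values, and the filtering of a known destination that sits on the ingress port is a detail that goes slightly beyond the text.

```python
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Layer-2 forwarding model: learn the source MAC of every frame against
    its ingress port, forward known unicast destinations on the learned port,
    and flood broadcast or unknown destinations out of every other port."""

    def __init__(self, ports, aging_secs=300):
        self.ports = list(ports)
        self.aging_secs = aging_secs
        self.table = {}  # mac -> (port, last_seen): the MAC address table

    def _expire(self, now):
        # Drop entries whose update timer has run out since the last refresh.
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging_secs:
                del self.table[mac]

    def receive(self, ingress, src, dst, now=None):
        """Return the list of egress ports for a frame arriving on `ingress`."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        # Process 1: learn (or refresh the timer of) the source address.
        self.table[src.lower()] = (ingress, now)
        # Process 2: look up the destination address.
        entry = self.table.get(dst.lower())
        if dst.lower() != BROADCAST and entry is not None:
            port = entry[0]
            return [] if port == ingress else [port]  # same segment: filter
        return [p for p in self.ports if p != ingress]  # flood


def demo():
    """Walk through the learning sequence: broadcast, reply, direct unicast."""
    sw = Switch(ports=[1, 2, 3])
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # constructed sample hosts
    flood = sw.receive(1, a, BROADCAST, now=0)  # A learned on port 1; frame flooded
    reply = sw.receive(2, b, a, now=1)          # B learned on port 2; sent to port 1 only
    direct = sw.receive(1, a, b, now=2)         # both known: unicast to port 2
    return flood, reply, direct, {m: p for m, (p, _) in sw.table.items()}
```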

Multilayer Switch

In network technology there is a trend towards a purely layer 3 (OSI model) switched environment. When switches were first used in networks none of them supported routing, but today almost all of them do. The term multilayer refers to switches that can operate at both layer 2 and layer 3 of the OSI model.

Traditional switches function as bridges at layer 2 of the OSI model. Their main purpose is to divide a LAN into multiple collision domains or, in the case of ring networks, into segments. They base their forwarding decisions on the destination MAC address contained in each received data frame.

Layer 2 switches allow multiple simultaneous transmissions without interference between segments; however, they cannot filter broadcast or multicast frames, nor frames whose destination has not yet been recorded in the MAC address table.

Layer 3 switches, on the other hand, add routing functions to the traditional functions inherited from their predecessors: determining the shortest path, validating the integrity of the communication channel, supporting traditional routing protocols, defining virtual LANs (VLANs), and routing between those VLANs without an external router.

Because they can join segments belonging to different broadcast domains, layer 3 switches are particularly recommended for segmenting very large LANs, where using layer 2 alone would result in a loss of performance and efficiency due to the excessive number of broadcasts. For this reason, multilayer switches are generally deployed at the core and distribution layers of an organization's switched network.

Switch Interfaces

A simple way to help secure the network against unauthorized access is to disable every switch interface (port) that is not in use. This can be time-consuming, but it improves network security and is well worth the effort.

All switch interfaces must be protected before the device is put into service. One way to protect them is to implement a process called "port security".

Port security limits the number of valid source MAC addresses allowed on each port: devices whose MAC addresses are allowed can send traffic through the port, while all others are rejected.

A port can be configured to allow one or more addresses. If the number of MAC addresses allowed on the port is limited to one, only the device with that specific MAC address can successfully communicate through that port.

Once a port is configured as secure and its allowed MAC addresses have been determined, any further connection attempt from an unknown MAC address is treated as a security violation.

There are several ways to configure port security, according to the type of secure address:

  • Static secure MAC addresses: MAC addresses manually configured on a port; they are stored in the address table and added to the switch's running configuration.
  • Dynamic secure MAC addresses: MAC addresses learned dynamically and stored only in the address table. Addresses learned this way are lost when the switch is rebooted.
  • Persistent secure MAC addresses: MAC addresses that are either learned dynamically or configured manually, and are then stored in the address table and added to the running configuration.

To have an interface convert dynamically learned MAC addresses into persistent secure MAC addresses and add them to the running configuration, persistent learning must be enabled on the switch with the corresponding configuration command.

Security Configuration 

Each switch interface can be configured with one of the following security violation modes, which determines the action taken when a violation occurs on that interface:

  • Protect: frames whose source MAC address is not allowed on the port are discarded. No notification that a security violation occurred is issued.
  • Restrict: frames whose source MAC address is not allowed on the port are discarded, and a notification that a security violation occurred is issued.
  • Shutdown: a port security violation causes the interface to be disabled automatically; no traffic is sent or received through it, and the interface LED turns off.

In the event of a security violation on a switch, the network administrator must determine its cause before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the threat has been removed.
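As an added example that is not from the original post, the following Python model implements the port security behaviour described in the two sections above: a per-interface limit on secure source MACs, static and dynamically learned addresses, persistence (commonly called "sticky") that decides which learned addresses survive a reboot, and the protect, restrict and shutdown violation modes. Interface names and MAC addresses are constructed sample values.

```python
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop offending frames silently
    RESTRICT = "restrict"  # drop them and record a security alert
    SHUTDOWN = "shutdown"  # drop them and disable the whole port

class SecurePort:
    """Port security on one interface: a bounded set of allowed source
    MACs (static, dynamic or persistent) plus the action taken on a violation."""

    def __init__(self, name, maximum=1, mode=Violation.SHUTDOWN, sticky=False):
        self.name, self.maximum, self.mode, self.sticky = name, maximum, mode, sticky
        self.static = set()   # configured by the administrator (in running-config)
        self.dynamic = set()  # learned from traffic (saved to config only if sticky)
        self.enabled, self.violations, self.alerts = True, 0, []

    def add_static(self, mac):
        self.static.add(mac.lower())

    def allowed(self):
        return self.static | self.dynamic

    def ingress(self, src):
        """True if a frame with source MAC `src` is accepted on this port."""
        src = src.lower()
        if not self.enabled:
            return False  # disabled port: no traffic in either direction
        if src in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            self.dynamic.add(src)  # still room: learn it as a secure address
            return True
        self.violations += 1  # limit reached and src is unknown: violation
        if self.mode is Violation.RESTRICT:
            self.alerts.append(f"{self.name}: unauthorized source {src}")
        elif self.mode is Violation.SHUTDOWN:
            self.enabled = False
            self.alerts.append(f"{self.name}: disabled after source {src}")
        return False

    def running_config(self):
        """Addresses that survive a reboot: static plus sticky-learned ones."""
        return self.static | (self.dynamic if self.sticky else set())

    def reenable(self):
        """Administrator action once the cause of the violation is resolved."""
        self.enabled = True
```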
