In the ISO 27001 standard, control A.11.4.3 covers the identification of equipment in networks. Taken from the standard itself, A.11.4.3 states that "Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment."
Identification has traditionally been associated with usernames. If I log in as "aaron", it is assumed that aaron has logged into the system (unless I have shared my password with someone else). When it comes to networks and network equipment, identification can take place at the data link and network layers.
The scope of this article is restricted to the use of identification to meet A.11.4.3 on a layer 2 switch.
Access switches work at layer 2 of the OSI stack. The data link layer is associated with MAC addresses. Each MAC address is globally unique, which allows administrators to implement simple identification techniques. On Cisco switches, the administrator can configure a feature known as port security. Port security lets an administrator control the MAC addresses, and therefore the machines, that are allowed on a particular port. Say, for example, you have a 12-port switch with 12 users connected to it, and you are concerned that an unauthorized person or machine could get access to your network by using any one of those ports. The solution is port security: you bind the legitimate MAC addresses of those machines to their respective ports, thereby preventing any other machine from accessing the network through them.
To enable this feature on your Cisco switch, use the following command (CatOS syntax, as documented at the link below):
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
There are other features present with port security, such as setting the maximum number of MAC addresses and the action to be taken in case of a violation. Further information regarding these can be found at the following link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/5.x/configuration/guide/sec_port.html
(One caveat with this solution is that a motivated attacker can spoof a permitted MAC address using software and thereby get access to your network, so port security should be treated as one layer of control rather than the only one.)
Management of the switch can also be controlled through the use of ACLs, which is also what the control in the standard refers to. An administrator can decide which management stations may initiate connections to the switch over telnet or any other management protocol.
Use the following commands to restrict telnet access to the switch to certain IP addresses only:
Switch(config)#access-list 10 permit 10.20.1.5
Switch(config)#line vty 0 4
Switch(config-line)#access-class 10 in
where 10.20.1.5 is the machine which should be given access to the switch.
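As an added example that is not part of the original post, the script below audits a saved running-config for the two controls described here: every access port must have port security with a bound MAC address, and the VTY lines must carry an inbound access-class. It assumes IOS-style configuration syntax (rather than the CatOS command shown earlier), and the config text and helper names are constructed for this example.

```python
"""Audit an IOS-style running-config for the two A.11.4.3 controls discussed
above: port security on access ports and an access-class on the VTY lines.
SAMPLE_CONFIG is a constructed example; FastEthernet0/2 is left unprotected
on purpose so that the audit has something to report."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0090.2b03.3408
!
interface FastEthernet0/2
 switchport mode access
!
access-list 10 permit 10.20.1.5
line vty 0 4
 access-class 10 in
 transport input telnet ssh
!
"""

def parse_blocks(config):
    """Split the config into (header, [child lines]) pairs; indented lines
    belong to the preceding top-level line, '!' separators are ignored."""
    blocks, header, children = [], None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            children.append(line.strip())
        elif line.strip() and line.strip() != "!":
            if header is not None:
                blocks.append((header, children))
            header, children = line.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks

def audit(config):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for header, children in parse_blocks(config):
        if header.startswith("interface") and "switchport mode access" in children:
            if "switchport port-security" not in children:
                findings.append(f"{header}: port security not enabled")
            # Accept either a static binding or the 'sticky' learned form.
            elif not any(c.startswith("switchport port-security mac-address") for c in children):
                findings.append(f"{header}: no MAC address bound (static or sticky)")
        if header.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in", c) for c in children):
                findings.append(f"{header}: no inbound access-class restricting management")
    return findings
```

Run `audit(open("running-config.txt").read())` against a config exported from the switch; each finding names the interface or line that still needs attention.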
The above two steps on the switch are among the ways that network devices can work towards compliance with A.11.4.3.