Blog | G5 Cyber Security

Stop Network Scans at Your Switch

TL;DR

Network scans are often the first sign that someone is probing your network for weaknesses. This guide shows how the port-security feature on a managed switch blocks an unauthorised device from talking on a switchport and logs the attempt, so you can spot and stop probing from a rogue device at the edge. Note what this does and does not cover: it stops a device that is plugged into a port it should not be using; it does not stop scans launched from an authorised host that has been compromised.

How to Block Network Scanning Attempts at the Switchport

  1. Understand Port Security: Most managed switches have a feature called ‘Port Security’. It limits which MAC addresses (and how many) are allowed to send traffic on each access port, and it is the main tool used here. There are two ways to tell the switch which addresses are permitted:
    • Static MAC Addresses: You manually configure the exact MAC address(es) permitted on the port. Best for devices with fixed MAC addresses and fixed locations (printers, servers, access points).
    • Dynamic MAC Addresses: The switch learns the MAC address of the first device that connects and then allows only that one. Convenient for user workstations, but it trusts whatever plugs in first, and a plain dynamic entry is lost when the port goes down or the switch reloads (the ‘sticky’ variant below fixes the second problem).
    • Caveat: a MAC address is trivially changed on any laptop, so port security stops the casual or accidental connection of an unauthorised device; it does not prove who the device is. Treat it as a containment and detection control, and use 802.1X (see below) where you need real device authentication.
  2. Configure Port Security (Static Method – Recommended):
    1. Access your Switch: Log into the switch’s management interface, usually a web UI or SSH. Prefer SSH over Telnet, which sends your admin credentials in clear text.
    2. Find the Port Security Settings: The exact location varies by switch manufacturer (Cisco, HP, Netgear etc.). Look for sections like ‘Port Security’, ‘MAC Filtering’, or similar.
    3. Enable Port Security on the Target Port: Select the port you want to protect.
    4. Set the MAC Address(es): Enter the MAC address of the device that *should* be allowed on this port. You can usually add multiple addresses (on Cisco IOS the limit is set with ‘switchport port-security maximum’, which defaults to 1), but keep it minimal. The example below is Cisco IOS syntax; other vendors expose the same settings under different names.
      interface GigabitEthernet0/1
       switchport mode access
       switchport port-security
       switchport port-security mac-address 0011.2233.4455
       switchport port-security violation restrict
      
    5. Set the Violation Mode: This determines what happens when a frame arrives from a MAC address that is not permitted on the port. On Cisco IOS the three modes are:
      • Protect: Silently drops frames from unknown MAC addresses. No log message, no SNMP trap, no violation counter. Traffic is blocked, but you will never know it happened, so this mode is useless for detecting scans.
      • Restrict: Drops frames from unknown MAC addresses, logs a syslog message, sends an SNMP trap and increments the port’s violation counter. The port stays up for the permitted device. This is a good starting point.
      • Shutdown: Puts the port into the err-disabled state, cutting off every device on it. This is the default mode and the most disruptive; the port stays down until an administrator runs ‘shutdown’ then ‘no shutdown’ on it, unless ‘errdisable recovery cause psecure-violation’ is configured to bring it back automatically after an interval.
  3. Configure Port Security (Dynamic Method):
    1. Follow steps 1-3 from above.
    2. Enable port security with ‘sticky’ learning. The switch learns the MAC address of the first device that sends a frame on the port and writes it into the running configuration as if you had typed it statically. Save the configuration afterwards (‘copy running-config startup-config’) so the learned address survives a reload.
    3. On Cisco IOS:
      interface GigabitEthernet0/2
       switchport mode access
       switchport port-security
       switchport port-security mac-address sticky
       switchport port-security violation restrict
      
  • Enable Port Security Violation Logging: Make sure the switch is sending its logs somewhere you keep and read (a syslog server, not just the local buffer). In ‘restrict’ mode every blocked device produces a violation message; in ‘protect’ mode nothing is logged, so verify you did not pick that mode by accident.
    • On Cisco IOS the message to look for is ‘%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address … on port …’. ‘show port-security interface GigabitEthernet0/1’ shows the mode, the violation count and the last offending source address for a port, and ‘show port-security address’ lists every permitted (static, sticky or dynamic) MAC address per port. Other vendors use wording such as ‘MAC address violation’ or ‘Port Security violation’.
  • Consider 802.1X Authentication: For higher security, use 802.1X (if your switch, your endpoints and a RADIUS server support it). The device or user must authenticate before the port forwards any traffic, which closes the MAC-spoofing gap that port security on its own leaves open.
  • Monitor Your Logs Regularly: Review violation messages and the per-port violation counters. One unknown MAC address repeating on one port is usually a device plugged into the wrong socket; a burst of different unknown MAC addresses on the same port in a short time is what a rogue device or a scanner cycling its MAC address looks like, and deserves a visit to the patch panel.
  • Important Notes:
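
The triage rule above (one repeating unknown MAC versus many distinct unknown MACs on a port) is easy to automate. The script below is an added example, not part of the original post or any vendor tool: it parses Cisco IOS-style port-security violation messages from a syslog file, groups them per port, and flags ports where several different unauthorised MAC addresses were seen. The log lines are constructed for the example in the shape IOS emits; the port names, MAC addresses and the threshold of three distinct addresses are assumptions you would tune for your own network.

```python
import re
import sys
from collections import defaultdict

# Matches the Cisco IOS port-security violation syslog message and
# captures the offending MAC address and the port it arrived on.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

# Constructed sample log (not a real capture). Gi0/3 shows four different
# unknown MACs in a few seconds; Gi0/7 shows the same unknown MAC twice,
# with an unrelated link message in between that the parser must ignore.
SAMPLE_LOG = """\
Mar  1 08:00:01.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/3.
Mar  1 08:00:02.233: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port GigabitEthernet0/3.
Mar  1 08:00:03.402: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4457 on port GigabitEthernet0/3.
Mar  1 08:00:04.555: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4458 on port GigabitEthernet0/3.
Mar  1 08:15:10.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address AABB.CCDD.EEFF on port GigabitEthernet0/7.
Mar  1 08:15:11.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
Mar  1 08:16:40.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccdd.eeff on port GigabitEthernet0/7.
"""


def parse_violations(log_text):
    """Return a list of (port, mac) tuples, one per violation message.

    Lines that are not port-security violations are skipped. MACs are
    lower-cased so that differently cased copies of one address collapse.
    """
    events = []
    for line in log_text.splitlines():
        match = VIOLATION_RE.search(line)
        if match:
            events.append((match.group("port"), match.group("mac").lower()))
    return events


def summarize(events, distinct_mac_threshold=3):
    """Group violations per port and classify each port.

    'investigate'   : at least distinct_mac_threshold different unknown MACs
                      hit the port (rogue device, hub, or a scanner cycling
                      its MAC address).
    'single-device' : fewer distinct MACs, typically one device plugged into
                      the wrong socket.
    """
    macs_by_port = defaultdict(list)
    for port, mac in events:
        macs_by_port[port].append(mac)

    report = {}
    for port, macs in macs_by_port.items():
        distinct = sorted(set(macs))
        verdict = "investigate" if len(distinct) >= distinct_mac_threshold else "single-device"
        report[port] = {
            "violations": len(macs),
            "distinct_macs": distinct,
            "verdict": verdict,
        }
    return report


def main(argv):
    # Read a syslog file if one is given, otherwise use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG

    report = summarize(parse_violations(log_text))
    for port in sorted(report):
        entry = report[port]
        print(f"{port}: {entry['violations']} violations, "
              f"{len(entry['distinct_macs'])} distinct MACs -> {entry['verdict']}")
        for mac in entry["distinct_macs"]:
            print(f"    {mac}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the classification of the built-in sample, or pass the path of a syslog file collected from your switches. Against the sample it reports GigabitEthernet0/3 as ‘investigate’ (four distinct unknown MACs) and GigabitEthernet0/7 as ‘single-device’ (one MAC seen twice). A real deployment would feed the same logic from your log pipeline and alert on the ‘investigate’ verdict.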
