How IP and MAC addresses are bound to a switch port

Source: Internet
Author: User

Information security managers want, when a security incident occurs, not only to trace it to the computer involved but also to locate the user's physical position. Binding the MAC address to the IP address is a common way to do this: the IP address is the computer's "name", the one it is known by on the network, while the MAC address is its "ID card number", which should never be duplicated because the manufacturer assigns it when the device is produced. In practice, changing an IP address is easy, and many software tools can just as easily change the MAC address, so "identity impersonation" is relatively easy and the network is not safe on that basis alone.

Following the "Vase Model" line of thinking about trust systems, most people identify users with identity authentication based on the 802.1X protocol (authentication at the application layer, or Cisco's EoU technology, can also be used). The purpose is to bind the user account, the IP address and the MAC address together, so that the computer can be traced to a confirmed person.

In this authentication mode, the security client software on the computer completes the login to the network, and the MAC address is also sent to the authentication server by the client software. The detailed process is not described here.

First, the problem and the requirements

802.1X authentication solves the MAC binding problem, but it still cannot locate the physical position of the user's computer, because which switch and which port the computer is connected to remain unknown. When a user moves the computer to another location, the administrator can only trace it level by level through other network management systems. So, can the switch port be bound together with the IP and MAC addresses? If so, the computer's physical location is determined.

First of all, the relevant security standards require the following:

1. For important secured networks, terminal security must implement MAC/IP/switch-port binding.

2. For private networks, unused switch ports must be shut down (not opened until authorised).

Secondly, the goals of implementing switch port binding are:

To prevent foreign, unauthorised computers from accessing the network (that is, from reaching network resources).

When a computer connects to the network, the security monitoring system can immediately discover its MAC and IP addresses together with the switch port it is connected to, and authenticate it; an unauthorised computer raises an alarm, has its access terminated, or is denied access to any network resource.

When a security incident occurs, the machine can be located (by MAC and IP), its physical position can be located (by switch port), and the person can be located (user account, name, telephone, ...) from the information bound to the user.

Second, strategies for binding switch port information

Depending on the security policy of the access switch, port information binding can be done in two ways: static mode and dynamic mode.

1. Static mode: the computer's location is fixed; it can connect only through the preconfigured switch port, and ports that have not been configured (that is, authorised on application) cannot be used to connect to the network.

Static means that the MAC address learning function of the switch is turned off: the computer can reach the network only from the port it has been allowed on, otherwise the switch does not forward its data. As long as a computer can log in, its position is therefore fixed.

2. Dynamic mode: the computer may connect to any port of the switch. During network access authentication, the port information is extracted dynamically from the switch and bound dynamically with the MAC, IP and other information.

Dynamic means that, when a computer accesses the network, the security system automatically looks up the switch port information. This information can only come from the switch, which alone knows which port a frame arrived on; it cannot come from the client software, which could report anything.
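The following is an added example, not code from the original article or from any product it describes, showing how a monitoring system can turn switch-side facts into bindings and check them in both modes. It parses a constructed dump in the layout of Cisco IOS `show mac address-table` and `show ip arp` (the sample rows, MACs, IPs, accounts and port names are all made up), joins them with a constructed registry of what the authentication server recorded, reports unknown devices, IP mismatches and (in static mode) port mismatches, rebinds known MACs to their observed ports in dynamic mode, and resolves an incident IP to MAC, port and account as the goals above describe.

```python
"""Correlate switch-side facts (MAC table, ARP table) with the registry kept
by the authentication system into (account, IP, MAC, port) bindings, check
them in static or dynamic mode, and resolve an incident IP to a port and user.
Added example; every input below is a constructed sample, not captured output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of Cisco IOS `show mac address-table`.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.66aa    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/9
"""

# Constructed sample in the layout of `show ip arp`.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.21              5   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.22              3   0011.2233.66aa  ARPA   Vlan10
Internet  10.1.20.40              1   00aa.bbcc.dd01  ARPA   Vlan20
"""

# Constructed registry: what the authentication server recorded per MAC
# (account and IP) plus the port each MAC was authorised on in static mode.
REGISTRY = {
    "00:11:22:33:44:55": {"account": "alice", "ip": "10.1.10.21", "port": "Gi1/0/5"},
    "00:11:22:33:66:aa": {"account": "bob",   "ip": "10.1.10.25", "port": "Gi1/0/3"},
}

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+(\w+)\s+(\S+)\s*$")
ARP_ROW = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F.]{14})\s+ARPA\s+(\S+)")


def norm_mac(mac: str) -> str:
    """Normalise 'aabb.ccdd.eeff', 'AA-BB-..' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, str]:
    """MAC -> port, from the data rows of a `show mac address-table` dump."""
    ports = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            ports[norm_mac(m.group(2))] = m.group(4)
    return ports


def parse_arp_table(text: str) -> Dict[str, str]:
    """MAC -> IP, from the data rows of a `show ip arp` dump."""
    ips = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ips[norm_mac(m.group(2))] = m.group(1)
    return ips


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: Optional[str]
    port: str
    account: Optional[str]


def build_bindings(mac_table: Dict[str, str], arp_table: Dict[str, str],
                   registry: Dict[str, dict]) -> List[Binding]:
    """Join the switch's view (MAC->port, MAC->IP) with the auth-side registry."""
    return [Binding(mac, arp_table.get(mac), port, registry.get(mac, {}).get("account"))
            for mac, port in mac_table.items()]


def check_bindings(bindings: List[Binding], registry: Dict[str, dict],
                   static: bool = True) -> List[Tuple[str, str]]:
    """Findings worth an alarm: unknown MACs, IP mismatches and, in static
    mode, a known MAC seen on a port other than the one it was authorised on."""
    findings = []
    for b in bindings:
        reg = registry.get(b.mac)
        if reg is None:
            findings.append((b.mac, f"unknown device on {b.port}"))
            continue
        if b.ip is not None and reg["ip"] != b.ip:
            findings.append((b.mac, f"ip mismatch: registered {reg['ip']}, seen {b.ip}"))
        if static and reg["port"] != b.port:
            findings.append((b.mac, f"port mismatch: allowed {reg['port']}, seen {b.port}"))
    return findings


def bind_dynamic(bindings: List[Binding], registry: Dict[str, dict]) -> Dict[str, dict]:
    """Dynamic mode: rebind each known MAC to the port the switch currently reports."""
    updated = {mac: dict(reg) for mac, reg in registry.items()}
    for b in bindings:
        if b.mac in updated:
            updated[b.mac]["port"] = b.port
    return updated


def locate(ip: str, bindings: List[Binding]) -> Optional[Binding]:
    """Incident lookup: IP -> (MAC, port, account) from the current bindings."""
    return next((b for b in bindings if b.ip == ip), None)


if __name__ == "__main__":
    bindings = build_bindings(parse_mac_table(MAC_TABLE), parse_arp_table(ARP_TABLE), REGISTRY)
    for mac, finding in check_bindings(bindings, REGISTRY, static=True):
        print(f"ALARM {mac}: {finding}")
    print("incident host:", locate("10.1.10.21", bindings))
```

Run as a script it prints the three static-mode alarms for the sample (one unknown device, one IP mismatch and one port mismatch) and the binding behind 10.1.10.21. In a real deployment the two tables would be pulled from each access switch over SNMP or SSH on a schedule or on an authentication event; the registry would be the authentication server's database.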

Third, switch port binding scheme I: protocol extension

In standard 802.1X, the switch is responsible for controlling the port and managing the data port, but it does not carry port information in the authentication packet. Some switch manufacturers extend the 802.1X protocol (a private protocol) to add port information. This scheme obviously belongs to the dynamic binding mode.

Main points of the scheme:

All access-layer switches must support the private extended protocol (so the switches must come from the same manufacturer).

The terminal security system server must support the extended authentication protocol (adding the switch port).

Advantages and disadvantages of the scheme:

The advantage is that the binding is implemented entirely within the protocol.

The disadvantage is that the network switches must come from a single manufacturer, because private protocols are hard to interoperate, and the terminal security system must also be customised.
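Whatever the vendor extension carries between client and switch, the leg of 802.1X that the authentication server actually sees is RADIUS, and the standard attributes there already let the switch (the authenticator) report both the supplicant's MAC and the port: RFC 2865 defines User-Name, NAS-IP-Address, NAS-Port and Calling-Station-Id, RFC 2869 adds the textual NAS-Port-Id, and RFC 3580 specifies that on 802.1X Calling-Station-Id holds the supplicant MAC. The example below is added here and is not part of the article's scheme; it encodes a constructed Access-Request (the account name, addresses and port name are made up; the attribute numbers are the standard ones), parses it with length checks so a truncated or malformed attribute is rejected rather than misread, and extracts the account/MAC/switch/port binding the scheme above wants. The IP is left unset because it is normally not known at authentication time and is attached later, for example from DHCP snooping.

```python
"""Extract the (account, MAC, switch, port) binding from the RADIUS
Access-Request an 802.1X authenticator sends to the authentication server,
using standard attributes (RFC 2865, RFC 2869, RFC 3580).
Added example; the sample packet below is constructed, not captured."""
import ipaddress
import re
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR = {
    "User-Name": 1,            # RFC 2865
    "NAS-IP-Address": 4,       # RFC 2865: the switch's own address
    "NAS-Port": 5,             # RFC 2865: numeric port index chosen by the switch
    "Framed-IP-Address": 8,    # RFC 2865: optional; usually absent at auth time
    "Calling-Station-Id": 31,  # RFC 2865; RFC 3580: supplicant MAC on 802.1X
    "NAS-Port-Id": 87,         # RFC 2869: textual port name
}
NAME = {code: name for name, code in ATTR.items()}


def avp(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, total length, value (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, attrs: List[bytes]) -> bytes:
    """Assemble code, identifier, length, 16-byte authenticator and attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into code, identifier, authenticator and raw AVPs,
    rejecting truncated packets and attributes whose length runs past the end."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def norm_mac(text: str) -> str:
    """Normalise '00-11-22-33-44-55' (RFC 3580 form) or other spellings to colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def binding_from_request(pkt: bytes) -> Dict[str, object]:
    """Decode the standard attributes and return the binding record; refuse to
    bind when the switch did not report both the MAC and the port."""
    code, _, _, attrs = parse_radius(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields: Dict[str, object] = {}
    for atype, value in attrs:
        name = NAME.get(atype)
        if name in ("NAS-IP-Address", "Framed-IP-Address"):
            fields[name] = str(ipaddress.IPv4Address(value))
        elif name == "NAS-Port":
            fields[name] = struct.unpack("!I", value)[0]
        elif name is not None:
            fields[name] = value.decode("ascii", errors="replace")
    if "Calling-Station-Id" not in fields or "NAS-Port-Id" not in fields:
        raise ValueError("switch did not report MAC and port; cannot bind")
    return {
        "account": fields.get("User-Name"),
        "mac": norm_mac(str(fields["Calling-Station-Id"])),
        "ip": fields.get("Framed-IP-Address"),  # None until learned later
        "switch": fields.get("NAS-IP-Address"),
        "port": fields["NAS-Port-Id"],
        "nas_port": fields.get("NAS-Port"),
    }


# Constructed sample request: values are made up, attribute numbers are standard.
SAMPLE_REQUEST = build_access_request(
    ident=7,
    authenticator=bytes(range(16)),  # constructed; a real authenticator is random
    attrs=[
        avp(ATTR["User-Name"], b"alice"),
        avp(ATTR["NAS-IP-Address"], ipaddress.IPv4Address("10.1.0.2").packed),
        avp(ATTR["NAS-Port"], struct.pack("!I", 50105)),
        avp(ATTR["Calling-Station-Id"], b"00-11-22-33-44-55"),
        avp(ATTR["NAS-Port-Id"], b"GigabitEthernet1/0/5"),
    ],
)

if __name__ == "__main__":
    print(binding_from_request(SAMPLE_REQUEST))
```

The point for the server side of the scheme is that NAS-IP-Address plus NAS-Port-Id is already a switch-sourced (switch, port) pair, so the binding record can be created at authentication time and only the IP needs to be filled in afterwards; a real server would also verify the Message-Authenticator or shared-secret checks before trusting any of these values.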
