Free DISA STIG and SRG Library | Vaulted

V-18566

The switch must only allow a maximum of one registered MAC address per access port.

Finding ID
NET-NAC-031
Rule ID
SV-49133r1_rule
Severity
Cat II
CCE
(None)
Group Title
NET-NAC-031
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.

Fix Text

Configure the switch to limit the maximum number of registered MAC addresses on each access switch port to one.

Check Content

Review the switch configuration to verify each access port is configured for a single registered MAC address. Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. The value will not show up in the configuration of the switch itself. To validate the access port has a maximum value of one for allowable MAC addresses, you must run the following command: Switch# show port-security interface Show Command Example: Switch# port int fa0/1 Port Security :Enabled Port Status :Secure-down Violation Mode :Shutdown Aging Time :0 mins Aging Type :Absolute SecureStatic Address Aging :Disabled Maximum MAC Addresses :1 Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port. Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.

Responsibility

Information Assurance Officer

IA Controls

DCSP-1