Ethernet LANs need to be protected because they are susceptible to address spoofing and Layer 2 denial-of-service (DoS) attacks. Fortunately, the port security feature in Juniper switches allows you to protect the access ports on your device against such attacks.
Junos OS is robust because its control, forwarding, and services planes are separated, with each function running in protected memory. In addition, the control-plane CPU is safeguarded by rate limiting, routing policy, and firewall filters. This helps ensure server uptime even when there is a severe attack.
Is It Easy to Add Port Security Features in Juniper Devices?
Yes. The specialized Juniper operating system, Junos OS, comes with several port security features for your device. You can categorize your ports as trusted and untrusted and then apply appropriate policies to each category to protect the ports against various attacks.
All the basic port security features are enabled by default in the device's configuration. You can use a single Junos OS CLI command to control access port security features such as dynamic address resolution protocol (ARP) inspection, DHCP snooping, and MAC limiting. In short, you can configure additional port security features with minimal configuration steps.
Based on the feature you want to enable, you can configure it either on VLANs or bridge domain interfaces.
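As an added illustration (not configuration from the original article), the following ELS-style Junos OS set commands show how the VLAN-level features named above are switched on together: enabling dynamic ARP inspection on a VLAN also turns on DHCP snooping for it, a group marks the uplink to the real DHCP server as trusted, and a MAC limit is placed on one access port. The VLAN name, group name, and interface names are assumptions chosen for this example.

```junos
# Added example; VLAN, group and interface names are placeholders chosen for this illustration.
# Enabling DAI on the VLAN also enables DHCP snooping, since DAI validates ARP packets
# against the bindings that snooping builds from observed DHCP leases.
set vlans employee-vlan forwarding-options dhcp-security arp-inspection
# IP source guard drops IP traffic whose source address does not match a snooping binding.
set vlans employee-vlan forwarding-options dhcp-security ip-source-guard

# Only the uplink towards the legitimate DHCP server is trusted; every other member port of the
# VLAN stays untrusted, so DHCP server replies arriving on access ports are discarded.
set vlans employee-vlan forwarding-options dhcp-security group dhcp-trusted overrides trusted
set vlans employee-vlan forwarding-options dhcp-security group dhcp-trusted interface ge-0/0/47.0

# Cap the number of MAC addresses learned on one access port and drop frames from any further
# address, which blunts switching-table overflow attempts from that port.
set switch-options interface ge-0/0/1.0 interface-mac-limit 4 packet-action drop

# Verification: the snooping bindings, DAI statistics, and the learned MAC table.
show dhcp-security binding
show dhcp-security arp inspection statistics
show ethernet-switching table
```

The trusted group is the important part operationally: if the uplink to the DHCP server is left untrusted, legitimate DHCP offers are dropped along with rogue ones and clients lose addressing.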
What hardware and software security features do Juniper Switches offer?
Some of the hardware and software security features that come with Juniper Networks EX Series Ethernet Switches are:
- Console port
- Out-of-band management
- Software images
- User authentication, authorization, and accounting
What port security features do Juniper Switches have?
Some of the port security features available with Juniper Networks EX Series Ethernet Switches are:
- DHCP Snooping
- Trusted DHCP Server
- DHCPv6 Snooping and other options
- Dynamic ARP Inspection (DAI)
- IPv6 Neighbor Discovery Inspection
- IP & IPv6 Source Guard
- MAC limiting & MAC move limiting
- Persistent MAC Learning
- Unrestricted & restricted proxy ARP
What kind of protection does Juniper switch port security provide?
Port security features can protect the Juniper Switches against the following attacks:
- Ethernet Switching Table Overflow Attacks – An attacker sends frames from so many new MAC addresses that the switching table cannot accommodate or learn all of them.
- Rogue DHCP Server Attacks – An attacker sets up a rogue DHCP server that imitates a legitimate DHCP server on the LAN and issues leases to the network's DHCP clients to disrupt network access, leading to DoS.
- ARP Spoofing Attacks – An attacker sends fake ARP messages on the network to associate its own MAC address with the IP address of a device connected to the switch, so that traffic intended for that IP address is sent to the attacker instead.
- DHCP Snooping Database Alteration Attacks – An attacker introduces a DHCP client on one of the switch's untrusted access interfaces with a MAC address similar to that of a legitimate client and acquires a DHCP lease, which ultimately alters the entries in the DHCP snooping table.
- DHCP Starvation Attacks – An attacker floods the Ethernet LAN with DHCP requests from counterfeit MAC addresses so that the switch cannot keep up with requests from legitimate DHCP clients.
How do I enable port security in Juniper Switches?
Here is how to configure Layer 2 Port Security Features on Ethernet-Connected End Systems:
To Configure Storm Control
- Create a storm control profile and specify the percentage of the bandwidth available to BUM (broadcast, unknown unicast, and multicast) traffic.
- Apply the storm control profile to the ingress Layer 2 interface. When the profile is applied, the interface stays in the default switch instance.
- Verify storm control activity by filtering the system log messages related to storm control.
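The three steps above, written out as ELS-style Junos OS set commands; this is an added example, not configuration from the original article. The profile name, the 20% limit, the recovery timer, and the interface are assumptions chosen for the illustration.

```junos
# Added example; profile name, percentage, timer and interface are placeholders chosen for this illustration.
# 1. Profile: cap BUM (broadcast, unknown unicast, multicast) traffic at 20% of the port bandwidth.
#    action-shutdown disables the port when the limit is exceeded instead of only dropping the excess,
#    which makes a storm visible to operators rather than silently degrading the port.
set forwarding-options storm-control-profiles bum-20pct all bandwidth-percentage 20
set forwarding-options storm-control-profiles bum-20pct action-shutdown

# 2. Apply the profile on the ingress side of an access port. The port remains in the default switch
#    instance; no routing-instance change is involved.
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control bum-20pct
#    With action-shutdown, let the port recover automatically after 600 seconds instead of requiring
#    a manual clear; without this, a disabled port stays down until an operator intervenes.
set interfaces ge-0/0/1 unit 0 family ethernet-switching recovery-timeout 600

# 3. Verify: storm-control events are logged, and the port state shows whether it was disabled.
show log messages | match storm
show interfaces ge-0/0/1 terse
```

Without the shutdown action the profile only drops traffic above the threshold, which protects the switch but leaves the source of the storm connected; the log check in step 3 is what tells you which port is generating it.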
To Configure Port Security Using MAC Filtering
- Set up a firewall filter for the ingress interface.
- Apply this filter to the ingress of an access interface or Layer 2 interface.
- Set up a firewall filter for the egress interface and apply this filter to the egress interface.
- Verify MAC filtering on both the ingress and egress interfaces.
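The MAC filtering procedure above as ELS-style Junos OS set commands, added here as an example and not taken from the original article. The filter names, the host MAC address, and the interface are assumptions chosen for the illustration; the egress filter deliberately includes a term for the broadcast address, because an egress filter that admits only the host's own MAC would also drop the broadcast ARP requests the host needs to receive.

```junos
# Added example; filter names, MAC addresses and interface are placeholders chosen for this illustration.
# Ingress filter: accept frames sourced from the one known host on this port, count and discard the rest.
# Counting the discards gives a verification point and a detection signal for spoofing attempts.
set firewall family ethernet-switching filter in-port-sec term known-host from source-mac-address 00:11:22:33:44:55/48
set firewall family ethernet-switching filter in-port-sec term known-host then accept
set firewall family ethernet-switching filter in-port-sec term deny-rest then count in-port-sec-drops
set firewall family ethernet-switching filter in-port-sec term deny-rest then discard

# Apply it on the ingress side of the access port.
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input in-port-sec

# Egress filter: only frames addressed to the known host, or to the broadcast address, may leave
# through this port. Without the broadcast term the host would never see ARP requests for itself.
set firewall family ethernet-switching filter out-port-sec term known-host from destination-mac-address 00:11:22:33:44:55/48
set firewall family ethernet-switching filter out-port-sec term known-host then accept
set firewall family ethernet-switching filter out-port-sec term broadcast from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family ethernet-switching filter out-port-sec term broadcast then accept
set firewall family ethernet-switching filter out-port-sec term deny-rest then count out-port-sec-drops
set firewall family ethernet-switching filter out-port-sec term deny-rest then discard

# Apply it on the egress side of the same port.
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter output out-port-sec

# Verify: the counters on the deny-rest terms show how many frames each filter is dropping.
show firewall filter in-port-sec
show firewall filter out-port-sec
```

A static MAC filter like this only suits ports with a fixed, known device; for ports where hosts change, the MAC limiting and DHCP snooping features described earlier on this page are the appropriate controls, since they learn the legitimate addresses rather than hard-coding them.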
The above is a brief overview of what needs to be done to enable port security.
For any queries related to the purchase of Juniper switches and Juniper security modules and cards.