Check: FORE-NC-000240
Forescout Network Access Control STIG:
FORE-NC-000240
(in version v2 r4)
Title
Forescout switch module must only allow a maximum of one registered MAC address per access port. This is required for compliance with C2C Step 4. (Cat II impact)
Discussion
Limiting the number of MAC addresses that can access from the same switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table's resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.

Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees, and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security but to use a static mapping of authorized devices.

Note: For Forescout, setting the "Maximum connected endpoints per port" to "1" does not prevent multiple MAC addresses from being connected. This setting will cause Forescout to ignore any switch port that has more than "1" MAC address connected. Enable this option to detect endpoints that are connected to the trunk ports of a managed switch. The plugin resolves and displays in the Console the switch properties of these connected endpoints, including the VLAN-related properties Switch Port VLAN, Switch Port VLAN Name, and Switch Port VLAN Change. To use this option, add the uplink port names of the managed switch in the "Don't learn on port names" field. The plugin ignores learn events for those uplink ports. If needed for use of this option, modify the "Maximum connected endpoints per port" field to increase its value to allow plugin detection of multiple endpoints concurrently connected to the same switch port. The field's default value is 10 (endpoints). The updated value must reflect the maximum number of endpoints that can be concurrently connected to the same port. This setting may hinder visibility for larger switches.
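The mechanism the discussion describes, as an added example that is not part of the STIG or of Forescout's own code: a toy switch CAM table in Python with a per-port learned-MAC limit and a static mapping for a phone-plus-PC port. Port names, MAC addresses and the table size are constructed; simulate(1) shows the limit containing a port that sources many addresses, while simulate(10_000) shows the table filling and a late legitimate host being flooded to the whole VLAN instead of switched.

```python
from collections import defaultdict

FLOOD = "flood"  # frame is copied to every port in the VLAN (hub behaviour)

class Switch:
    """Toy CAM table with a per-port learned-MAC limit and static device mappings."""

    def __init__(self, cam_capacity, max_per_port, static=None):
        self.cam_capacity = cam_capacity      # total entries (constructed, small)
        self.max_per_port = max_per_port      # learned MACs per access port; STIG wants 1
        self.static = {p: set(m) for p, m in (static or {}).items()}  # phone + PC ports
        self.cam = {}                         # mac -> port
        self.learned = defaultdict(set)       # port -> dynamically learned macs
        self.violations = []                  # (port, mac) rejected by port security

    def ingress(self, port, src_mac):
        """Learn src_mac on port; return False when the frame is not accepted."""
        if src_mac in self.static.get(port, set()):
            self.cam[src_mac] = port          # statically mapped device: always allowed
            return True
        if src_mac in self.learned[port]:
            return True
        if port in self.static or len(self.learned[port]) >= self.max_per_port:
            self.violations.append((port, src_mac))
            return False
        if len(self.cam) >= self.cam_capacity:
            return False                      # table full: nothing new can be learned
        self.learned[port].add(src_mac)
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac):
        """Unicast to the known port, otherwise flood the VLAN."""
        return self.cam.get(dst_mac, FLOOD)

def simulate(max_per_port, cam_capacity=64):
    phone, pc = "00:00:5e:00:53:01", "00:00:5e:00:53:02"       # constructed MACs
    sw = Switch(cam_capacity, max_per_port, static={"Gi1/0/1": {phone, pc}})
    sw.ingress("Gi1/0/1", phone)
    sw.ingress("Gi1/0/1", pc)
    sw.ingress("Gi1/0/2", "00:00:5e:00:53:10")                   # normal workstation
    for i in range(200):                                         # one port sourcing 200 MACs
        sw.ingress("Gi1/0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    late = "00:00:5e:00:53:20"
    sw.ingress("Gi1/0/4", late)                                  # legitimate host arriving last
    return {"cam_entries": len(sw.cam),
            "rogue_learned": len(sw.learned["Gi1/0/3"]),
            "violations": len(sw.violations),
            "late_host_path": sw.forward(late)}
```

With the limit in place the late host is reached by unicast on its own port; without it the table is full and every frame to that host is flooded, which is the hub behaviour the discussion warns about.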
Check Content
If DOD is not at C2C Step 4 or higher, this is not a finding.

Review the switch configuration to verify each access port is configured for a single registered MAC address.

1. Log on to the Forescout UI.
2. Go to Tools >> Options >> Switch >> Permissions >> Advanced.
3. Verify the "Maximum connected endpoints per port" is set to "1".

If Forescout switch is not configured to permit a maximum of one registered MAC address per access port, this is a finding.
Fix Text
Forescout has the ability to configure the maximum number of connected endpoints per port. Allowing only one MAC address per port will break VOIP. Function is handled by the switch.

1. Log on to the Forescout UI.
2. Go to Tools >> Options >> Switch >> Permissions >> Advanced.
3. Set the "Maximum connected endpoints per port" to one.
Additional Identifiers
Rule ID: SV-233330r1113804_rule
Vulnerability ID: V-233330
Group Title: SRG-NET-000343-NAC-001480
CCIs
Number | Definition
---|---
CCI-001958 | Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
Controls
Number | Title
---|---
IA-3 | Device Identification and Authentication