The typical business network is built on cabling that runs from a network closet, where the switches and patch panels live, out to the rooms and desks that need connectivity. The switch models a business uses vary with its size and the number of systems that need a physical network connection, but there are almost always a few switch ports left unused. These present a security risk: a nefarious actor could plug a device into an open switch port and gain access to the network.
Port Security addresses this risk. It is a feature of Cisco switches, although other manufacturers offer their own interpretations of it. Port Security binds one or more specific device MAC addresses to a specific port, so traffic from any other MAC address is rejected immediately. Allowing more than one MAC address per port preserves some degree of flexibility. There are three methods for implementing Port Security:
- Static: The appropriate MAC address is manually input into the switch configuration and persists across restarts.
- Dynamic: MAC addresses are learned automatically during a session and are forgotten on a restart.
- Sticky: MAC addresses can be learned dynamically or entered manually, and the switch writes them into its configuration so they persist across restarts.
While most businesses are moving towards wireless-dominant infrastructure, there are still bound to be many physically connected network devices. Since switches provide core functionality to network clients, they should be protected from any intrusion that could jeopardize the confidentiality, integrity, or availability (the CIA Triad) of the network. Most organizations have wall jacks installed throughout the facility that let clients connect devices to switch ports. If a wall jack is exposed in a publicly accessible area, the risk of unauthorized access increases substantially, and Port Security should be implemented in such a scenario to lower that risk.
At a minimum, Port Security should be implemented in the network segments that host critical company servers. Since an organization can generally identify every major server it hosts, it should be straightforward to narrow access down to a few select switch ports and disable the rest.
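To make the three modes listed above concrete, and to show what "disable the rest" looks like in practice, here is an added Cisco IOS configuration example for a Catalyst access switch. It is not taken from the original article; the interface numbers, VLAN IDs, descriptions and the MAC address are constructed for illustration, and the exact command syntax can differ slightly between IOS versions and platforms.

```cisco
! Added example (not from the original article). Interface names, VLANs
! and MAC addresses are constructed placeholders.

! Static: the server NIC's MAC is typed into the configuration by hand.
! It survives reloads because it is part of the saved config.
interface GigabitEthernet1/0/1
 description Critical server (constructed example)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown

! Sticky: the switch learns up to two MACs (e.g. an IP phone and the PC
! behind it) and writes them into the running configuration, so they
! persist once the configuration is saved.
interface GigabitEthernet1/0/2
 description Office wall jack - phone + PC
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

! Dynamic: no mac-address line, so the first MAC seen is learned for the
! session only and is dropped after 60 minutes of inactivity or a reload.
interface GigabitEthernet1/0/3
 description Shared workspace jack
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity

! Unused ports: shut them down and park them in an unused VLAN so that
! an accidental "no shutdown" still does not land a device on a live VLAN.
interface range GigabitEthernet1/0/4 - 24
 description UNUSED - shutdown
 switchport mode access
 switchport access vlan 999
 shutdown

! Optional: bring err-disabled ports back automatically after 5 minutes
! instead of requiring an engineer to clear each one by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Verification commands to run after applying the configuration:
! show port-security
! show port-security interface GigabitEthernet1/0/1
! show port-security address
```

Two points worth checking after applying something like this. First, the violation mode decides what a defender sees: `protect` silently drops frames from unknown MACs, `restrict` drops them and raises a counter and a syslog/SNMP trap, and `shutdown` puts the port into the err-disabled state, so `restrict` or `shutdown` is the better choice wherever you want a detectable signal. Second, sticky addresses live only in the running configuration until you issue `copy running-config startup-config`, so a switch that reloads before the configuration is saved comes back with nothing learned. Port Security matches only the source MAC of incoming frames, so on segments that need stronger device identification pair it with 802.1X rather than relying on it alone.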
