Exam CS0-002 topic 1 question 135 discussion

A. Implement port security with one MAC address per network port of the switch: Port security restricts access to a specific MAC address on a network port. This solution is relatively straightforward to implement and manage. It provides a level of security by ensuring that only devices with approved MAC addresses can connect to the network through a specific port. It is less likely to cause issues during the deployment phase compared to more complex solutions.

Port security with only 1 MAC does not mean this address would be licit. I can connect a bogus device in a switch port and this device will be allowed as far as my device uses this 1 MAC. For those who say that static mac is easy to configure, just think about a 48 port switch in a DC with 100 switches.

ChatGPT The best solution for implementing a new network configuration on an existing network access layer to prevent possible physical attacks while causing fewer issues during the deployment phase would be: A. Implement port security with one MAC address per network port of the switch. This option is a straightforward and effective way to enhance network security by allowing only specific devices (based on their MAC addresses) to connect to network ports. It's relatively easy to implement and manage, and it doesn't introduce complex network changes that might cause issues during deployment. Additionally, it's a good measure against physical attacks, as it ensures that only authorized devices can connect to the network.

Can't the attacker spoof the MAC address?

"to prevent possible physical attacks"

Implementing port security will help prevent unauthorized access to the network by limiting the number of MAC addresses that can be associated with each network port. This solution is easy to deploy and does not require significant changes to the network topology. It is also less likely to cause issues during the deployment phase compared to other options.

A. Only because it mentions "cause fewer issues to implement". With that being said. Port security is easier to implement with less issues. 802.1x and EAPOL fits the bill as well, to only allow authenticated devices/users access to the network. They device will be in a state of restriction until it passes, however, it will be a bit more difficult to implement which may cause some issues.

802.1X and EAPOL will prevent a device from connecting to the network (via Ethernet) until user is successfully authenticated. Port security feature can be set to only allow one specific MAC address and/or limit the number of devices/MAC address through the port. Option A is suggesting to just limit the number of machines connected to each port to just one, which really isn't a strong security measure against malicious users accessing the network.

Use of authentication and security features such as IEEE 802.1x and access control lists, while an integral part of an organization's threat defense policies, cannot prevent the Layer 2 security attacks. Port Security is a dynamic feature that can be used to limit and identify the MAC addresses of the stations that allow access to the same physical port. When an administrator assigns secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. https://www.techtarget.com/searchnetworking/tip/Preventing-Layer-2-security-threats

Implementing 802.1X and EAPOL (Extensible Authentication Protocol over LAN) can help to secure the network by requiring authentication before granting network access. This can prevent unauthorized access to the network and protect it from physical attacks, as only authorized devices will be able to connect to the network. Additionally, 802.1X is a widely used and well-established solution, which means that it is likely to have fewer issues during the deployment phase compared to other, more complex solutions.

Because of "fewer issues during the deployment phase"

both A and C will do the job but the question says prevent possible physical attacks so I have to go wth A

After researching this it has to be C

to prevent possible physical attacks, you need to assign one mac address to each physical port on the switch.

The question requires "prevent possible physical attacks." , so why the answer not A?

It can't be A so it's C.

I don't think A is a good solution. That is, considering that MAC addresses can be spoofed. The secure solution would be C.