Martí Griera (Marti.Griera@uab.es)
Ángel Jarabo (Angel.Jarabo@cc.uab.es)
Maribel Jiménez (Maribel.Jimenez@uab.es)
Juan Antonio Martínez (Juanan.Martinez@uab.es)
Network Department - Servei d’Informàtica
Universitat Autònoma de Barcelona.


Security is an everyday problem for network administrators. Much work has been done in the recent years concerning high-level security. In this paper we describe the work carried out in our campus network in order to provide security at lower levels. We will show that this level of security is, at least, so important as security at higher levels. The main tool used will be the well-known SNMP protocol. Some other aspects as the integration of management protocols with user databases (mainly LDAP) will be explained.


Description of the problem
Whole network ‘anti-sniffing’ securization
Solution for teaching classrooms
Solution for the libraries free-access points
State of implementation
Requirements for the implementation of such a system
Concluding remarks

Description of the problem

The University can be considered a heterogeneous environment with different users and different requirements. This paper shows in detail the issues we have considered in order to implement a global security policy for our campus network. We explain the actions we have taken in order to avoid security holes in the various environments the university has.

These actions are not restricted to a campus environment. Any network with management facilities in its devices is suitable for our design. Our main goal is to develop a vendor-independent solution which can even work in a environment where devices from many vendors coexist. This solution must take maximum profit of the standard SNMP management protocol. In our opinion, powerful features of this protocol are not widely used today, although their use would increase greatly security in today's networks.

To begin with, we explain the work carried out concerning physical security and the access policy to the network resources. We will discuss the policies we implement on the basis of the functional differences on the points where the network is present. We will introduce the concept of ‘authorized points’. For this kind of points we will try to develop a technique to avoid the inherent insecure nature of the Ethernet topologies. In such networks, one machine in a segment can easily see traffic not addressed to it (‘sniffing attacks’). We will implement a solution that is almost ‘port bridging’ without its hardware requirements.

Then we will introduce another type of points. Computers are everyday more important in teaching and educational purposes. Some teachers have their own laptop computer, with an ethernet adapter. This laptop is used to teach classes. These network points at the classrooms are potential security holes. The idea implemented and explained in this paper is an ‘on-demand restricted activation’ based on the integration of authorized identification (LDAP) and network management (SNMP). Only authorized users with authorized machines will be able to use that point.

In addition to teaching, the University means also studying. So we have developed a system for our students to connect their laptops to our network access points in the libraries. Here again, security is a must, but can not restrict the need for the service.

To sum up we will show the exact definition and results of these policies and the technical requirements to implement them.


This project began with the following objectives:

All this points will be achieved working at the lowest network levels. More exactly our work will be carried out with the network management protocol (SNMP) interacting with SNMP-enabled network devices. For user authentication we will use database standard systems. Our implementation works with the lightweight directory access protocol (LDAP), but, as we will show later, other solutions can be easily integrated.

Whole network ‘anti-sniffing’ securization

Our first objective was to avoid the sniffing of the Ethernet shared networks. In fact this problem had been greatly reduced with the switching structure of our campus network and the separation of the critic areas with routing (more exactly our computer classrooms for students). Anyway, we looked for a more ambitious solution, that were independent of the network physical topology.

Our approach is to take advantage of the SNMP network management protocol. Our campus hubs have management capabilities and they have the possibility to secure their ports. With these security capacity we can achieve that only those packets directed to the machine connected to a port are delivered to this port. Technically it’s a masking solution, that makes the packets not addressed to the receiver on a port uninteligible to it.

This policy can be thought as quite simple, but it is really powerful. To begin with, after being implemented no hubs will work on the network without the knowledge of the network managers. A user will not be able to install more than one physical (MAC) address on a secured closet, as the hub will only allow the operation of one of them. So, we achieve a perfect control of our network infrastructure, avoiding the uncontrolled growth of the network.

We can go even further. We can –if it’s necessary- associate a unique port-MAC address relation. This means that a machine can only work where it is supposed to. Furthermore, the system interacts with the network database (obtained also with SNMP) not allowing unauthorized machines to work. For example, we don’t allow a network node to connect if its Ethernet address won’t be able to find an IP address from our dhcp servers.

The operation of the system described above is fully automatic. A set of scripts defines the policies we are to follow. The system generates a conceptual view of the network, on which it operates. So, we have not only a security tool but also a real viewer of the network status.

Solution for teaching classrooms

When we look for a teaching classroom solution, the following points should be considered:

Here the most important point is having a global authentication system. We have tried to follow the current standards and have implemented an LDAP based solution to authenticate our users. Our first idea was a Web-based interface in which the user asks for the service when he needs it. The network point is normally disabled, and when the teacher wants to use it, asks for the service. If the pair user-password is correct, then the hub port will be activated via SNMP. The problem to solve here was the timing policy.

The interface was basically a CGI in which we asked for the MAC address to be authorized, the wiring-closet to use and the time interval (typically a lesson). We generate a log with the people using each point at each time. A graphic view of the system described above would be that in figure 1.

The achieved solution is essentialy correct in terms of security: the user is asked for authentication, we keep a log file with the accesses to the system and the machine can get access to the network perfectly. There is no problem for the authorization of multiple systems in a single point, because up to 36 points can be authorized in our hubs ( this is valid for most network vendors). The basic problem was the timing policy and the need for the users to get authorized every time they wanted to use the system.

Figure 1: First approach for the teaching classrooms solution

In order to avoid the inconveniences while keeping the functionalities, our next approach was to use a trap-policy. We activated the trap functionalities in our SNMP hubs. Whenever a machine tries to connect to one of these points the hub generates a trap. In this trap, the MAC address of the connecting machine is present. A script runs in the background in a trap manager station. When a trap arrives to the trap manager station, it tests whether the MAC address is authorized or not. If it is, immediate authomatic access is allowed. The first authorization of the MAC address must be done as outlined in figure 1. Once done, this MAC gets into the 'MAC authorized' database. We reduce to one the number of accesses to the LDAP directory. Additional requests are managed directly by the trap manager.

Figure 2 shows the global view of the system. For simplicity, the first access to the LDAP directory is not included. This first access works as explained in figure 1.

Fig.2 Final implementation for the teaching classrooms security system solution

Before offering this system, we wondered whether it would mean a high load on the network. A traffic analysis showed that there was no great impact on traffic because of this use of traps.

Solution for the libraries free-access points

Once we have studied the former problem, it can be seen that such a solution would be optimal for the libraries. No additional PC is required for control, but a new problem arises. We have not a LDAP database for our students. We have evaluated using the intelligent identification cards our students have, but that would imply an important development cost.

Because of this, our idea has been to include this functionality as a part of the services offered to the student regarding access to the university network. The implementation consists on a model based on the previous solution but changing the LDAP authentication for a RADIUS one. Thus, we could use the same database for authenticating users that we have for remote access to our facilities.

There is still one problem left. In the analysis of the teaching classrooms, teachers’ laptops were used. That means that they have a static IP address assigned. This is not possible in this case, because a static IP-Ethernet binding would mean the risk of running out of IP addresses.

The solution has been the definition of a pool of IP address that will be used for the access from these points. This pool will be a DHCP pool, where only authorized Ethernet address will obtain IP addresses. This feature is available in most implementations of the DHCP servers. When the user of the service (typically pupils) asks for it for the first time, he should give the MAC address he is to use for his connection to the network. Moreover, this approach gives us additional security control, because we know that an IP address of this pool is connected to a network free access point, making it easily locatable.

State of implementation

Up to now, we have described the ideas of our low-level security project. We have also implemented them. More exactly:

The most important achievements are: Requirements for the implementation of such a system

In our opinion, the system described is not only powerful in terms of security, but also of low-constraints. The basic requirements are:

Concluding remarks

To sum up we can state that the system described gives two important functionalities concerning security. First of all, it makes sniffing impossible. Second, selective activation of network ports is fully operational.

The implantation of the system adds new services to the network. This is a significant point regarding security, because normally, adding security means reducing functionalities. This project is a breakpoint in the classic relation more security-less access capacity.

The system explodes the capacities of the network. Many of us have today powerful networks with extreme powerful management capacities. Nevertheless, not everyone makes use of powerful tools such as SNMP utilities. It must be remarked that the extra functionalities have been added without a complex model and without the additional overhead of other models. The cost is also kept small. 

As a final remark, our mechanisms can integrate perfectly with other higher-level security applications. In fact, they complement themselves perfectly and a good security policy must consider both. We don’t think of reducing classic mechanisms, but instead we try to add new security functions to the network where the classic approach fails.


[1]: D.J.Hughes,Wu Z.D. , Minerva- An Event Based Model for Extensible Network Management. Proceedings INET 93
[2]: Michael L.Kornegay. Toward Useful ans Standarized SNMP Management Applications. The Simple Times.
[3]: David T.Perkins. Understanding SNMP MIBs.
[4]: Carlos Picoto,Pedro Veiga. Management of a WWW Server using SNMP. Proceedings JENC6
[5]: J.Case,M.Fedor,M.Schoffstall,J.Davin. RFC 1157: A Simple Network Management Protocol (SNMP)
[6] : P. Roca. Control de acceso a las aulas informatizadas de la UAB. RedIRIS network magazine nº 41-42.
[7]: Marshall T.Rose. Management Information Base for Network Management of TCP/IP-based Internets:MIB-II. RFC 1213
[8]: W.Stallings. SNMP,SNMPv2 and CMIP: The Practical Guide to Network Management Standards.
[9]: M.Wahl,T.Howes,S.Kille. RFC 2251: Lightwight Directory Access Protocol (version 3).