
physical network security

rasczak

Lifer
I'm on a project that needs a physical solution to a user accidentally plugging in his or her laptop and accessing network resources. I'm very short on the network experience list (as you can tell from a lot of my posts in the sub forum).

What we have is a private network running Active Directory, so user and computer authentication is one security boundary. However, are there any solutions that would prevent a user from plugging into a wall jack and sniffing around? Aside from actually killing the port? I remember a product at one time made by Cisco that had port "sensors" where if the MAC address did not match, the port would shut off.
 
One bit of caution - Although Port Security may be necessary in some situations, it has the potential to be a PITA to manage.
 
UAC (user access control) is an option on many wireless routers, so only pre-approved MAC addresses can connect. Easily spoofed from what I hear, but it would keep the general user from accidentally connecting. I know Airport offers this, but I'm not sure what else.
 
Dude, you mentioned Active Directory. So an external computer which is not a member of the Active Directory can not possibly sniff anything as long as other computers don't have the "Share with everyone" enabled on their shared folders.
Furthermore, the communication between the Active Directory members among themselves and towards the domain controllers is encrypted, so sniffing is not a possibility there.
I can't think of any other way to physically secure the wall jack aside from plugging it out of the switch.
 
Dude, you mentioned Active Directory. So an external computer which is not a member of the Active Directory can not possibly sniff anything as long as other computers don't have the "Share with everyone" enabled on their shared folders.
Furthermore, the communication between the Active Directory members among themselves and towards the domain controllers is encrypted, so sniffing is not a possibility there.
I can't think of any other way to physically secure the wall jack aside from plugging it out of the switch.

There are other things which an unauthorized device can do which are potentially harmless to a network. Also, there's lots of traffic that can be intercepted even if the device is not part of the AD domain.

To the OP:

You could use NAC if the site is very large, to the point where Port Security is not manageable. If the site is smaller, then Port Security is the easiest way to get this done. You can also configure Port Security to learn the first MAC that's plugged into the port and only allow that device.

Also, there are a couple of companies that make locking keystone caps which you can use to physically secure an unused jack.
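As an added illustration of the "learn the first MAC and only allow that device" approach described above (this is example configuration, not something posted in the thread), here is a Cisco IOS access-port setup using sticky port security; the interface names, VLAN number and recovery interval are assumptions for the example.

```cisco
! Let ports that were shut by a security violation recover automatically
! after 5 minutes instead of needing a manual shut/no shut (assumed interval).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/5
 description Wall jack - user workstation (example port)
 switchport mode access
 switchport access vlan 10
 ! Learn the first MAC seen on the port and keep it in the running config
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! Drop frames from any other MAC and log/SNMP-trap the violation,
 ! without err-disabling the port (use "violation shutdown" to err-disable)
 switchport port-security violation restrict
 ! Block user-attached switches from influencing spanning tree
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 description Wall jack - unused (example port)
 switchport mode access
 shutdown
!
! Verification commands:
!   show port-security interface GigabitEthernet1/0/5
!   show port-security address
```

Sticky MACs survive a reload only after the running config is saved, and every workstation move means clearing the learned address (`clear port-security sticky interface ...`), which is the management overhead the thread warns about; since MACs are trivially forged, this stops accidental connections rather than a determined attacker.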
 
NAC - security to the edge. Your policy should enforce on the edge switches (to ports) and wifi; MAC addresses are stupid easy to forge. Need more than that.
 
One bit of caution - Although Port Security may be necessary in some situations, it has the potential to be a PITA to manage.

No potential, it's a giant PITA to manage unless you are just limiting the number of MACs to the port to keep people from plugging in their own network gear.
 
Dude, you mentioned Active Directory. So an external computer which is not a member of the Active Directory can not possibly sniff anything as long as other computers don't have the "Share with everyone" enabled on their shared folders.
Furthermore, the communication between the Active Directory members among themselves and towards the domain controllers is encrypted, so sniffing is not a possibility there.
I can't think of any other way to physically secure the wall jack aside from plugging it out of the switch.

There's a lot more than just AD and SMB traffic on a normal network, and a lot of it is going to be unencrypted. And if they can plug in and get an IP, they can gather usernames, brute-force passwords, DoS systems, etc.
 
Dude, you mentioned Active Directory. So an external computer which is not a member of the Active Directory can not possibly sniff anything as long as other computers don't have the "Share with everyone" enabled on their shared folders.
Furthermore, the communication between the Active Directory members among themselves and towards the domain controllers is encrypted, so sniffing is not a possibility there.
I can't think of any other way to physically secure the wall jack aside from plugging it out of the switch.

I can't even begin to start explaining how wrong this is.
 