How Do You Handle Ethernet Port Management?
MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."
My dad's solution (Score:2, Funny)
Re:My dad's solution (Score:5, Insightful)
Huh? (Score:3, Funny)
Re:My dad's solution (Score:1)
If your dad won't forward you any ports for torrent traffic, walk up to him and say this:
"Hey dad, can I get some ports forwarded to me for BitTorrent please? It looks like a pretty good program, but of course you already know that, I took a peek at the network traffic and found that you were pretty fond of it."
pause
Maybe I should ask mom and see what she thinks?
What about 802.1x security ? (Score:3, Interesting)
802.1x should be combined with some decent endpoint security solution
(see recent Gartner reports on this)
HTH
Marcin
Re:What about 802.1x security ? (Score:5, Informative)
Are you all/mostly Windows (2000+)?
Look closely at Windows Domain and Server Isolation. It is an IPsec based infrastructure security solution, all managed with existing infrastructure. The IPsec policy agent is on the OS, and policy is easily managed centrally by Active Directory and Group Policy. It really is great - and can interop with other IPsec stacks like Linux and Solaris. The default auth mechanism is Kerberos - but X.509 can be used in parallel for interop. Kerb is dead easy.
If this is even only an 80% solution, it should be explored. There are no hardware costs in most cases, it can be phased in without field visits, and you probably already own it.
http://www.microsoft.com/technet/security/topics/
I wish that one of the big Linux vendors would do something like this with IPsec and OpenLDAP. We have spent years matching the desktop, when developing advanced infrastructure management is where the winning game has moved.
Re:What about 802.1x security ? (Score:3, Interesting)
In general, I advise customers to lock down every port in their network with 802.1x and to provision guest VLANs that are GRE-tunneled to a switch in the DMZ. This segregates all the guest traffic from corp traffic at L2 so the only way for a guest to access local corp server
Re:What about 802.1x security ? (Score:2)
IPsec can do similar at layer 3 - if you don't need layer 2 isolation for non-IPsec devices on the same segments.
Re:What about 802.1x security ? (Score:1)
Re:What about 802.1x security ? (Score:2)
You don't enable 1X on access ports for servers. Your servers should be segregated not only on to a separate VLAN but, in any
Re:What about 802.1x security ? (Score:2)
Re:What about 802.1x security ? (Score:2)
It is encapsulated, with a NULL enc type. You wrapped your packet in another header - like any enc. This one has Kerb auth associated with it - and uses RSA/SHA-1 to validate the authentication. There are many more dynamic rules available to you by policy than 802.1x - which is a simple gatekeeper.
There are issues with some access layer filtering and prioritization - but not unworkable, depending on your vendor.
QoS will never save your butt from data theft or worm traffic.
You gets some
Re:Your sig (Score:2)
Plame is serious in that regard, but also a footnote on the real crime.
Re:What about 802.1x security ? (Score:2)
I thought that there were at least some people on slashdot that were actu
Re:What about 802.1x security ? (Score:2)
802.1x over Ethernet isn't necessarily secure, to my knowledge.
Take a computer plugged into an 802.1x port. Unplug computer, plug in hub, plug computer into hub, plug laptop into hub, masquerade MAC address.
802.1x over Ethernet can't detect hubs.
Re:What about 802.1x security ? (Score:2)
Re:What about 802.1x security ? (Score:1)
As I mentioned in a previous post, the idea of having to do OS reconfigurations on all the workstations and servers is out of the question in an organization this large. Also legacy equipment like printers, networked photocopi
Guest-Intruder VLAN (Score:5, Informative)
Re:Guest-Intruder VLAN (Score:5, Funny)
You guys always try to do things the hard way. For true ethernet port management just use this [alt-f4.ch].
Re:Guest-Intruder VLAN (Score:1)
Re:Guest-Intruder VLAN (Score:3, Funny)
Re:Guest-Intruder VLAN (Score:2)
Re:Guest-Intruder VLAN (Score:2, Interesting)
I say "almost", since I do have each switch trunk a separate VLAN to each port (to keep them isolated), and I have the switches filter everything except PPPoE. The switches are managed through a physically separate control plane network, where extensive security is in place. Various systems monitor the control plane network in detail, all traffic on that network is reco
Re:Guest-Intruder VLAN (Score:2)
Re:Guest-Intruder VLAN (Score:3, Funny)
No, actually that's just his dad's home network.
Re:Guest-Intruder VLAN (Score:2)
The day will come when devices identify by certificate rather than by MAC, and that will make this architecture firmly secure.
Serious business (Score:4, Funny)
mac security (Score:4, Insightful)
Re:mac security (Score:2)
I wonder how easy it is to find a MAC that is valid for a network? It sounds like you'd already have to have access to the network or a computer that is authorized for the network to get the MAC.
Re:mac security (Score:2)
Re:mac security (Score:2)
Secondly, it's trivial to find a MAC that is valid for a network if you can plug into an *unsecured* port. For example, if you plug in to an ordinar
Incredibly Easy To Discover MAC Addresses (Score:3, Informative)
2) Socially engineer a wireless mac address. Go to
Re:Incredibly Easy To Discover MAC Addresses (Score:2)
Re:mac security (Score:2)
Go to a "friend" / roommate / coworker / public computer and
ipconfig
It sounds like you'd already have to have access to the network or a computer that is authorized for the network to get the MAC.
Obviously anyone who has physical access probably already has legitimate access and just wants to cover their tracks, but many people leave their computers unlocked and/or many networks (especially educational) have public terminals.
Physical security (Score:2)
If you have really good physical security (an intruder can't get to the Ethernet ports) then it sort of obviates this entire discussion -- why bother doing all the obnoxious port security if you can guarantee not letting anyone un-approved get access to an Ethernet port? You wouldn't. Except that you almost certainly can't guarantee that, hence why people are int
Re:mac security (Score:3, Interesting)
Let's go a little further than that:
MAC addresses are not a secure authentication method. It's like asking someone's last name.
Let's say I'm joe blackhat with a laptop:
Re:mac security (Score:2, Insightful)
The question isn't how easy it is to change your MAC address, but rather how easy is it to find out what to change the MAC address to. (I'm not sure it's that much harder, though, assuming a device that's normally plugged in is present so you can snoop on it.)
> I would hope no serious security system relied entirely on that one factor
No serious security system relies on *ANY* one factor.
Tying a MAC address to an ethernet port doesn't solve all security-rela
Re:mac security (Score:4, Insightful)
A huge number of corporate network problems can be solved just by keeping the honest people honest with things like MAC address approval.
Re:mac security (Score:2)
When it does not hand out a lease to everyone, a newly plugged-in laptop will not get an IP address, will use a 169.254 address, and you block that at your routers and servers.
Re:mac security (Score:1)
RADIUS (Score:4, Interesting)
Since RADIUS was originally designed for ISPs managing users, it is good at dealing with hostile clients and other riffraff, as long as you are on a switched network.
Too easy... (Score:4, Funny)
Re:Too easy... (Score:2)
Obligatory (Score:1, Funny)
"In which case, I'd use a COMdom"
Feel the karma burn. Ahh but how, -1 Redundant, Offtopic or simply Overrated? Hit me with it.
TLF
Too many ports? (Score:1)
Uh, go wireless? There are a number of wireless options.
(The company I work for has a neat solution, but I am not allowed to talk about it(!!))
Re:Too many ports? (Score:1)
Re:Too many ports? (Score:1)
Re:Too many ports? (Score:2)
Re:Too many ports? (Score:2)
Re:Too many ports? (Score:2)
Good, you wouldn't want to embarrass them. You know, servers can't exactly ride wireless. Where I work, we have more servers than desktops. In fact, we have more servers than employees (tens of thousands). So even if all desktops could use wireless (they can't), you still have 35,000 or so servers to deal with. Managing 35,000 switchports is not much better than 75,000. You still need processes and management software.
Re:Too many ports? (Score:2)
Re:Too many ports? (Score:2)
Re:Too many ports? (Score:2)
Thing is, I've never seen a problem where we've needed doubled-up network cards...
Re:Too many ports? (Score:2)
Re:Too many ports? (Score:1)
(The company I work for has a neat solution, but I am not allowed to talk about it(!!))
So post as AC!
Re:Too many ports? (Score:1)
All these doors and windows are potential entry points into our fortress! How can we manage protecting against unwanted invasions at all those points?
I know, we'll get rid of the walls, and then there won't *be* any doors or windows!
Pro solution (Score:2)
Any employee you might hire to custom make a solution could
die in a traffic accident, or get a new job, or die for some other reason.
You'd be stuck with a one-man-band application, whose coding nuances other people
would have to "fully" comprehend.
The security, stability, and maturity of a professional long term product
is going to help a lot if you are planning for further growth as well.
I'd find out the one that has the highest rating out there
Why? (Score:4, Funny)
Re:Why? (Score:1, Insightful)
Re:Why? (Score:3, Insightful)
Re:Why? (Score:2)
Large networks tend to be much softer once you are inside the firewall. The biggest selling point tends to be preventing a worm or virus from spreading while you get around to patching everyone's PC. But you could also consider that departements tend to install servers for the group, and the security group doesn't make sure it's hardened if it's not in the DMZ and doesn't contain really important data. But even with all that, there's the liability of people doing things from your net
Netdisco (Score:5, Interesting)
When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?
As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.
Netdisco (Score:1, Informative)
http://www.netdisco.org/ [netdisco.org]
Gotta use tools (Score:2, Informative)
It'll help you figure things out a lot easier. It also does a lot of other nifty things that could become useful when you need to expand the network.
Poorly (Score:4, Interesting)
It's not a magic bullet security wise, but it really makes management easy. You want all your engineers in a given VLAN, just assign their MACs to it. Then if one goes to a new office and nobody tells you, doesn't matter the hardware takes care of it for you.
Turn them All on (Score:1, Insightful)
Re:Turn them All on (Score:2)
I would make one proviso. The "Production" Network should be physically isolated. Maybe VLAN would work but I still reckon that production networks belong on different wire and different routers etc. Rogue applications, even when not malicious, should not be able to flood the production network under any circumstance.
Re:Turn them All on (Score:4, Insightful)
Your suggestion has merit--turn on the damned ports, let people plug in, and get work done. Lower admin overhead, faster response for the end user, and everyone can get on with their work.
However, you seem to have an attitude problem, and I suspect it takes three days to get you on the network because nobody really gives a shit if they get around to doing your bidding. Doing work for people who believe they know your job better than you do is about as much fun as slicing open veins, and rather less satisfying. MAC address-based port connections may not be the perfect security solution, but they are one powerful layer in a multi-tiered environment, and they're absolutely not a toy. Consider: People bring personal laptops to work, plug in to the LAN, and a virus spreads because the primary virus scanners are at the perimeter firewall. The ENTIRE FUCKING COMPANY is now down for between six and 72 hours. Oh, but that's OK because you didn't have to submit your laptop for scanning, and could start working immediately. Clearly your work is more important than anyone else's in the whole company.
Here's another scenario: A company has a mixed user environment of PCs and Unix workstations. We can declare that every port is enabled, but what ports are enabled on which network? What if the networks are split by division?
Contrary to what your fantasy world might suggest, IT is NOT there to block your progress! They want to get things up and running as fast as possible, and with as little overhead for themselves as feasible. Opening all ports in a moderately large company is neither feasible nor intelligent.
I think that you pretty much defined yourself as a legitimate troll (note: Not your post, but YOU) with this comment:
"I am so tired of the IT group doing huge make work projects in the name of security/scalabilty/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done."
So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do.
You, sir (or madam), are an asshole. I predict for you a long and frustrating career of nobody doing what you want, just for the sake of pissing you off. Good riddance.
Re:Turn them All on (Score:1)
Re:Turn them All on (Score:2)
Basically what you're saying is, "well we got poor end-point security, so we need massive cen
Re:Turn them All on (Score:1)
Re:Turn them All on (Score:3, Interesting)
So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do. You, sir (or madam), are an asshole.
You make some valid points (although I think I disagree that port management is a reasonable solution if there are serious usability tradeoffs) but I think you've gone a bit too far with the above. In large organizations such as the user is describing, it is often the case that the stated mission of a particular department does not actually have anything
Re:Turn them All on (Score:2)
Re:Turn them All on (Score:2)
Give each computer its own preconfigured firewall.
As well as a copy of AVG.
Your viruses that spread through the company will mostly be gone.
Granted I deal with a small network 200, but the systems have never been all down at once. Ever.
Re:Turn them All on (Score:2)
Re:Turn them All on (Score:2)
How do you support vendors? (Score:3, Interesting)
Re:How do you support vendors? (Score:2)
Too much work... (Score:1)
Good maps and schematics... (Score:4, Informative)
As for what connects where, well, that needs to be part of your asset management system to be really effective. Some type of database which contains records for each class of object (like computers, servers, switches, routers, etc., which also has fields for location and network port connectivity. Obviously you would want a relational style database, with one to many relationships for network connectivity since you may have multiple network interfaces on different devices. Now the hard part, actually making this part of your processes. You need to have this updated, and really the best way is to make sure that people have to go through the process in order to get on the network. What this means is that you absolutely must use something like "port security". If regular people can move a system from one location to another and just disconnect one device and connect this one and it works, you will never be able to keep any tracking/management system up-to-date. It will be up-to-date for a whole 5 minutes after you do an inventory of that cube/office/location before someone somewhere decides that they are taking over the room down the hall because it is closer to the window, or is next to the exit...
I can't state that enough, you need to FORCE EVERYONE TO USE THE SYSTEM. If one person doesn't use it, then everything he/she does will be under the radar and not detected which makes having such a system pointless because it doesn't contain valid data, and you might as well have done "/dev/random > my_network_layout".
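The relational asset database the post describes (device records, a one-to-many set of interfaces per device, and the switch port each interface is patched into), as an added example in Python with an in-memory sqlite3 database. This is not the poster's system; the switch, port, room and workstation names are constructed, and the "one interface per port" rule is enforced with a UNIQUE constraint so that a move has to go through the patch() call rather than silently leaving stale rows behind.

```python
"""Asset/connectivity inventory of the shape the post describes.

Added example, not the poster's tool. sqlite3 in memory; every device,
port and MAC below is constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE device (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    kind TEXT NOT NULL CHECK (kind IN ('computer','server','printer','switch','router')),
    site TEXT NOT NULL,
    room TEXT NOT NULL
);
-- one device, many interfaces (servers with several NICs fit here)
CREATE TABLE interface (
    id        INTEGER PRIMARY KEY,
    device_id INTEGER NOT NULL REFERENCES device(id),
    name      TEXT NOT NULL,
    mac       TEXT NOT NULL UNIQUE,
    UNIQUE (device_id, name)
);
-- one switch, many ports; UNIQUE(interface_id) means an interface sits on at most one port
CREATE TABLE switch_port (
    id           INTEGER PRIMARY KEY,
    switch_id    INTEGER NOT NULL REFERENCES device(id),
    port         TEXT NOT NULL,
    vlan         INTEGER,
    interface_id INTEGER UNIQUE REFERENCES interface(id),
    UNIQUE (switch_id, port)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_device(conn, name, kind, site, room) -> int:
    cur = conn.execute("INSERT INTO device (name, kind, site, room) VALUES (?, ?, ?, ?)",
                       (name, kind, site, room))
    return cur.lastrowid


def add_interface(conn, device_id, name, mac) -> int:
    cur = conn.execute("INSERT INTO interface (device_id, name, mac) VALUES (?, ?, ?)",
                       (device_id, name, mac.lower()))
    return cur.lastrowid


def add_port(conn, switch_id, port, vlan) -> int:
    cur = conn.execute("INSERT INTO switch_port (switch_id, port, vlan) VALUES (?, ?, ?)",
                       (switch_id, port, vlan))
    return cur.lastrowid


def patch(conn, switch_name, port, mac) -> None:
    """Record that the interface with this MAC now sits on switch_name/port.

    The interface is detached from wherever it was first, so a move is one call,
    and an unregistered MAC is refused: the device must exist before it gets a port.
    Both updates run in one transaction; a bad port name rolls the detach back too."""
    row = conn.execute("SELECT id FROM interface WHERE mac = ?", (mac.lower(),)).fetchone()
    if row is None:
        raise LookupError(f"unknown MAC {mac}: register the device first")
    iface_id = row[0]
    with conn:
        conn.execute("UPDATE switch_port SET interface_id = NULL WHERE interface_id = ?",
                     (iface_id,))
        cur = conn.execute(
            "UPDATE switch_port SET interface_id = ? "
            "WHERE port = ? AND switch_id = (SELECT id FROM device WHERE name = ?)",
            (iface_id, port, switch_name))
        if cur.rowcount != 1:
            raise LookupError(f"no port {port} on {switch_name}")


def locate(conn, mac):
    """(switch, port, vlan, site, room) for a MAC, or None if it is not patched anywhere."""
    return conn.execute(
        "SELECT sw.name, sp.port, sp.vlan, sw.site, sw.room "
        "FROM interface i JOIN switch_port sp ON sp.interface_id = i.id "
        "JOIN device sw ON sw.id = sp.switch_id WHERE i.mac = ?", (mac.lower(),)).fetchone()


def whats_on(conn, switch_name, port):
    """(device, interface, mac) on a switch port, or None if the port is free."""
    return conn.execute(
        "SELECT d.name, i.name, i.mac FROM switch_port sp "
        "JOIN device sw ON sw.id = sp.switch_id "
        "JOIN interface i ON i.id = sp.interface_id JOIN device d ON d.id = i.device_id "
        "WHERE sw.name = ? AND sp.port = ?", (switch_name, port)).fetchone()


def demo_db() -> sqlite3.Connection:
    """Tiny constructed inventory: one switch with two ports and one workstation on Fa0/1."""
    conn = open_db()
    sw = add_device(conn, "sw-site17-1", "switch", "site17", "IDF-2")
    add_port(conn, sw, "Fa0/1", 10)
    add_port(conn, sw, "Fa0/2", 10)
    ws = add_device(conn, "ws-eng-01", "computer", "site17", "2-104")
    add_interface(conn, ws, "eth0", "00:12:34:56:78:9a")
    patch(conn, "sw-site17-1", "Fa0/1", "00:12:34:56:78:9a")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print("located:", locate(db, "00:12:34:56:78:9a"))
    patch(db, "sw-site17-1", "Fa0/2", "00:12:34:56:78:9a")   # the user moved down the hall
    print("Fa0/1 now:", whats_on(db, "sw-site17-1", "Fa0/1"))
    print("Fa0/2 now:", whats_on(db, "sw-site17-1", "Fa0/2"))
```

The point of the UNIQUE constraint on interface_id and the "register before patch" check is the one the post makes: the database only stays correct if the process forces every move through it, and the schema should make the inconsistent state (one NIC on two ports, a port holding a MAC nobody registered) impossible rather than merely discouraged.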
Re:Good maps and schematics... (Score:2)
Also, the file should end in
75k ports (Score:2, Funny)
Specialized VLAN Management (Score:1)
That way, your users are free to roam t
Re:Specialized VLAN Management (Score:1)
No clear cut solution (Score:2)
Re:No clear cut solution (Score:1)
Re:No clear cut solution (Score:2)
with that said tho... even with all the security of Wireless, I think a hardened wired network will always be more secure than a hardened wireless network (simple differences of the Physical Layer
ONA - Open Network Administrator (Score:2, Informative)
http://ona.uwaterloo.ca/ [uwaterloo.ca]
Universities (Score:1)
simple (Score:4, Funny)
Great securitywise but kinda limits future expanding.
Re:simple (Score:1)
This actually would solve the problem. All somebody needs to do is bring along a little four port hub and plug that into one of the existing valid ports and plug whatever they want into the small hub. Especially with 700+ locations, it is highly unlikely that all of the existing ports are going to be checked by security for unauthorized hubs.
You're probably going to say, epoxy in the existing cables as well. But then I would just cut the cable and crimp on new plugs.
Re:simple (Score:2)
Re:simple (Score:2)
Re:simple (Score:2)
Migration path: manual-scripted-RADIUS-802.1x (Score:4, Informative)
Our short term solution is to stand up a RADIUS server and use it for port-security. This isn't quite as good as 802.1x, but provides the same level of scalability without going as much in-depth. You basically have your switches (assuming they have this ability) check the RADIUS server for allowed MACs. This works the same as the MAC ACLs, but is centrally managed. We haven't gotten that far yet either, as we didn't have a RADIUS server. (more stupid regulations that make that a headache)
So, the current process is to manually change the MAC address on each port on each switch. We initially turn on port-security on the switches, and for the newer ones (Cisco 3550/3560/3750) once we determine that all the users are on that need to be on, we drop all other ports into a dead-end VLAN that has no access. The remaining ports we drop into our data vlan (we also have dedicated vlans for voice, wireless, video, and infrastructure management). Once we've established that, we secure the MACs to the ports. All port security violations are logged to a syslog server and the switches are set to restrict access. This prevents useless work of re-opening ports when some user decides to plug in their home machine to download the latest Linux ISOs or torrents. For further changes (i.e. when a new machine gets put on the network), a call is made to the helpdesk which routes the ticket to the networking team (that's me) and I unlock the port. We then have to notify the security team, which scans the machine for vulnerabilities and applies patches as needed. After that, it is managed by WSUS and SMS.
Now this sounds very tedious, but it isn't that difficult to manage. For the last 2 months, I managed all port security by myself, as well as down network links, some remote office firewalls, and new switch installs. Port security helpdesk tickets were typically closed within 2 hours of the request (assuming the helpdesk tells me about them). As a bonus, and because I'm lazy, I wrote some scripts for WSH that will connect to a switch, get a listing of all port-security information, compare it to DHCP leases on Windows servers, and output a table that shows which host is on which port. I also expanded this for use on WAN links where it will recursively access all switches at a site, stopping when it reaches a router and display the same information on a per-switch basis. A pretty handy report. Useful for telling you which hosts aren't using DHCP (so you can ensure they belong there). The only real requirements for this to work are that the switches use CDP on infrastructure links and they support ssh. You also have to have a CLI ssh client that supports putting the password on the command line (or certificate based auth if you can set that up, I don't think Cisco devices support it, although I think kerberos works
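The report the post describes (secured MAC per port, joined to DHCP leases so that hosts not using DHCP stand out), plus the port-security violation syslog messages the same post says it collects, as an added example in Python rather than the poster's WSH scripts. Nothing here is the poster's code. The "show port-security address" block is constructed to mimic the IOS table layout, the lease records are a simplified ip,mac,hostname CSV (a real DHCP server exports something richer, so parse_leases() would need adapting), and the syslog lines are constructed in the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message format; fetching the switch output over SSH is left out so the block runs offline.

```python
"""Correlate a Cisco port-security secure-MAC table with DHCP leases.

Added example (Python, not the WSH scripts the poster describes).
All input below is constructed: the port-security block mimics the IOS
table layout, the lease records are a simplified ip,mac,hostname CSV,
and the syslog lines follow the IOS PSECURE_VIOLATION message format.
"""
import re

PORT_SECURITY_OUTPUT = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0012.3456.789a    SecureConfigured              Fa0/1        -
  10    0012.3456.789b    SecureConfigured              Fa0/2        -
  10    00aa.bbcc.dd01    SecureSticky                  Fa0/3        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
"""

DHCP_LEASES = """\
10.1.10.21,00-12-34-56-78-9a,ws-eng-01
10.1.10.22,00-12-34-56-78-9b,ws-eng-02
"""

SYSLOG_LINES = [
    "Apr 12 10:15:02 sw-site17-1 45: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 00aa.bbcc.dd99 "
    "on port FastEthernet0/4.",
    "Apr 12 10:15:09 sw-site17-1 46: %LINK-3-UPDOWN: Interface "
    "FastEthernet0/4, changed state to down",
]

# a data row of the secure MAC table: vlan, dotted MAC, type, port
_PSEC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)")
# syslog host, then the violating MAC and port from the IOS message text
_VIOLATION = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+).*%PORT_SECURITY-2-PSECURE_VIOLATION:.*"
    r"caused by MAC address ([0-9a-fA-F.]+) on port ([A-Za-z]+[\d/]+)")


def normalize_mac(mac: str) -> str:
    """Reduce dotted, dashed or colon MAC spellings to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_port_security(text: str) -> list:
    """Rows of {vlan, mac, type, port} from 'show port-security address' output."""
    rows = []
    for line in text.splitlines():
        m = _PSEC_ROW.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": normalize_mac(m.group(2)),
                         "type": m.group(3), "port": m.group(4)})
    return rows


def parse_leases(text: str) -> dict:
    """Map normalized MAC -> (ip, hostname) from the simplified lease export."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac, host = (f.strip() for f in line.split(","))
            leases[normalize_mac(mac)] = (ip, host)
    return leases


def build_report(entries: list, leases: dict) -> list:
    """One row per secured MAC, joined to its DHCP lease when one exists."""
    return [{**e, "ip": leases.get(e["mac"], (None, None))[0],
             "host": leases.get(e["mac"], (None, None))[1]} for e in entries]


def hosts_without_dhcp(report: list) -> list:
    """(port, mac) of secured hosts with no lease: statics, or hosts to go and verify."""
    return [(r["port"], r["mac"]) for r in report if r["ip"] is None]


def parse_violations(lines: list) -> list:
    """(switch, port, mac) for each port-security violation message in the syslog feed."""
    found = []
    for line in lines:
        m = _VIOLATION.search(line)
        if m:
            found.append((m.group(1), m.group(3), normalize_mac(m.group(2))))
    return found


if __name__ == "__main__":
    rep = build_report(parse_port_security(PORT_SECURITY_OUTPUT), parse_leases(DHCP_LEASES))
    print(f"{'Port':<8}{'VLAN':<6}{'MAC':<14}{'IP':<12}Host")
    for r in rep:
        print(f"{r['port']:<8}{r['vlan']:<6}{r['mac']:<14}{r['ip'] or '-':<12}{r['host'] or '-'}")
    print("no DHCP lease:", hosts_without_dhcp(rep))
    print("violations:", parse_violations(SYSLOG_LINES))
```

To run it against real switches, replace PORT_SECURITY_OUTPUT with the captured CLI output per switch and DHCP_LEASES with your server's export; the MAC normalization is what makes the join work, since IOS prints dotted-quad-style MACs and most DHCP servers print dashed or colon-separated ones.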
that's just 100 ports per site (Score:1)
Go back to basics, think about one subnet at a time. If you can't trust that no rogue machine will be connected to that net, don't run insecure protocols over it.
NetDisco (Score:1)
If your network infrastructure supports SNMP pretty much all the way, this tool is pretty rad.
Re:Your Mom's Solution to Port Mgmt (Score:2)
AHAHAHA HAHA HAH
... is what I would be saying if I were 12-15 years old.
Re:Your Mom's Solution to Port Mgmt (Score:1)
802.1X attack (Score:2, Interesting)
Now, this is definitely a deliberate attack (not an innocuous vendor just plugging in their laptop to check their email) but it is possible.
(You insert a hub between a legit computer and a legit switch port. You connect your attacking computer to the same hub, configure your attacking computer to have the same MAC, wait for the legit computer to au