Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

How Do You Handle Ethernet Port Management? 133

MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."
This discussion has been archived. No new comments can be posted.

How Do You Handle Ethernet Port Management?

Comments Filter:
  • He just blocks everything except HTTP/HTTPS and FTP, so I'm stuck using Tor for anything else. >:(
    • by Harry Balls ( 799916 ) * on Thursday July 13, 2006 @08:53PM (#15715888)
      The OP is talking about physical Ethernet ports, not about TCP or UDP ports.
    • Huh? (Score:3, Funny)

      by StarKruzr ( 74642 )
      I don't get it. Your dad does this to your house?
    • You're obviously pretty young, so I think some advice is in order.

      If your dad won't forward you any ports for torrent traffic, walk up to your him and say this:

      "Hey dad, can I get some ports forwarded to me for bit-torrent please? It looks like a pretty good program, but of course you already know that, I took a peak at the network traffic and found that you were pretty fond of it."

      pause

      Maybe I should ask mom and see what she thinks?
  • by CineK ( 55517 ) on Thursday July 13, 2006 @08:55PM (#15715897) Journal
    This way you could tie particular users to their VLANs, not the machines to the ports, which can be quite annoying when a user wants to change his/her desk.

    802.1x should be combined with some decent endpoint security solution
    (see recent Gartner reports on this)

    HTH

    Marcin
    • by Philip K Dickhead ( 906971 ) * <folderol@fancypants.org> on Thursday July 13, 2006 @09:41PM (#15716093) Journal
      VLANs can be a headache too - especially with 802.1x, which requires replacing your existing access layer switches with 802.1x capable ones. You DO get the benefit of integrating your wireless access infrastructure with the copper stuff.

      Are yu all/mostly Windows (2000+)?

      Look closely at Windows Domain and Server Isolation. It is an IPsec based infrastructure security solution, all managed with existing infrastructure. The IPsec policy agent is on the OS, and policy is easily managed centrally by Active Directory and Group Policy. It really is great - and can interop with other IPsec stacks like Linux and Solaris. The default auth mechanism is Kerberos - but x.509 can be used in parallel for interop. Kerb is dead easy.

      If this is even only an 80% solution, it should be explored. There are no hardware costs in most cases, it can be phased in without field visits, and you probably already own it.

      http://www.microsoft.com/technet/security/topics/a rchitectureanddesign/ipsec/default.mspx [microsoft.com]

      I wish that one of the big Linux vendors would do something like this with IPsec and OpenLDAP. We have spent years matching the desktop, when developing advanced infrastructure management is where the winning game has moved.

      • Actually, you do not necessarily have to replace the access layer switches to enjoy dot1x. Placing a dot1x-capable switch upstream that supports mulitple logins on a single port can be an intermediate step and bring most the benefits.

        In general, I advise customers to lock down every port in their network with 802.1x and to provision guest VLANs that are GRE-tunneled to a switch in the DMZ. This segregates all the guest traffic from corp traffic at L2 so the only way for a guest to access local corp server
      • We have been looking at 802.1x for way in the future. The problem is that it's a very heterogeneous environment with literally 100s of switches (core, aggregate & edge) already deployed. How do you get all those old network printers to do 802.1x. Nevermind the fact that going around and re-configuring thousands of servers and desktops is really out of the question. We could recommend upgrades to the core switching fabric but anything that would require upgrades for the edge devices is out of the questi
        • You can deploy the required changes quite easily with AD and SMS. With any network that has 75k access ports you must already have some form of desktop management software in use, such as SMS. If you're running a Windows network then you've surely stepped up to AD by now. 1X can be controlled with group policies. I know that XP has 1X enabled by default. I don't know about 2k.

          You don't enable 1X on access ports for servers. Your servers should be segregated not only on to a separate VLAN but, in any

      • This happens to be a horrible solution. This completely defeats the purposes of Traffic Engineering. Now all traffic is encrypted between IPSec end-points. This eliminated PBR. This eliminates access-layer filtering at L3 and L4. MPLS? What's that? CoS and QoS is effectively defeated as well. If you implement a solution based on this technology then you might was well save yourself some big bucks and start buying dumb switches instead of the entreprise grade gear from one of the big name companies.
        • It is not encrypted.

          It is encapsulated, with a NULL enc type. You wrapped your packet in another header - like any enc. This one has Keb auth associated with it - and uses RSA/SHA-1 to validate the authentication. There are many more dynamic rules availble to you by policy than 802.1x - which is a simple gatekeeper.

          There are issues with some access layer filtering and prioritixation - but not unworkable, depending on your vendor.

          QoS will never save your butt from data theft or worm traffic.

          You gets some
    • I came into this discussion fully expecting to see a nice breakdown of the various merits of 802.1x yet I only see your ONE SINGLE POST that even acknowledges that 802.1x even exists?!?! Not only is it widely supported, it's pretty much the only standard for port based security before you start getting into high level protocol stuff like PPoE or other tunneling protocols. Tying MAC addresses to ports is as ridiculous as it is insecure.

      I thought that there were at least some people on slashdot that were actu
      • 802.1x over Ethernet isn't necessarily secure, to my knowledge.

        Take a computer plugged into an 802.1x port. Unplug computer, plug in hub, plug computer into hub, plug laptop into hub, masquerade MAC address.

        802.1x over Ethernet can't detect hubs.

        • Well any type of 'authenticate then forward' type port control is vulnerable to this sort of thing, and so is simply defining the allowed mac address on a port. A shadow host attack as you have described is certainly possible against 802.1x but the usefulness of such a configuration would be somewhat limited without cooperation from the targeted computer or the ability to disable the target computer after access is granted. It's not as if the shadowed host has full network connectivity; in fact it has far f
      • 802.1x is SLOWLY making it's way into large enterprise deployments. Generally this has started on the wireless side, because most wireless equipment is relatively new and the devices connecting to wireless APs are mostly intelligent devices with software stacks that can support 802.1x.

        As I mentioned in a previous post, the idea of having to do OS reconfigurations on all the workstations and servers is out of the question in an organization this large. Also legacy equipment like printers, networked photocopi
  • Guest-Intruder VLAN (Score:5, Informative)

    by chill ( 34294 ) on Thursday July 13, 2006 @08:56PM (#15715902) Journal
    I've always had good luck with not necessarily tying a MAC to a port, but rather a list of approved MACs. MAC not approved gets automatically shunted to an isolated VLAN. If they bring up a browser all they see is a "welcome guest, call IT" screen. Both Cisco and HP switches can do this.
    • by Anonymous Coward on Thursday July 13, 2006 @09:34PM (#15716057)
      I've always had good luck with not necessarily tying a MAC to a port, but rather a list of approved MACs.


      You guys always try to do things the hard way. For true ethernet port management just use this [alt-f4.ch].
    • by Anonymous Coward
      I skip trying to keep track of MACs (too easy to forge), in fact I skip Ethernet level security almost entirely (too much to keep track of).

      I say "almost", since I do have each switch trunk a separate VLAN to each port (to keep them isolated), and I have the switches filter everything except PPPoE. The switches are managed through a physically separate control plane network, where extensive security is in place. Various systems monitor the control plane network in detail, all traffic on that network is reco
    • Yep, that plus a bit of homegrown SNMP management for the switches and you've got the problem basically under control. Host connectivity is controllable remotely.

      The day will come when devices identify by certificate rather than by MAC, and that will make this architecture firmly secure.

  • by voice_of_all_reason ( 926702 ) on Thursday July 13, 2006 @08:57PM (#15715905)
    The internet: Homework Help for both teenagers and network administrations :)
  • mac security (Score:4, Insightful)

    by v1 ( 525388 ) on Thursday July 13, 2006 @09:02PM (#15715927) Homepage Journal
    Given how easy it is to change your mac address, (I can do this at will on my ethernet AND wireless) I would hope no serious security system relied entirely on that one factor. We have to assume the serious criminals have all the easy angles covered.
    • It can be very easy to change the MAC. The Intel gigabit NICs seem to offer that feature in the PROSET software in Windows, and the OS X driver for same NIC offers it too.

      I wonder how easy it is to find a MAC that is valid for a network? It sounds like you'd already have to have access to the network or a computer that is authorized for the network to get the MAC.
      • Don't forget the social engineering aspect.
      • First of all, basically *any* NIC can have its MAC address changed in software. At least every one that I've *ever* seen. Not having that ability would be a misfeature in my opinion, as it would cause you problems when you changed the NIC in your computer, for example, or with those stupid cable modems that only allow one specific MAC to be connected to them.

        Secondly, it's trivial to find a MAC that is valid for a network if you can plug into an *unsecured* port. For example, if you plug in to an ordinar
      • 1) Visually inspect one known-good piece of equipment. At my organization, for reasons which are beyond me, they're printed on every laptop (along with my username and static IP address). They're also frequently printed on the physical network card. So if a computer is in a physically non-secure location (guest-accessible computer, laptop stolen, laptop taken in for repairs by Geek Squad instead of IT, laptop taken home, etc etc) thats a vulnerability.

        2) Socially engineer a wireless mac address. Go to
        • This is why you don't rely on simple implicit authorization (MAC) for granting network access but instead force your users to VPN deeper into the network to gain access to anything over the wireless network. This brings back authentication and once again gives you authorization controls on a per user basis. Frankly it doesn't matter if your WEP keys (yes, I'm kidding, but then again I'm also serious) are compromised because the VPN tunnel protects all the sensitive traffic. It's a slick solution.
      • I wonder how easy it is to find a MAC that is valid for a network?

        Go to a "friend" / roommate / coworker / public computer and

        ipconfig /all

        It sounds like you'd already have to have access to the network or a computer that is authorized for the network to get the MAC.

        Obviously anyone who has physical access probably already has legitimate access and just wants to cover their tracks, but many people leave their computers unlocked and/or many networks (especially educational) have public terminals.
        • In this situation since we're talking about the security of physical internet ports, that an intruder can access them in person is sort of assumed.

          If you have really good physical security (an intruder can't get to the Ethernet ports) then it sort of obviates this entire discussion -- why bother doing all the obnoxious port security if you can guarantee not letting anyone un-approved get access to an Ethernet port? You wouldn't. Except that you almost certainly can't guarantee that, hence why people are int
    • Re:mac security (Score:3, Interesting)

      by theLOUDroom ( 556455 )
      Given how easy it is to change your mac address, (I can do this at will on my ethernet AND wireless) I would hope no serious security system relied entirely on that one factor. We have to assume the serious criminals have all the easy angles covered.

      Let's go a little further than that:
      MAC addresses are not a secure authentication method. It's like asking someone's last name.

      Let's say I'm joe blackhat with a laptop:
      1. I unplug a PC
      2. I plug that ethernet cable into my laptop.
      3. It grabs the mac address of
    • Re:mac security (Score:2, Insightful)

      by jonadab ( 583620 )
      Given how easy it is to change your mac address

      The question isn't how easy it is to change your MAC address, but rather how easy is it to find out what to change the MAC address to. (I'm not sure it's that much harder, though, assuming a device that's normally plugged in is present so you can snoop on it.)

      > I would hope no serious security system relied entirely on that one factor

      No serious security system relies on *ANY* one factor.

      Tying a MAC address to an ethernet port doesn't solve all security-rela
    • Re:mac security (Score:4, Insightful)

      by Alioth ( 221270 ) <no@spam> on Friday July 14, 2006 @09:36AM (#15718284) Journal
      A large proportion of break-ins (particularly malware type break-ins) are not due to malice: quite often they are because a contractor/employee brought in their personal malware infested laptop and saw fit to connect it to the corporate network. Nearly all the problems I've seen on company networks are not due to malice but due to people doing silly things like this.

      A huge number of corporate network problems can be solved just by keeping the honest people honest with things like MAC address approval.
      • You can also mostly solve that problem with some access control in your DHCP server.
        When it does not hand out a lease to everyone, a newly plugged-in laptop will not get an IP adress, will use a 169.254 address, and you block that at your routers and servers.
    • sure changing the MAC address is easy, but if you're using the "STICKY" MAC functions on your Cisco Switches, changing the MAC will result in loss of connectivity. Once your user plugs their workstation into the jack, they workstation's MAC is paired to that port. If down the road, you need to replace the workstation/and/or/NIC, you'll have to clear the "STICKY" MAC on that port and pair them.
  • RADIUS (Score:4, Interesting)

    by Lehk228 ( 705449 ) on Thursday July 13, 2006 @09:23PM (#15716004) Journal
    i would suggest using a RADIUS login to manage user access

    since RADIUS was originally designed for ISP's managing users it is good dealing with hostile clients and other riffraff as long as you are on a switched network
  • Too easy... (Score:4, Funny)

    by creimer ( 824291 ) on Thursday July 13, 2006 @09:35PM (#15716063) Homepage
    One port at a time! The best part is that you don't need to be an MCSE tech to figure that one out.
  • "I read it as Ethernet Porn Management"

    "In which case, I'd use a COMdom"

    Feel the karma burn. Ahh but how, -1 Redundant, Offtopic or simply Overrated? Hit me with it.

    TLF
  • I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites.

    Uh, go wireless? There are a number of wireless options.

    (The company I work for has a neat solution, but I am not allowed to talk about it(!!))
    • Not sure that's even an option. I don't think most commercial wireless AP's handle more than 15-20 people at once without a slowdown, and even if you stager to fill all 15 channels, the wireless traffic will just drive everything to a crawl. It also doesn't help if everyone is using WPA2, I don't know of many reviews on how well an AP can handle the encryption traffic.
      • Also, a 2.4ghz (b/g) or 5.8ghz (a) signal with any kind of strength can be an instant wifi killer. Wireless home phones, microwaves, or just another access point. my $0.02
    • And too bad that wireless network is a shared, half duplex network. Get much more then 20-40 systems that are in a closed area (like, I don't know, any standard cube farm) and your network just ground to a halt. Heck we hit limits of G networks in a laptop equiped presentation room with only 30 people in it. It seemed that a virus was going around at the time and the laptops needed to get a patch on boot up, which is not an uncommon event in a corporate environment. Well needless to say not a single laptop
      • Wrong. Wireless can be made to scale well if properly designed. I know that Cisco had a system installed at the MS main campus that supported hundreds of people in a conference room connected and watching fairly high bandwidth content.
    • (The company I work for has a neat solution, but I am not allowed to talk about it(!!))

      Good, you wouldn't want to embarrass them. You know, servers can't exactly ride wireless. Where I work, we have more servers than desktops. In fact, we have more servers than employees (tens of thousands). So even if all desktops could use wireless (they can't), you still have 35,000 or so servers to deal with. Managing 35,000 switchports is not much better than 75,000. You still need processes and management software.
    • (The company I work for has a neat solution, but I am not allowed to talk about it(!!))

      So post as AC!

    • > Uh, go wireless?

      All these doors and windows are potential entry points into our fortress! How can we manage protecting against unwanted invasions at all those points?

      I know, we'll get rid of the walls, and then there won't *be* any doors or windows!
  • I'd recommend a pro solution, as they are not going to go away.

    Any employee you might hire to custom make a solution could
    die in a traffic accident, or get a new job, or die for some other reason.

    You'd be stuck with a one man band application, that other ppl
    would have to "fully" comprehend his coding nuances.

    The security, stability, and maturity of a professional long term product
    is going to help a lot if you are planning for further growth as well.

    I'd find out the one that has the highest rating out there
  • Why? (Score:4, Funny)

    by Dolda2000 ( 759023 ) <fredrik.dolda2000@com> on Thursday July 13, 2006 @09:40PM (#15716088) Homepage
    I'm not exactly in charge of any large area networks, so I'm probably just ignorant, but why would you want to limit physical Ethernet access to begin with? All your actual services are properly authenticated, aren't they? Is it for DoS prevention or proactive security or something completely else?
    • Re:Why? (Score:1, Insightful)

      by Anonymous Coward
      I agree. I have to manage almost 10000 ports by myself. If I tried to turn on MAC filtering or even maintain a list of approved MAC addresses, then I would spend all of my time managing that list. What I would gain would be very little.

      • Re:Why? (Score:3, Insightful)

        by Intron ( 870560 )
        The one thing you might do is watch the traffic for MAC addresses that contain the manufacturer id for Linksys, NetGear, etc. to find unauthorized WAPs.
    • B: Proactive Security

      Large networks tend to be much softer once you are inside the firewall. The biggest selling point tends to be preventing a worm or virus from spreading while you get around to patching everyone's PC. But you could also consider that departements tend to install servers for the group, and the security group doesn't make sure it's hardened if it's not in the DMZ and doesn't contain really important data. But even with all that, there's the liability of people doing things from your net
  • Netdisco (Score:5, Interesting)

    by arnie_apesacrappin ( 200185 ) on Thursday July 13, 2006 @09:50PM (#15716133)
    As far as port management goes, you may want to look at Netdisco [netdisco.org]. If I recall correctly, UC Santa Cruz was using it to manage about 20K ports. It's open source, so you so should be able to customize it for your environment. I haven't run it personally, but the demo looks impressive.

    When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?

    As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.

  • Netdisco (Score:1, Informative)

    by Anonymous Coward
    Netdisco is an open source switch management solution. Shows you MAC, IP and NetBIOS information per port, draws graphs and allows you to change VLANs and enable/disable ports with logging.

    http://www.netdisco.org/ [netdisco.org]

  • Gotta use tools (Score:2, Informative)

    by StarWreck ( 695075 )
    With big jobs you have no choice but to use some highly specialized tools. It sounds like the Testum Network Management [outpost.com] Tool would be useful.

    It'll help you figure things out a lot easier. It also does a lot of other nifty things that could become useful when you need to expand the network.
  • Poorly (Score:4, Interesting)

    by Sycraft-fu ( 314770 ) on Thursday July 13, 2006 @10:05PM (#15716215)
    Well, that's the truth for our orignization. You don't want ot know how we do it. What you should look at for that scale, is probably dynamic VLANs. Cisco has good solutions, I'm sure you can find vendor neutral ones as well, but I'm the kind of guy who will push a Cisco solution in general. At any rate the basic idea is that when soemthing gets connected it's MAC is checked and then a VLAN is assigned to the port based on it. So no matter where a computer is connected, it's in the same area network and security wise. This also means that unauthorized computers can be put in a nothing VLAN with no access.

    It's not a magic bullet security wise, but it really makes management easy. You want all your engineers in a given VLAN, just assign their MACs to it. Then if one goes to a new office and nobody tells you, doesn't matter the hardware takes care of it for you.
  • Turn them All on (Score:1, Insightful)

    by Ada_Rules ( 260218 )
    This is going to read like a troll..especially given all the IT support people out there...but oh well. Turn on all the freaking ports and get back to the support desk so someone is there when I call. I am so tired of the IT group doing huge make work projects in the name of security/scalabilty/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done. I am sorry we are using the computers, storing files on the disks and want the Ethernet ports
    • Amen. IT Hinderance would be a better description than IT Support in most of the places I have dealt with.

      I would make one proviso. The "Production" Network should be physically isolated. Maybe VLAN would work but I still reckon that production networks belong on different wire and different routers etc. Rogue applications, even when not malicious, should not be able to flood the production network under any ciscumstance.
    • by swordgeek ( 112599 ) on Friday July 14, 2006 @12:20AM (#15716818) Journal
      My choices here were to mod you down, or to reply. I'm chosing the high road, I think.

      Your suggestion has merit--turn on the damned ports, let people plug in, and get work done. Lower admin overhead, faster response for the end user, and everyone can get on with their work.

      However, you seem to have an attitude problem, and I suspect it takes three days to get you on the network because nobody really gives a shit if they get around to doing your bidding. Doing work for people who believe they know your job better than you do is about as much fun as slicing open veins, and rather less satisfying. MAC address-based port connections may not be the perfect security solution, but they are one powerful layer in a multi-tiered environment, and they're absolutely not a toy. Consider: People bring personal laptops to work, plug in to the LAN, and a virus spreads because the primary virus scanners are at the perimeter firewall. The ENTIRE FUCKING COMPANY is now down for between six and 72 hours. Oh, but that's OK because you didn't have to submit your laptop for scanning, and could start working immediately. Clearly your work is more important than anyone else's in the whole company.

      Here's another scenario: A company has a mixed user environment of PCs and Unix workstations. We can declare that every port is enabled, but what ports are enabled on which network? What if the networks are split by division?

      Contrary to what your fantasy world might suggest, IT is NOT there to block your progress! They want to get things up and running as fast as possible, and with as little overhead for themselves as feasible. Opening all ports in a moderately large company is neither feasible nor intelligent.

      I think that you pretty much defined yourself as a legitimate troll (note: Not your post, but YOU) with this comment:

      "I am so tired of the IT group doing huge make work projects in the name of security/scalabilty/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done."

      So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do.

      You, sir (or madam), are an asshole. I predict for you a long and frustrating career of nobody doing what you want, just for the sake of pissing you off. Good riddance.
      • You, sir, are absolutely correct. I am saddened that I don't have mod points to counter the 'flamebait' someone modded you as.
      • Consider: People bring personal laptops to work, plug in to the LAN, and a virus spreads because the primary virus scanners are at the perimeter firewall. The ENTIRE FUCKING COMPANY is now down for between six and 72 hours. Oh, but that's OK because you didn't have to submit your laptop for scanning, and could start working immediately. Clearly your work is more important than anyone else's in the whole company.

        Basically what you're saying is, "well we got poor end-point security, so we need massive cen

        • Basically what you're saying is "protect the users machines because they are more important than the ones that control the services they rely on". The Internet hums along despite the issues? You've never heard of Melissa, Blaster or ILoveYou? And you're saying there is no intelligence in the infrastructure? So the global, load balanced, DNS system is a trivial part of the network and the Internet would be just fine if there was no security surrounding the root servers? The internet works because of the secu
      • So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do. You, sir (or madam), are an asshole.

        You make some valid points (although I think I disagree that port management is a reasonable solution if there are serious usability tradeoffs) but I think you've gone a bit too far with the above. In large organizations such as the user is describing, it is often the case that the stated mission of a particular department does not actually have anything

      • I work for a rather large company where different types of traffic on the net are VLAN isolated. We have all the ports enabled. We also have a very mobile work force. People come and go all the time from site to site. We even have stations that are public offices where people from different sites can come in and use. They are always hot. We have had virus episodes, and we probably will again. But we also have very strict rules on laptops. We have very strict rules regarding software on all machines.
      • Which is why virus protection should be on the machine.

        Give each computer it's own preconfigured firewall.
        As well as a copy of AVG.

        your viruses that spread through the company will mostly begone.

        Granted I deal with a small network 200, but the systems have never been all down at once. Ever.

      • Ignore them. That kind of answer shows up in every damn discussion about anything sysadmin related, and if you read between the lines what they usually mean is "I'm 14 years old and my school has taken measures to prevent me plugging my own laptop into the network! Boo!"
    • Clearly spoken by someone who has never had to work until 3am cleaning up a network that has been infected by some idiot saleman who thought bringing his personal laptop in from home was a good idea. Obviously anti-virus software goes a long ways..but in sudden outbreaks like Nimda, SQL slammer, and friends...day-zero exploits have to be stopped at the access level and that is only possible when reasonable access control is present along with solid use policies that folks actually adhere to. Sorry if you
  • by bhmit1 ( 2270 ) on Thursday July 13, 2006 @10:23PM (#15716288) Homepage
    Luckily I haven't run into any clients that have gone to port level security, but I'm curious how well I'd be supported by those that have already setup such a system. For those that have already done this, how well do you support consultants and vendors that show up with their own laptops preloaded with all their own tools who need access to important servers? Do we have to wait for a network login (likely a domain account) and install some kind of app? What about the ones who's PCs are configured for another companies network and cannot be changed (e.g. we don't have Admin on our own laptop) or if we show up running Linux? Myself, I have root, but it's on linux. So, being independent, I'm wondering if I should include a clause in my contract to cover environments that lock me out.
    • We support them very well. We have specific ports in all buildings that are "vendor" ports. They are isolated on their own subnets/vlans and have very limited access to services (i.e. proxied connection to the internet, no connection at all to internal intra-net). As for tools to connect to servers, etc., well, the simple truth is, you don't get connection from that system. Viruses, backdoors, spy-ware, etc., are all too much of a security risk to allow any system of unknown configuration to touch your netw
  • Layer 2 Security may make sense on certain segments, such as Internet edge or server switch blocks, but when it comes to user segments, don't even bother. Leave them all open and implement your security on a level that is more manageable than layer 2!
  • by Fallen Kell ( 165468 ) on Thursday July 13, 2006 @10:56PM (#15716431)
    Well, first thing you want to have are good site network layouts in a CAD program, preferably done in scale. Do not worry about every single wire (it is nice though at least for the pulls from the floor to the closet's patch panels) but get the major items, devices, and closet feeds.

    As for what connects where, well, that needs to be part of your asset management system to be really effective. Some type of database which contains records for each class of object (like computers, servers, switches, routers, etc., which also has fields for location and network port connectivity. Obviously you would want a relational style database, with one to many relationships for network connectivity since you may have multiple network interfaces on different devices. Now the hard part, actually making this part of your processes. You need to have this updated, and really the best way is to make sure that people have to go through the process in order to get on the network. What this means is that you absolutely must use something like "port security". If regular people can move a system from one location to another and just disconnect one device and connect this one and it works, you will never be able to keep any tracking/management system up-to-date. It will be up-to-date for a whole 5 minutes after you do an inventory of that cube/office/location before someone somewhere decides that they are taking over the room down the hall because it is closer to the window, or is next to the exit...

    I can't state that enough, you need to FORCE EVERYONE TO USE THE SYSTEM. If one person doesn't use it, then everything he/she does will be under the radar and not detected which makes having such a system pointless because it doesn't contain valid data, and you might as well have done "/dev/random > my_network_layout".
    • You forgot that /dev/random blocks rather quickly. /dev/urandom would much more rapidly yield a file large enough to potentially contain his 700+ site network.

      Also, the file should end in .vsd for easier opening by colleagues.
  • 75k ports (Score:2, Funny)

    by bockafer ( 920749 )
    They are all on VLAN 1 aren't they?
  • When I was training for my CCNA, they were telling us that most people use static port-based VLAN membership these days for corporate networks because it reduces overhead. I, on the other hand, was a big proponent of dynamic VLANs because of the extra security added. All that would be needed is to hire a couple people that, when a new NIC or laptop comes into the company and passes through your department, they add the MAC address to the database and assign it a VLAN.

    That way, your users are free to roam t
  • I work for a large organization (thousands of users of hundreds of sites) and manage about 2000 users worth myself. Without going into too much detail I dont think we found the magic bullet. CiscoWorks and Optivity (ESPECIALLY OPTIVITY) are frankly POS systems, at least in our situation. MAC Address is an option, but it's far from 100%, and requires pinpoint inventory of every device on / will be on / surplused (good look with the last one) equipment. Wireless is NOT an option, from both speed and secur
    • We use 802.11a wireless where I work, and it is actually more secure than our wired network. (see newer post about specifics of our solution) The Wi-Fi network is first secured on Layer 2 using a shared secret and then being authorized by a central access server. It is then secured on layer 3 using WPA2. Our traffic on the wired network isn't encrypted at all, so I see that as less secure, as an eays MAC spoofing grants you access. On the wireless, connections between wireless devices is explicity deni
      • I have no doubt that WiFi can be incredibly secure, and even in our case would work, but our security folks redefine paranoia to the point of stupid (for example, instead of going with VLAN, they forced us into seperate physical hardware units.... which at the router seperates the traffic on VLANs anyways grrr!)

        with that said tho... even with all the security of Wireless, I think a hardened wired network will always be more secure then a hardened wireless network (simple differences of the Physical Layer
  • You might want to check out ONA - Open Network Administrator from Bruce Campbell at U of Waterloo. And his paper from the LISA 2005 conference.
    http://ona.uwaterloo.ca/ [uwaterloo.ca]
  • Now i must confess that i dont manage huge networks, and im going out on a limb. At the two universities i've been to, both manage their ports and wireless together with either having a certificate on the computer (not sure which method that is) and also by doing temporary access with a user/pass combo tied to all the other services. Im not sure which technologies they're using but its entirely seamless and extremely easy since if you're supposed to be there you already have the id, and if you're always the
  • simple (Score:4, Funny)

    by Keruo ( 771880 ) * on Friday July 14, 2006 @04:05AM (#15717372)
    Use epoxy. Just mix the two compound and fill in un-used ports.
    Great securitywise but kinda limits future expanding.
    • I know that you're being funny, but ....

      This actually would solve the problem. All somebody needs to do bring along a little four port hub and plug that into one of the existing valid ports and plug in what ever they want into small hub. Especially with 700+ location, it is highly unlikely that all of the existing ports are going to be check by security for unauthorized hubs.

      You're probably going to say, epoxy in the existing cables as well. But then I would just cut the cable and crimp on new plugs.

      • OK, escalation, is it? Now I'm replacing all of my ethernet connections with armored cable epoxyed into the wall and the NIC.
        • I'm assuming that you are also pressurizing the air in between the conducters and the armor jacket so that you can tell when I cut a small hole in your armor, right?
  • by kalvyn ( 561263 ) on Friday July 14, 2006 @05:58AM (#15717573)
    I just recently stopped working for a government agency and I was responsible for managing port security on about 6000 ports. Our current end-game solution is to use 802.1x, however due to certain regulations, our agency couldn't operate a CA, so we couldn't feasibly request a new certificate for each host everytime one completes an accreditation process. But we were implementing everything else until we could get there.

    Our short term solution is to standup a RADIUS server and use it for port-security. This isn't quite as good as 802.1x, but provides the same level of scalability without going as much in-depth. You bascially have your switches (assuming they have this ability) check the radius server for allowed MACs. This works the same as the MAC ACLs, but is centrally managed. We haven't gotten that far yet either, as we didn't have a RADIUS server. (more stupid regulations that make that a headache)

    So, the current process is to manually change the MAC address on each port on each switch. We initially turn on port-security on the switches, and for the newer ones (Cisco 3550/3560/3750) once we determine that all the users are on that need to be on, we drop all other ports into a dead-end VLAN that has no access. The remaining ports we drop into our data vlan (we also have dedicated vlans for voice, wireless, video, and infrastructure management). Once we've established that, we secure the MACs to the ports. All port security violations are logged to a syslog server and the switches are set to restrict access. This prevents useless work of re-opening ports when some user decides to plug-in their home machine to download the latest Linux ISOs or torrents. For further changes (i.e. when a new machine gets put on the network), a call is made to the helpdesk which routes the ticket to the networking team (that's me) and I unlock the port. We then have to notify the security team, which scans the machine for vulnerabilities and applies patches as needed. After that, it is managed by WSUS and SMS.

    Now this sounds very tedious, but it isn't that difficult to manage. For the last 2 months, I managed all port security by myself, as well as down network links, some remote office firewalls, and new switch installs. Port security helpdesk tickets were typically closed within 2 hours of the request (assuming the helpdesk tells me about them). As a bonus, and because I'm lazy, I wrote some scripts for WSH that will connect to a switch, get a listing of all port-security information, compare it to DHCP leases on Windows servers, and output a table that shows which host is on which port. I also expanded this for use on WAN links where it will recursively access all switches at a site, stopping when it reaches a router and display the same information on a per-switch basis. A pretty handy report. Useful for telling you which hosts aren't using DHCP (so you can ensure they belong there). The only real requirements for this to work are that the switches use CDP on infrastructure links and they support ssh. You also have to have a CLI ssh client that supports putting the password on the command line (or certificate based auth if you can set that up, I don't think Cisco devices support it, although I think kerberos works :)

  • half of them probably not connected to any switch at a given time. Why do you need to complicate matters by "managing" ALL ports of ALL sites at once? What's there to manage anyway, you don't even have physical access to most of them!

    Go back to basics, think about one subnet at a time. If you can't trust that no rogue machine will be connected to that net, don't run insecure protocols over it.
  • (Link goes to NetDisco.org).

    If your network infrastructure supports SNMP pretty much all the way, this tool is pretty rad.

We can found no scientific discipline, nor a healthy profession on the technical mistakes of the Department of Defense and IBM. -- Edsger Dijkstra

Working...