Blocking unauthorized RJ45 access
Happy Hump Day,
As you may (or may not) remember, I recently started a new job this Monday (thanks again for all of the tips and advice BTW).
Anyways, I have been tasked by my manager to help come up with a solution to block unauthorized RJ45 access to our network in a new building which should be completed by this summer. This building will house staff and assisted living people (I work in healthcare). We don't want anyone (especially the bene's) to access our network.
He has asked me to come up with a solution to prevent this from happening. The only 2 things I can come up with are an IDS and a switch which can "sense" this type of access, except by then I would think it would be too late.
I know where I used to work they had "port locking enabled" where if we did station moves or someone plugged in a laptop it would "lock" the port down until IT came down and "unlocked" it. How is this done and what device would do it? That sounds EXACTLY like what I am looking for but Google turns up squat.
Thanks all in advance
Mark Twain
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.”
Comments
-
shednik Member Posts: 2,005
Breadfan wrote:
Happy Hump Day,
As you may (or may not) remember, I recently started a new job this Monday (thanks again for all of the tips and advice BTW).
Anyways, I have been tasked by my manager to help come up with a solution to block unauthorized RJ45 access to our network in a new building which should be completed by this summer. This building will house staff and assisted living people (I work in healthcare). We don't want anyone (especially the bene's) to access our network.
He has asked me to come up with a solution to prevent this from happening. The only 2 things I can come up with are an IDS and a switch which can "sense" this type of access, except by then I would think it would be too late.
I know where I used to work they had "port locking enabled" where if we did station moves or someone plugged in a laptop it would "lock" the port down until IT came down and "unlocked" it. How is this done and what device would do it? That sounds EXACTLY like what I am looking for but Google turns up squat.
Thanks all in advance
What type of switches is your company using?? If Cisco, I know for a fact you are able to set up port security...
Switch# config t
Switch(config)# int fa0/1
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
and I've never done this but if you have a syslog server you would be able to log all events...hope this helps. I'm not sure on other vendors but I'd venture to guess this can be set up as well.
-
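An added configuration example (not code posted by shednik or anyone in the thread) showing how the port-security feature from the reply above produces the "locked until IT unlocks it" behaviour Breadfan describes, plus shutting down jacks that should never be live. The interface numbers, VLAN 10 (staff), VLAN 999 (parking VLAN) and the syslog address 192.0.2.10 are placeholders; keywords follow Catalyst IOS 12.2 and vary slightly by platform and release.

```cisco
! Added example, not from the thread. Placeholder values: VLAN 10, VLAN 999, 192.0.2.10.
! Send port-security events to the syslog server shednik mentions.
logging host 192.0.2.10
logging trap informational
!
! Staff jack: learn the first MAC seen and keep it across reboots (sticky).
! A different or additional MAC trips a violation; "shutdown" puts the port in
! err-disabled state, which is the "locked until IT unlocks it" behaviour.
interface FastEthernet0/1
 description Staff workstation jack
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Jacks in resident areas that should never carry traffic: administratively
! down and parked in an unused VLAN, so a patch cable alone gets nothing.
interface range FastEthernet0/13 - 24
 description Resident area - not in service
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Optional: have the switch re-enable a violated port after 10 minutes instead
! of waiting for a manual shutdown / no shutdown. Omit it if the port should
! stay locked until IT visits.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Verification (exec mode):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
! Manual unlock of a locked port:
!   configure terminal
!   interface FastEthernet0/1
!    shutdown
!    no shutdown
```

With `violation shutdown` the switch logs a %PORT_SECURITY-2-PSECURE_VIOLATION message to the syslog host, so the event is recorded at the moment the port locks rather than discovered later.
-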
Kasor Member Posts: 934
Just disconnect the cable from the switch and lock up the room. There is no way your user can get any connection without breaking down the door.
Kill All Suffer T "o" ReBorn
-
dtlokee Member Posts: 2,378
Another solution that is more secure than port-security would be 802.1x authentication. It requires more configuration but it will ensure no one can connect a computer that you have not allowed. It all depends on what you're looking to do.
The only easy day was yesterday!
-
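An added configuration example (not dtlokee's code or anything from the thread) of the 802.1x approach suggested above on a Cisco IOS access switch: the port passes only EAPOL until the RADIUS server accepts the client's credentials. The RADIUS address 192.0.2.20, the shared secret and VLAN 10 are placeholders; the `dot1x port-control` syntax is the older IOS form, and newer releases use `authentication port-control auto` with `dot1x pae authenticator`.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.20, <radius-secret>, VLAN 10.
aaa new-model
! Authenticate 802.1x supplicants against RADIUS. There is no local fallback
! for dot1x, so an unreachable server means no access, not silent admission.
aaa authentication dot1x default group radius
! Lets RADIUS return per-user attributes such as a VLAN assignment.
aaa authorization network default group radius
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key <radius-secret>
!
! Enable 802.1x globally; without this the per-port commands do nothing.
dot1x system-auth-control
!
! Staff jack: unauthorized state until a client authenticates.
! Devices with no supplicant (a visitor's laptop, an old printer) simply never
! get authorized; handle known supplicant-less devices separately rather than
! by relaxing this port.
interface FastEthernet0/2
 description Staff workstation jack (802.1x)
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 spanning-tree portfast
!
! Verification (exec mode):
!   show dot1x all
!   show dot1x interface FastEthernet0/2 details
```

The clients then need a supplicant configured (Windows wired AutoConfig, for example) and an account or certificate the RADIUS server trusts, which is the extra configuration dtlokee refers to.
-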
brad- Member Posts: 1,218
There's MAC filtering as well. I don't know how big your organization is but if it's less than about 100 PCs it may be worth your time.
-
snadam Member Posts: 2,234
**** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine
:study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security -
Pash Member Posts: 1,600
dtlokee wrote:
Another solution that is more secure than port-security would be 802.1x authentication. It requires more configuration but it will ensure no one can connect a computer that you have not allowed. It all depends on what you're looking to do.
Yup, NAC is your best bet. In fact I know a product that doesn't require huge changes to your infrastructure. I've sent you a PM.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
-
Breadfan Member Posts: 282
LOL LOL
I saw that and almost spewed coffee on my new laptop.
and thanks all for the help guys
-
Ahriakin Member Posts: 1,799
MAC Filtering and deliberately disabling ports via the switch management software is the cheapest, NAC is the most versatile and elegant but does require extra time and investment.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
Pash Member Posts: 1,600
Ahriakin wrote:
MAC Filtering and deliberately disabling ports via the switch management software is the cheapest, NAC is the most versatile and elegant but does require extra time and investment.
Yeh, that's all well and good, but you add up the cost of dropping what you're doing to mess about on the switches every time you need to free up a port....and NAC won't seem that expensive
LOL at the glue thing.
-
Aquabat [banned] Inactive Imported Users Posts: 299
dynamik wrote:
i dont get it
i herd u leik mudkips lol
-
seuss_ssues Member Posts: 629
We just disconnect the cable between the patch panel and the switch if a line isn't in use or shouldn't be in use.