Blocking unauthorized RJ45 access

Breadfan Member Posts: 282
Happy Hump Day,

As you may (or may not) remember, I recently started a new job this Monday (thanks again for all of the tips and advice, BTW).

Anyways, I have been tasked by my manager to help come up with a solution to block unauthorized RJ45 access to our network in a new building which should be completed by this summer. This building will house staff and assisted living people (I work in healthcare). We don't want anyone (especially the bene's) to access our network.

He has asked me to come up with a solution to prevent this from happening. The only 2 things I can come up with are an IDS and a switch which can "sense" this type of access, except by then I would think it would be too late.

I know where I used to work they had "port locking" enabled, where if we did station moves or someone plugged in a laptop it would "lock" the port down until IT came down and "unlocked" it. How is this done and what device would do it? That sounds EXACTLY like what I am looking for, but Google turns up squat.

Thanks all in advance
Mark Twain

“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.”

Comments

  • shednik Member Posts: 2,005
    Breadfan wrote:
    Happy Hump Day,

    As you may (or may not) remember, I recently started a new job this Monday (thanks again for all of the tips and advice, BTW).

    Anyways, I have been tasked by my manager to help come up with a solution to block unauthorized RJ45 access to our network in a new building which should be completed by this summer. This building will house staff and assisted living people (I work in healthcare). We don't want anyone (especially the bene's) to access our network.

    He has asked me to come up with a solution to prevent this from happening. The only 2 things I can come up with are an IDS and a switch which can "sense" this type of access, except by then I would think it would be too late.

    I know where I used to work they had "port locking" enabled, where if we did station moves or someone plugged in a laptop it would "lock" the port down until IT came down and "unlocked" it. How is this done and what device would do it? That sounds EXACTLY like what I am looking for, but Google turns up squat.

    Thanks all in advance

    What type of switches is your company using? If Cisco, I know for a fact you are able to set up port security...
    Switch# config t
    Switch(config)# int fa0/1
    Switch(config-if)# switchport port-security ?
      aging           Port-security aging commands
      mac-address     Secure mac address
      maximum         Max secure addresses
      violation       Security violation mode

    And I've never done this, but if you have a syslog server you would be able to log all events... Hope this helps. I'm not sure on other vendors, but I'd venture to guess this can be set up as well.
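    As an added worked example (not shednik's or Breadfan's own config), here is what the "lock the port until IT unlocks it" behaviour looks like on a Cisco IOS access switch: port-security with a maximum of one sticky-learned MAC address and `violation shutdown`, which puts the port into err-disabled state when a second device shows up. The interface name, VLAN number and syslog host address are placeholders I chose for the example.

```cisco
! Added example: Cisco IOS port-security so a violation locks the port
! (err-disabled) until an administrator clears it.
! Assumed names: FastEthernet0/1, staff VLAN 10, syslog host 192.0.2.10 (placeholder).
configure terminal
!
! Ship port-security events to a syslog server. PSECURE_VIOLATION messages are
! severity 2, so "notifications" (5) is more than enough to capture them.
logging host 192.0.2.10
logging trap notifications
!
interface FastEthernet0/1
 description Wall jack in a shared area
 switchport mode access
 switchport access vlan 10
 ! Enable port-security, allow exactly one device, learn its MAC and keep it
 ! in the running config (sticky). Save with "write memory" to persist it.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "shutdown" mode err-disables the port on a violation: this is the "lock".
 ! "restrict" would only drop the offending frames and log; "protect" drops silently.
 switchport port-security violation shutdown
!
! Optional: auto-recover the port after 10 minutes instead of waiting for IT.
! Leave these two lines out if you want the port to stay locked.
! errdisable recovery cause psecure-violation
! errdisable recovery interval 600
end
!
! Checking state and "unlocking" a port by hand after a violation:
! show port-security interface FastEthernet0/1
! show interfaces status err-disabled
! configure terminal
!  interface FastEthernet0/1
!   shutdown
!   no shutdown
```

    Two caveats for this thread's scenario: jacks in resident rooms where nothing is ever supposed to connect are best left administratively `shutdown` (or unpatched, as Kasor and seuss_ssues suggest) rather than relying on learning a MAC; and port-security only compares source MAC addresses, which is why dtlokee's 802.1x suggestion below is the stronger control where you can afford the RADIUS setup.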
  • Kasor Member Posts: 934
    Just disconnect the cable from the switch and lock up the room. There is no way your user can get any connection without breaking down the door.
    Kill All Suffer T "o" ReBorn
  • dtlokee Member Posts: 2,378
    Another solution that is more secure than port-security would be 802.1x authentication. It requires more configuration but it will ensure no one can connect a computer that you have not allowed. It all depends on what you're looking to do.
    The only easy day was yesterday!
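    To show what "requires more configuration" means in practice, here is an added example (not dtlokee's or the vendor's own config) of 802.1X port-based authentication on a Cisco IOS access switch against a RADIUS server. The server address, shared secret, interface name and VLAN numbers are placeholders I picked for illustration; the RADIUS server itself (NPS, FreeRADIUS, etc.) and the wired supplicant on the PCs are the extra pieces you need to deploy.

```cisco
! Added example: Cisco IOS 802.1X so a port only forwards traffic after the
! connected device authenticates against RADIUS.
! Assumed: RADIUS server 192.0.2.20 (placeholder), shared secret placeholder,
! FastEthernet0/2, staff VLAN 10, isolated guest VLAN 99.
configure terminal
aaa new-model
aaa authentication dot1x default group radius
! Lets RADIUS push per-user attributes such as a VLAN assignment
aaa authorization network default group radius
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
! Turn 802.1X on globally; without this the per-interface commands do nothing
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ! Switch acts as authenticator; port starts unauthorized and opens only
 ! after a successful EAP exchange with the RADIUS server
 dot1x pae authenticator
 dot1x port-control auto
 ! Devices that cannot speak 802.1X (printers, phones) fall back to
 ! MAC Authentication Bypass, checked against the same RADIUS server
 mab
 ! Anything that fails or never answers lands in the isolated guest VLAN
 ! instead of the staff VLAN
 dot1x guest-vlan 99
end
!
! Verifying who is authenticated on a port:
! show dot1x interface FastEthernet0/2 details
! show authentication sessions
```

    Newer IOS releases express the per-port commands as `authentication port-control auto` and `authentication event no-response action authorize vlan 99`; the older `dot1x` forms above are accepted on the 12.2 SE switches common when this thread was written. Make sure the guest VLAN has no route into the healthcare network, since that is where every unknown device ends up.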
  • dynamik Banned Posts: 12,312
    What's your budget? You could always go with these and this if you're tight on cash.
  • phreak Member Posts: 170
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.


    LOL
  • shednik Member Posts: 2,005
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.

    So dynamik is the forum comedian now :D
  • brad- Member Posts: 1,218
    There's MAC filtering as well. I don't know how big your organization is, but if it's less than about 100 PCs it may be worth your time.
  • Darthn3ss Member Posts: 1,096
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.
    lmao
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • snadam Member Posts: 2,234
    shednik wrote:
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.

    So dynamik is the forum comedian now :D


    What, you didn't get the memo?

    and that was hilarious BTW!!!
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • Pash Member Posts: 1,600
    dtlokee wrote:
    Another solution that is more secure than port-security would be 802.1x authentication. It requires more configuration but it will ensure no one can connect a computer that you have not allowed. It all depends on what you're looking to do.

    Yup, NAC is your best bet. In fact, I know a product that doesn't require huge changes to your infrastructure. I've sent you a PM.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Breadfan Member Posts: 282

    LOL LOL

    I saw that and almost spewed coffee on my new laptop.

    And thanks all for the help, guys.
    Mark Twain

    “If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.”

  • Ahriakin Member Posts: 1,799
    MAC filtering and deliberately disabling ports via the switch management software is the cheapest; NAC is the most versatile and elegant, but does require extra time and investment.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Darthn3ss Member Posts: 1,096
    Breadfan wrote:

    LOL LOL

    I saw that and almost spewed coffee on my new laptop.

    And thanks all for the help, guys.
    Definitely suggest that one to your manager. :D
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • phantasm Member Posts: 995
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.

    ROFL. That was the best laugh I've had in a while!
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • cacharo Member Posts: 361
    phantasm wrote:
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.

    ROFL. That was the best laugh I've had in a while!

    What I find funny is that dynamik is going to be suggested different types of glue each time he visits amazon.com now.
    Treat people as if they were what they ought to be, and you help them become what they are capable of being.
  • Pash Member Posts: 1,600
    Ahriakin wrote:
    MAC filtering and deliberately disabling ports via the switch management software is the cheapest; NAC is the most versatile and elegant, but does require extra time and investment.

    Yeah, that's all well and good, but add up the cost of dropping what you're doing to mess about on the switches every time you need to free up a port... and NAC won't seem that expensive ;)

    LOL at the glue thing.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Aquabat [banned] Inactive Imported Users Posts: 299
    dynamik wrote:
    What's your budget? You could always go with these and this if you're tight on cash.

    I don't get it
    i herd u leik mudkips lol
  • seuss_ssues Member Posts: 629
    We just disconnect the cable between the patch panel and the switch if a line isn't in use or shouldn't be in use.