 
nanog mailing list archives
Re: Application or Software to detect or Block unmanaged switches
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 7 Jun 2018 05:27:00 -0500
On Thu, Jun 7, 2018 at 3:57 AM, segs <michaelolusegunrufai () gmail com> wrote:
[snip]
> Please, I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypasses controls and processes when adding new switches to the network.
The NETWORK management team of your own company?

The answer is adequate change controls, policy, procedures, technical auditing (such as logging of all CLI commands), and mandatory training with clearly-communicated-in-advance severe consequences for violators of the compulsory security policy that all switches must be of X type and configured according to Y process before being connected to the network, signed off by management.
There are technical controls that can be implemented to help prevent or mitigate end users attaching an unauthorized switch to a normal access port, but as you mention... clearly an employee on the NETWORKING team can likely just configure a port as Trunk and circumvent any technical protections.
Two methods that could effectively prevent End Users (not the Network/IT team) from connecting unmanaged switches would be:

 * Port-security feature common on many managed switches that allows you to limit the number of MAC addresses that can use a port to 1 or a given number of MAC addresses. (Use a short MAC address aging time such as 30 seconds to allow people to unplug and plug a different device in, but a low MAC address count and Err-Disable violation to kill the port if a switch is connected.)
 * 802.1x Wired Port Security - a more detailed system that requires a PKI + RADIUS server infrastructure and authentication by every client to every port.
--
-JH
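The port-security approach above trips on the same signal an auditor can check after the fact: more dynamic MAC addresses learned on an access port than one host should produce. The following Python script is an added example for this thread (not posted by anyone on the list); it parses a constructed MAC table in the layout of a typical "show mac address-table" dump and flags access ports whose learned-MAC count exceeds a limit, skipping an assumed set of known uplink ports.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a typical "show mac address-table" dump
# (not captured from any real network); the MAC addresses are made up.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    0011.2233.4403    DYNAMIC     Gi1/0/2
  10    0011.2233.4404    DYNAMIC     Gi1/0/2
  10    0011.2233.4405    DYNAMIC     Gi1/0/3
  20    0011.2233.4406    DYNAMIC     Gi1/0/24
  20    0011.2233.4407    DYNAMIC     Gi1/0/24
  20    0011.2233.4408    DYNAMIC     Gi1/0/24
"""

# Ports that legitimately carry many MACs (uplinks/trunks to other managed
# switches) and must not be flagged. Assumed for this example only.
KNOWN_UPLINKS = {"Gi1/0/24"}

# One table row: VLAN, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def macs_per_port(table_text):
    """Map each port to the set of DYNAMIC MACs learned on it."""
    seen = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and separator lines
        _vlan, mac, kind, port = m.groups()
        if kind.upper() != "DYNAMIC":
            continue  # static/CPU entries are not end-user devices
        seen[port].add(mac.lower())
    return seen

def suspicious_ports(table_text, max_macs=1, uplinks=KNOWN_UPLINKS):
    """Return {port: sorted MAC list} for non-uplink ports whose learned-MAC
    count exceeds max_macs, the condition a port-security limit would trip on."""
    return {
        port: sorted(macs)
        for port, macs in macs_per_port(table_text).items()
        if port not in uplinks and len(macs) > max_macs
    }

if __name__ == "__main__":
    for port, macs in suspicious_ports(SAMPLE_MAC_TABLE).items():
        print(f"{port}: {len(macs)} MACs learned, possible unmanaged switch: {', '.join(macs)}")
```

A snapshot like this only sees a switch that currently has more than one downstream device talking, which is why the per-port aging and Err-Disable settings described above are the enforcing control and this check is a detection aid.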