Application or Software to detect or Block unmanaged switches

Jimmy Hess mysidia at gmail.com
Thu Jun 7 10:27:00 UTC 2018


On Thu, Jun 7, 2018 at 3:57 AM, segs <michaelolusegunrufai at gmail.com> wrote:
[snip]
> Please I have a very interesting scenario that I am on the lookout for a
> solution for, We have instances where the network team of my company bypass
> controls and processes when adding new switches to the network.

The NETWORK management team of your own company?

The answer is adequate change controls, policy, procedures,
technical auditing (Such as logging of all CLI commands),  and
mandatory training with clearly-communicated in advance severe
consequences for violators of the compulsory security policy that
all switches must be of X type and configured according to Y process
before being connected to the network, signed off  by management.

There are technical controls that can be implemented to help prevent/
mitigate end users from attaching an unauthorized switch to a normal
access port.

But as you mention...  clearly an employee on the NETWORKING team
can likely just configure a port as  Trunk and  circumvent any technical
protections.

Two methods that could effectively prevent End Users (not Network/IT team) from
connecting unmanaged switches would be:

 * Port-security feature common on many managed switches that allows you to
   limit the number of MAC addresses that can use a port to 1 or a given
   number of MAC addresses.
   (Use a short MAC address aging time such as 30 seconds to allow people
   to unplug and plug a different device in, but a low MAC address count and
   Err-Disable violation to kill the port if a switch is connected.)

 * 802.1x Wired Port Security - More detailed system that requires a
   PKI + RADIUS server infrastructure and authentication by every
   client to every port.


--
-JH
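The port-security idea above (a low per-port MAC count as the tell-tale sign of a daisy-chained switch) can also be applied after the fact, as an audit, by reading the switch's MAC address table. The script below is an added example and is not from the post or from any vendor; it parses a constructed `show mac address-table` dump in a Cisco IOS-like layout (an assumption about the format) and flags access ports that have learned more than one dynamic MAC address. The port names, MAC addresses and the `UPLINK_PORTS` allowlist are all made up for the example.

```python
"""Audit a MAC address table for access ports that learned more than
one MAC, the condition port-security would err-disable.

Added example, not from the original post.  The table layout below is
modelled on Cisco IOS output (assumption); the data is constructed.
"""

import re
from collections import defaultdict

# Constructed sample dump, not a capture from a real switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/2
  10    0011.2233.4488    DYNAMIC     Gi1/0/2
  20    0011.2233.4499    DYNAMIC     Gi1/0/3
  20    00aa.bbcc.ddee    DYNAMIC     Gi1/0/24
  30    00aa.bbcc.ddff    DYNAMIC     Gi1/0/24
  10    0000.0c07.ac0a    STATIC      CPU
Total Mac Addresses for this criterion: 8
"""

# Ports that are known trunks/uplinks (assumed); many MACs there are normal.
UPLINK_PORTS = frozenset({"Gi1/0/24"})

# One table row: vlan, dotted-hex MAC, entry type, port name.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set(mac)} containing only dynamically learned entries.

    STATIC entries (the switch's own addresses, CPU-bound entries) are
    skipped, since they say nothing about what is plugged into a port.
    """
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        match = MAC_ROW.match(line)
        if not match:
            continue  # headers, separators, totals line
        _vlan, mac, entry_type, port = match.groups()
        if entry_type.upper() != "DYNAMIC":
            continue
        macs_by_port[port].add(mac.lower())
    return dict(macs_by_port)


def suspicious_ports(macs_by_port, max_macs=1, uplinks=frozenset()):
    """Ports (excluding declared uplinks) with more than max_macs MACs.

    max_macs mirrors the port-security 'maximum' setting: 1 for a plain
    workstation port, 2 where an IP phone with a PC behind it is expected.
    """
    return {
        port: sorted(macs)
        for port, macs in macs_by_port.items()
        if port not in uplinks and len(macs) > max_macs
    }


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, macs in sorted(suspicious_ports(table, uplinks=UPLINK_PORTS).items()):
        print(f"{port}: {len(macs)} MACs learned, possible unmanaged switch: "
              + ", ".join(macs))
```

Running it on the constructed dump reports only Gi1/0/2, because Gi1/0/24 is on the uplink allowlist. As with port-security itself, the threshold needs care: a hypervisor with bridged VMs, a docker host, or an IP phone with a PC daisy-chained behind it all legitimately show more than one MAC on a single port, so either raise `max_macs` for those ports or add them to the allowlist rather than treating every hit as a rogue switch.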



More information about the NANOG mailing list