Is Switch Port Security adequate


(Ron Fast) #1

I have HP Procurve and Aruba switches. Recently we had a company do a complete network security analysis. i have each port locked down blocking IPs that don’t match the IPs in the list for each port. I was told by that even though they are locked down that it’s not difficult for someone to plug in a small device (I think they said an Arduino device) and bypass the port security. Not sure what additional security would look like.


(Chris Green) #2

There are many ways to properly accomplish port level security. The “right way” to do it based on the level of audit you just had done would likely be authentication based using a tool like ClearPass. This goes much deeper into the process allowing device/user level authentication to put devices in the correct VLAN. If you’re also using Aruba wireless you can do port tunneling through the controller as well which brings another layer of protection with traffic analysis, profiling, firewalling, etc.

That said, I would be curious what pushed you to require this level of security conversation in the first place?


(Alex Conner) #3

Locking down by IP or MAC are not only error-prone and complex, but really aren’t all that secure since either can be easily sniffed and spoofed. If you truly need this sort of security (you probably don’t) then you should look into 802.1x or a vendor-specific product to authenticate devices & users and assign them policies.


(Ron Fast) #4

I wasn’t trained as a Network Admin. i’m a software engineer (old school type) so i really don’t know what security i need on the switches, if any. I have a lot to learn so I’m one who asks a lot of questions. it’s one of those “I don’t know what i don’t know”. While I trust the company that did the audit i need to know if the security improvements they recommended are really needed. Not sure if that makes sense.


(Alex Conner) #5

A security assessment should’ve included a risk assessment. Without knowing what you’re protecting, it’s hard to structure an appropriate response.

For example, Google decided to structure their network around the idea of no-trusted-networks (BeyondCorp) so network access control only needs to protect against bandwidth wasters and such not absolute security. On the flip-side, some companies are still using telnet-based mainframe systems and transmitting credit cards and other sensitive information in cleartext over their networks. This requires a very significant amount of network access control.

There are very few industries where a detailed port security program is the best usage of resources on protecting the network, especially as smaller organizations move more and more to the Cloud and the office network is just a dumb pipe to the Internet.


(Ron Fast) #6

Thank you for the advice. I was mostly concerned about the ports. a couple of reasons for network security

  1. i have several network ports in public areas, like our foyer.
  2. I’ve also had new staff plug in routers in their offices. I’ve even had one staff person who brought in his own WiFi router that brought the network down because it caused a broadcast storm. I figured if I locked down the ports i could prevent further network outages.

(Alex Conner) #7

IP or MAC filtering won’t save you from loops, only Spanning Tree will. You also need DHCP snooping to protect from routers being installed. However, this sort of thing is usually the result of an end-user not receiving the support they need from IT so I’d encourage you to think about if from the perspective of the user as well. We all know it’s impossible to serve everyone’s wants and desires, but if there’s good communication between IT and staff and they see you as an enabler and you communicate the importance of maintaining network security and stability you’ll have far fewer rogue actors. Responding by locking things down just encourages more people to use personal devices and bypass information security protocols.

Ports in public spaces either shouldn’t be patched or should be physically protected. If you want an extra layer of some basic protection, filtering those by MAC can help a little but device certificate based 802.1x would be much better.


(Ron Fast) #8

yes i realize that communication or lack thereof would have helped at least in part, i’ve learned how to communicate better with the staff concerning the network. I’m working on my communication skills.

Thank you for all your advice. You’ve helped a great deal and I appreciate it. I’ve looked into Spanning trees and will pursue that angle. I believe i will be able to eliminate all or most of the public facing network taps after thinking about it.


(Ron Fast) #9

Thank you Chris for your help. i’ve learned a great deal from you and Alex. I really appreciate it.


(Chris Green) #10

It is definitely getting easier to eliminate the extra plugs as wireless becomes the norm. That does, however, put pressure on us to provide secure, reliable, fast wireless. :wink:


(Ron Fast) #11

yup. i was fortunate to be able to afford a Ruckus WiFi System. it silenced many critics. I’ve enabled client isolation for our public WiFi. I haven’t put it on it’s own VLAN though.


(Greg Brenneman) #12

Public WiFi should be on a separate VLAN, and also should route through your filter. Consider turning WiFi off during the night as additional protection against users in the parking lot causing trouble for the church by what they download. Ruckus does have scheduling options.

Regarding the rogue access points, besides adequate support for users needs, there must be clear policies against such actions. Users also need to understand that it takes time to build out a good wireless network that is both adequate and secure. I find that many church staff, especially younger ones who have not worked for a larger organizations, think like a collection of consumers rather than a business unit, therefore install things like they would at home.

  • Greg

(Ron Fast) #13

Thank you Greg. I have turned off Public Wifi during off hours and will look into putting it on a separate VLAN