How Do You Handle Ethernet Port Management?
MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."
He just blocks everything except HTTP/HTTPS and FTP, so I'm stuck using Tor for anything else. >:(
This way you could tie particular users to their VLANs, not the machines to the ports, which can be quite annoying when a user wants to change his/her desk.
802.1x should be combined with some decent endpoint security solution
(see recent Gartner reports on this)
HTH
Marcin
I've always had good luck with not necessarily tying a MAC to a port, but rather a list of approved MACs. MAC not approved gets automatically shunted to an isolated VLAN. If they bring up a browser all they see is a "welcome guest, call IT" screen. Both Cisco and HP switches can do this.
Given how easy it is to change your mac address, (I can do this at will on my ethernet AND wireless) I would hope no serious security system relied entirely on that one factor. We have to assume the serious criminals have all the easy angles covered.
i would suggest using a RADIUS login to manage user access
since RADIUS was originally designed for ISP's managing users it is good dealing with hostile clients and other riffraff as long as you are on a switched network
One port at a time! The best part is that you don't need to be an MCSE tech to figure that one out.
"I read it as Ethernet Porn Management"
"In which case, I'd use a COMdom"
Feel the karma burn. Ahh but how, -1 Redundant, Offtopic or simply Overrated? Hit me with it.
I do not respond to cowards. Especially anonymous ones.
I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites.
Uh, go wireless? There are a number of wireless options.
(The company I work for has a neat solution, but I am not allowed to talk about it(!!))
I'd recommend a pro solution, as they are not going to go away. Any employee you might hire to custom make a solution could die in a traffic accident, or get a new job, or die for some other reason. You'd be stuck with a one man band application, that other people would have to "fully" comprehend his coding nuances. The security, stability, and maturity of a professional long term product is going to help a lot if you are planning for further growth as well. I'd find out the one that has the highest rating out there among the pro solutions and go with it.
A smart man once said "Do what you're good at, and find those that are good at what they do and pay them if you need their services, and do not try to be a jack of all trades."
The only other way I could see it as viable is to get in on an open source app and contribute to it, but it sounds like you need something that works "right now"(tm).
I'm not exactly in charge of any large area networks, so I'm probably just ignorant, but why would you want to limit physical Ethernet access to begin with? All your actual services are properly authenticated, aren't they? Is it for DoS prevention or proactive security or something completely else?
When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?
As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.
Netdisco is an open source switch management solution. Shows you MAC, IP and NetBIOS information per port, draws graphs and allows you to change VLANs and enable/disable ports with logging.
http://www.netdisco.org/
With big jobs you have no choice but to use some highly specialized tools. It sounds like the Testum Network Management Tool would be useful.
It'll help you figure things out a lot easier. It also does a lot of other nifty things that could become useful when you need to expand the network.
... and in the DRM, bind them.
Well, that's the truth for our organization. You don't want to know how we do it. What you should look at for that scale is probably dynamic VLANs. Cisco has good solutions, I'm sure you can find vendor neutral ones as well, but I'm the kind of guy who will push a Cisco solution in general. At any rate the basic idea is that when something gets connected its MAC is checked and then a VLAN is assigned to the port based on it. So no matter where a computer is connected, it's in the same area network and security wise. This also means that unauthorized computers can be put in a nothing VLAN with no access.
It's not a magic bullet security wise, but it really makes management easy. You want all your engineers in a given VLAN, just assign their MACs to it. Then if one goes to a new office and nobody tells you, doesn't matter the hardware takes care of it for you.
I would suggest, with that kind of load, something that has great visualization software. I work at a lot of different data centers and I can tell the ones that are organized are the ones where you can just glance at a screen to tell what's up and what's down. To find a computer by just typing its host name and it telling you exactly where the port is and where the current routes are. Even with the setup headaches, it's all a one time deal with just a little maintenance every time you change out a switch. Even then, with good config backups that downtime is eliminated.
This is going to read like a troll..especially given all the IT support people out there...but oh well. Turn on all the freaking ports and get back to the support desk so someone is there when I call. I am so tired of the IT group doing huge make work projects in the name of security/scalability/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done. I am sorry we are using the computers, storing files on the disks and want the Ethernet ports to actually work but we do. I really don't need to be down for 3 days when I need to move a computer to another desk to be closer to some new custom hardware I need to bring up. Who exactly do you think you are stopping from "getting at your network" with these toy approaches such as turning off the ports if no computer accesses them for a day or locking down by MAC address. These approaches are very good at stopping the actual users of the network from getting work done. They are a pathetic attempt at security for anyone that actually wants to do damage to the network.
Luckily I haven't run into any clients that have gone to port level security, but I'm curious how well I'd be supported by those that have already set up such a system. For those that have already done this, how well do you support consultants and vendors that show up with their own laptops preloaded with all their own tools who need access to important servers? Do we have to wait for a network login (likely a domain account) and install some kind of app? What about the ones whose PCs are configured for another company's network and cannot be changed (e.g. we don't have Admin on our own laptop) or if we show up running Linux? Myself, I have root, but it's on Linux. So, being independent, I'm wondering if I should include a clause in my contract to cover environments that lock me out.
AHAHAHA HAHA HAH
... is what I would be saying if I were 12-15 years old.
I don't get it. Your dad does this to your house?
+++ATH0
Layer 2 Security may make sense on certain segments, such as Internet edge or server switch blocks, but when it comes to user segments, don't even bother. Leave them all open and implement your security on a level that is more manageable than layer 2!
http://www.bradfordnetworks.com/
Posting anon as I don't care to link myself to them. I don't work for them...just use their product. Little quirky at times, but for the most part, it's a pretty solid product! I'd hate to go back to manual port management...it's bad enough doing it for 100 ports nowadays (we let CM manage ResNet ports and other non-critical ports).
Well, first thing you want to have are good site network layouts in a CAD program, preferably done in scale. Do not worry about every single wire (it is nice though at least for the pulls from the floor to the closet's patch panels) but get the major items, devices, and closet feeds.
As for what connects where, well, that needs to be part of your asset management system to be really effective. Some type of database which contains records for each class of object (like computers, servers, switches, routers, etc.), which also has fields for location and network port connectivity. Obviously you would want a relational style database, with one to many relationships for network connectivity since you may have multiple network interfaces on different devices. Now the hard part, actually making this part of your processes. You need to have this updated, and really the best way is to make sure that people have to go through the process in order to get on the network. What this means is that you absolutely must use something like "port security". If regular people can move a system from one location to another and just disconnect one device and connect this one and it works, you will never be able to keep any tracking/management system up-to-date. It will be up-to-date for a whole 5 minutes after you do an inventory of that cube/office/location before someone somewhere decides that they are taking over the room down the hall because it is closer to the window, or is next to the exit...
I can't state that enough, you need to FORCE EVERYONE TO USE THE SYSTEM. If one person doesn't use it, then everything he/she does will be under the radar and not detected, which makes having such a system pointless because it doesn't contain valid data, and you might as well have done "/dev/random > my_network_layout".
The ultimate solution is 802.1x. Unfortunately, that essentially ties one mac per port (the first MAC to associate authenticates the port) for Cisco. Nortel can do multiple MACs per port while authenticating each one. You can also go with a VLAN switching solution like Cisco's Secure Access, Bradford's Campus Manager, etc. Those run $100k+ per 10,000 ports. There are FOSS alternatives as well like NetPass
They are all on VLAN 1 aren't they?
When I was training for my CCNA, they were telling us that most people use static port-based VLAN membership these days for corporate networks because it reduces overhead. I, on the other hand, was a big proponent of dynamic VLANs because of the extra security added. All that would be needed is to hire a couple people that, when a new NIC or laptop comes into the company and passes through your department, they add the MAC address to the database and assign it a VLAN.
That way, your users are free to roam the corporate network while maintaining their workgroup association but even more importantly, MAC addresses that aren't in the database (unauthorized NICs like someone bringing their access point from home or their lappy) immediately trigger the port to go into disable mode.
I work for a large organization (thousands of users at hundreds of sites) and manage about 2000 users worth myself. Without going into too much detail I don't think we found the magic bullet. CiscoWorks and Optivity (ESPECIALLY OPTIVITY) are frankly POS systems, at least in our situation. MAC Address is an option, but it's far from 100%, and requires pinpoint inventory of every device on / will be on / surplused (good luck with the last one) equipment. Wireless is NOT an option, from both speed and security (although I like wireless, I can't say airwaves are as safe as a cable which would require a vampire tap to get into, not as easy as sitting in another office) in our organization. Besides I have zero say in the matter.
The one idea I DO like is any "external" access points, such as those where external clients may wander, those are locked to specific MAC ports. However I think the best would be an inventory system tied into user accounts, that can track both machines and users as they go about. Having an organization that supports best practices for inventory is an absolute must. If you can't say for sure what hardware exists, it's impossible to deny access to illegitimate users. Of course in an organization the size you're talking about that's easier said than done. Eliminating as much room for user error as possible for inventory is another suggestion, such as grabbing machine info automatically.
The problem I think is as much the tools as it is the people and the fact we're inherently lazy. Sorry for not an answer, but that's my take on it. Good luck.
Not even 12-15-year-olds find that funny. Only the OP finds that funny.
Tried that last month, actually. No-killy the computer.
Actually, 802.1X (on wired ethernet) can be attacked - read this. Yes, it is on Microsoft.com, but nothing in the article is specific to Microsoft technologies.
Now, this is definitely a deliberate attack (not an innocuous vendor just plugging in their laptop to check their email) but it is possible.
(You insert a hub between a legit computer and a legit switch port. You connect your attacking computer to the same hub, configure your attacking computer to have the same MAC, wait for the legit computer to authenticate which opens the switch port and off you go, subject to some caveats as mentioned in the article.)
They recommend IPSec as it authenticates each packet. 802.1X on wireless is not subject to the same issues because there is a session that is maintained between the AP and the client.
1) Visually inspect one known-good piece of equipment. At my organization, for reasons which are beyond me, they're printed on every laptop (along with my username and static IP address). They're also frequently printed on the physical network card. So if a computer is in a physically non-secure location (guest-accessible computer, laptop stolen, laptop taken in for repairs by Geek Squad instead of IT, laptop taken home, etc etc) that's a vulnerability.
2) Socially engineer a wireless MAC address. Go to any location frequented by the workers at your target institution -- say, the cafe across the street during lunch hour. Open a wireless hotspot with a name like "Roadkill Cafe Wireless Network" and don't require any sort of authentication. Take MAC addresses off the logs, then return to the target institution and try until you find one that works. (Hopefully they don't have their wireless addresses and their wired addresses be the same... but I've seen it done before, by lazy IT types).
3) Call and ask somebody. "*ring ring* Hiya, Suzy, this is Bob in IT. We're having some problem with the router covering your workgroup. Have you noticed any problems? No? That's great. We put through some fixes on our end and I need to be sure that they took. Could you please hit your Windows key and R at the same time? Type in command, hit enter. See a big black box? Type in "getmac". Yeah, I know, it's funny to say Get Mac on a Windows machine, those quirky programmers, what can I say. OK, could you read me the group of numbers and letters with the dashes in them that you see on the first line? OK, that's what I'm showing on this end too. Thanks Suzy, you're all set. If you have any problems you know who to call."
4) Sniff it out of the air (again with the wireless vulnerabilities).
5) If you can compromise any machine on the network "arp -a " gets you the MAC address of anybody you can see. I'm fairly certain you can accomplish this via ActiveX control (a quick Google found one), and also fairly certain you can not do it by Java applet.
Obviously, these are intended to tell you what you need to look out for securing your network, not for breaking into someone else's. Now if you'll excuse me I have to explain to a boss on why the whole "mac address printed on the laptop" is unwise.
You might want to check out ONA - Open Network Administrator from Bruce Campbell at U of Waterloo. And his paper from the LISA 2005 conference.
http://ona.uwaterloo.ca/
You are prolly correct. I am referring to conducting a secret government, maintaining a 'hidden in plain sight' coup, and directing the operations for the US half of 'a new Pearl Harbor'.
Plame is serious in that regard, but also a footnote on the real crime.
Now I must confess that I don't manage huge networks, and I'm going out on a limb. At the two universities I've been to, both manage their ports and wireless together with either having a certificate on the computer (not sure which method that is) and also by doing temporary access with a user/pass combo tied to all the other services. I'm not sure which technologies they're using but it's entirely seamless and extremely easy since if you're supposed to be there you already have the id, and if you're always there it only takes a few minutes to get the certificate. This really doesn't create a headache like another user was complaining about.
Use epoxy. Just mix the two compounds and fill in unused ports.
Great security-wise but kinda limits future expanding.
I just recently stopped working for a government agency and I was responsible for managing port security on about 6000 ports. Our current end-game solution is to use 802.1x, however due to certain regulations, our agency couldn't operate a CA, so we couldn't feasibly request a new certificate for each host every time one completes an accreditation process. But we were implementing everything else until we could get there.
:)
Our short term solution is to stand up a RADIUS server and use it for port-security. This isn't quite as good as 802.1x, but provides the same level of scalability without going as much in-depth. You basically have your switches (assuming they have this ability) check the RADIUS server for allowed MACs. This works the same as the MAC ACLs, but is centrally managed. We haven't gotten that far yet either, as we didn't have a RADIUS server. (more stupid regulations that make that a headache)
So, the current process is to manually change the MAC address on each port on each switch. We initially turn on port-security on the switches, and for the newer ones (Cisco 3550/3560/3750) once we determine that all the users are on that need to be on, we drop all other ports into a dead-end VLAN that has no access. The remaining ports we drop into our data vlan (we also have dedicated vlans for voice, wireless, video, and infrastructure management). Once we've established that, we secure the MACs to the ports. All port security violations are logged to a syslog server and the switches are set to restrict access. This prevents useless work of re-opening ports when some user decides to plug-in their home machine to download the latest Linux ISOs or torrents. For further changes (i.e. when a new machine gets put on the network), a call is made to the helpdesk which routes the ticket to the networking team (that's me) and I unlock the port. We then have to notify the security team, which scans the machine for vulnerabilities and applies patches as needed. After that, it is managed by WSUS and SMS.
Now this sounds very tedious, but it isn't that difficult to manage. For the last 2 months, I managed all port security by myself, as well as down network links, some remote office firewalls, and new switch installs. Port security helpdesk tickets were typically closed within 2 hours of the request (assuming the helpdesk tells me about them). As a bonus, and because I'm lazy, I wrote some scripts for WSH that will connect to a switch, get a listing of all port-security information, compare it to DHCP leases on Windows servers, and output a table that shows which host is on which port. I also expanded this for use on WAN links where it will recursively access all switches at a site, stopping when it reaches a router and display the same information on a per-switch basis. A pretty handy report. Useful for telling you which hosts aren't using DHCP (so you can ensure they belong there). The only real requirements for this to work are that the switches use CDP on infrastructure links and they support ssh. You also have to have a CLI ssh client that supports putting the password on the command line (or certificate based auth if you can set that up, I don't think Cisco devices support it, although I think kerberos works
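The host-per-port report and the syslog violation logging described in this post, as an added Python example (not the poster's WSH scripts): it parses a constructed sample of Cisco `show port-security address` output, a constructed DHCP lease dump, and a constructed syslog line, joins them per port, flags secured MACs that have no lease, and pulls out port-security violation events. The switch name, ports, MACs, IPs and hostnames are all made up for the example.

```python
"""Reconcile a switch's port-security MAC table with DHCP leases and pick
port-security violations out of syslog.  Added example; all data is constructed."""
import re

# Constructed sample in the layout of Cisco IOS `show port-security address`.
PORT_SECURITY_OUTPUT = """\
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
  10    0011.2233.4455    SecureSticky        Fa0/1        -
  10    0011.2233.4466    SecureSticky        Fa0/2        -
  10    0011.2233.4477    SecureConfigured    Fa0/3        -
  20    00aa.bbcc.dd01    SecureDynamic       Fa0/4        -
"""

# Constructed lease dump, one "ip mac hostname" per line, with the dash-separated
# MAC form a Windows DHCP export uses.
DHCP_LEASES = """\
10.1.10.21 00-11-22-33-44-55 ws-alice
10.1.10.22 00-11-22-33-44-66 ws-bob
10.1.20.5  00-AA-BB-CC-DD-01 printer-3
"""

# Constructed syslog lines in the form Cisco IOS emits for a violation (plus noise).
SYSLOG = """\
Jan 12 09:14:02 sw-site17-01 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00de.adbe.ef01 on port FastEthernet0/7.
Jan 12 09:14:05 sw-site17-01 124: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

_PS_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+(Secure\w+)\s+(\S+)", re.M)
_VIOLATION = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<switch>\S+).*?PSECURE_VIOLATION:"
    r".*?MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+)\.", re.M)


def normalize_mac(mac):
    """Reduce 0011.2233.4455 / 00:11:22:33:44:55 / 00-11-22-33-44-55 to 12 lowercase
    hex digits so the switch, DHCP and syslog sources can be joined on the MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_port_security(text):
    """Return {mac: (vlan, secure_type, port)} from the switch output; header rows skipped."""
    return {normalize_mac(m.group(2)): (int(m.group(1)), m.group(3), m.group(4))
            for m in _PS_ROW.finditer(text)}


def parse_leases(text):
    """Return {mac: (ip, hostname)} from the lease dump."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            leases[normalize_mac(parts[1])] = (parts[0], parts[2])
    return leases


def host_per_port(ps_table, leases):
    """Join the two sources into (port, vlan, mac, hostname, ip) rows, one per secured MAC.
    hostname None means no DHCP lease: a static host to confirm on the inventory."""
    rows = []
    for mac, (vlan, _kind, port) in sorted(ps_table.items(), key=lambda kv: kv[1][2]):
        ip, name = leases.get(mac, (None, None))
        rows.append((port, vlan, mac, name, ip))
    return rows


def non_dhcp_hosts(rows):
    """The rows the poster wanted flagged: secured MACs with no lease."""
    return [r for r in rows if r[3] is None]


def parse_violations(syslog):
    """Extract (switch, port, offending mac) from violation lines; other messages ignored."""
    return [(m.group("switch"), m.group("port"), normalize_mac(m.group("mac")))
            for m in _VIOLATION.finditer(syslog)]


if __name__ == "__main__":
    rows = host_per_port(parse_port_security(PORT_SECURITY_OUTPUT), parse_leases(DHCP_LEASES))
    for port, vlan, mac, name, ip in rows:
        print("%-6s vlan %-3d %s %-10s %s" % (port, vlan, mac, name or "(no lease)", ip or "-"))
    for switch, port, mac in parse_violations(SYSLOG):
        print("VIOLATION on %s %s by %s" % (switch, port, mac))
```

The `show port-security address` text would in practice come from an SSH session to each switch; here it is embedded so the reconciliation logic runs offline.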
Thinking a bit more abstractly:
We're talking about limitation and control of L1/L2 network access, right?
When Wi-Fi came along, the same issue had to be solved. Part of 802.11i Wi-Fi security is use of IEEE 802.1X - a standard which was designed just for this purpose, even before wireless networks were around yet. So it's perfectly suited for wired networks as well. Use network equipment with Authenticator capabilities, install a Supplicant on your authorized clients, good to go.
half of them probably not connected to any switch at a given time. Why do you need to complicate matters by "managing" ALL ports of ALL sites at once? What's there to manage anyway, you don't even have physical access to most of them!
Go back to basics, think about one subnet at a time. If you can't trust that no rogue machine will be connected to that net, don't run insecure protocols over it.
(Link goes to NetDisco.org).
If your network infrastructure supports SNMP pretty much all the way, this tool is pretty rad.
In this situation since we're talking about the security of physical internet ports, that an intruder can access them in person is sort of assumed.
If you have really good physical security (an intruder can't get to the Ethernet ports) then it sort of obviates this entire discussion -- why bother doing all the obnoxious port security if you can guarantee not letting anyone un-approved get access to an Ethernet port? You wouldn't. Except that you almost certainly can't guarantee that, hence why people are interested in such things.
So if you're even thinking about securing a wired network, it makes sense to assume that the theoretical attacker would have physical access at least to the endpoints of the infrastructure (the ports themselves, other client PCs) and could read the MAC address off of another client.
Look into Cisco Clean Access and NAC appliance. I just got trained on that a couple weeks ago.
Disclaimer - I am a consultant that does software testing for the System Manager software and iPatch hardware.
Your question really has two parts, a) what policies are preferred for managing large networks and b) what is a good way to enforce that policy? I feel like the above comments cover some pretty good pros and cons of various policies, so I'll skip that in favor of the second question.
Having managed a few large networks in the past, I can honestly say I wish I had known about the iPatch System Manager software. The single greatest problem I had was keeping my knowledge of the state of the network up to date. With current knowledge of the network, implementing (or switching) policy is much easier. Anyway, the basic idea of the software is to help you gather and maintain as much information as possible about your network. Specifically, System Manager
--Allows manual inputting of network architecture from buildings down to desktop hubs
--SNMP features allow for in software management of switches (enable/disable ports, customizable snmp trap alerts, more)
--Integrates with HP Openview (I'm not a fan, but some people love it)
--Automatic service provision (if cabling is in place)
If you buy the iPatch hardware to go with the software, it can also
--Automatically discover and maintain rack architecture and panel patching state (including notification of unauthorized patches)
--Provide at-rack patching and job completion (which is then relayed back to the software)
IMHO, this software makes managing large networks much easier, regardless of the policies you use.
First, on the size of network you are working on it would be easier for you to have all of the ports plugged in and to use a method such as a gateway device to control access if they all come through a central point (www.bradfordnetworks.com) as well as having decent access control to the buildings. For the physical access control, that is really only feasible in an area such as the server room or a similar smaller area that doesn't change as often. Many companies have the internet connections for their remote divisions as a WAN link through a corporate headquarters so they can manage it.
Secondly, you need to organize the network using VLANs and subnets in a way so that it is easy to control (hopefully this is already done). For example, division "abc" has subnet 172.17.100.XXX and division "def" has subnet 172.17.102.XXX
Thirdly (and this is the big one), you need excellent management of IT at your company. If the users know they can be fired for installing a program or going to the wrong websites it will keep them on track and using their computer to do their job and not to promote their personal life.
Also, devices such as a proxy server that you can control where they go on the internet will help minimize risk by only allowing users to use their computer for their job. This as well as other devices that could detect a virus and "dead end" a user to a VLAN where they can't hurt anything (see www.bradfordnetworks.com again, although costly it really is a decent solution) are the type of investments that can save you down the road.
Best of luck to you.
it's easy. you don't manage ethernet ports. cisco catalyst 6500 switches or foundry bigiron are popular for large environments. switches run this thing called "spanning-tree" aka IEEE 802.1d (and improvements such as .1s and .1w). layer-3 switches can run other things such as IETF/Cisco HSRP, IETF VRRP, or Cisco GLBP, as well as connect to other layer-3 devices with something called IPv4 and routing protocols such as OSPF, ISIS, RIPv2, EIGRP, or BGP-4. once you've mastered those (or hired a network engineer), you can move on to actually building a large network.
i guess if you wanted to "manage" ethernet ports in the way that you describe, i would consider using IEEE 802.1x. you don't need any network management software or SNMP to do this.
I have noticed that setting the switch's MAC address on the port works well. Basically being like only allow traffic from/to MAC addy XYZ.
Why do you need port based security anyway? Just secure your switch, keep it locked up...