Slashdot Mirror


How Do You Handle Ethernet Port Management?

MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."

9 of 133 comments

  1. Re:My dad's solution by Harry+Balls · · Score: 4, Insightful

    The OP is talking about physical Ethernet ports, not about TCP or UDP ports.

  2. mac security by v1 · · Score: 3, Insightful

    Given how easy it is to change your mac address, (I can do this at will on my ethernet AND wireless) I would hope no serious security system relied entirely on that one factor. We have to assume the serious criminals have all the easy angles covered.

    --
    I work for the Department of Redundancy Department.

    1. Re:mac security by jonadab · · Score: 2, Insightful

      > Given how easy it is to change your mac address

      The question isn't how easy it is to change your MAC address, but rather how easy is it to find out what to change the MAC address to. (I'm not sure it's that much harder, though, assuming a device that's normally plugged in is present so you can snoop on it.)

      > I would hope no serious security system relied entirely on that one factor

      No serious security system relies on *ANY* one factor.

      Tying a MAC address to an ethernet port doesn't solve all security-related problems, but it does help somewhat with the specific problem of employees just being generally far too careless about what systems they plug into the LAN, which *can* be a significant thing, in some situations.

      Obviously you will still want other forms of security.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    2. Re:mac security by Alioth · · Score: 3, Insightful

      A large proportion of break-ins (particularly malware type break-ins) are not due to malice: quite often they are because a contractor/employee brought in their personal malware infested laptop and saw fit to connect it to the corporate network. Nearly all the problems I've seen on company networks are not due to malice but due to people doing silly things like this.

      A huge number of corporate network problems can be solved just by keeping the honest people honest with things like MAC address approval.

  3. Re:Why? by Anonymous Coward · · Score: 1, Insightful

    I agree. I have to manage almost 10000 ports by myself. If I tried to turn on MAC filtering or even maintain a list of approved MAC addresses, then I would spend all of my time managing that list. What I would gain would be very little.

  4. Turn them All on by Ada_Rules · · Score: 1, Insightful

    This is going to read like a troll... especially given all the IT support people out there... but oh well. Turn on all the freaking ports and get back to the support desk so someone is there when I call. I am so tired of the IT group doing huge make work projects in the name of security/scalability/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done. I am sorry we are using the computers, storing files on the disks and want the Ethernet ports to actually work but we do. I really don't need to be down for 3 days when I need to move a computer to another desk to be closer to some new custom hardware I need to bring up. Who exactly do you think you are stopping from "getting at your network" with these toy approaches such as turning off the ports if no computer accesses them for a day or locking down by MAC address. These approaches are very good at stopping the actual users of the network from getting work done. They are a pathetic attempt at security for anyone that actually wants to do damage to the network.

    --
    --- Liberty in our Lifetime

    1. Re:Turn them All on by swordgeek · · Score: 4, Insightful

      My choices here were to mod you down, or to reply. I'm choosing the high road, I think.

      Your suggestion has merit--turn on the damned ports, let people plug in, and get work done. Lower admin overhead, faster response for the end user, and everyone can get on with their work.

      However, you seem to have an attitude problem, and I suspect it takes three days to get you on the network because nobody really gives a shit if they get around to doing your bidding. Doing work for people who believe they know your job better than you do is about as much fun as slicing open veins, and rather less satisfying. MAC address-based port connections may not be the perfect security solution, but they are one powerful layer in a multi-tiered environment, and they're absolutely not a toy. Consider: People bring personal laptops to work, plug in to the LAN, and a virus spreads because the primary virus scanners are at the perimeter firewall. The ENTIRE FUCKING COMPANY is now down for between six and 72 hours. Oh, but that's OK because you didn't have to submit your laptop for scanning, and could start working immediately. Clearly your work is more important than anyone else's in the whole company.

      Here's another scenario: A company has a mixed user environment of PCs and Unix workstations. We can declare that every port is enabled, but what ports are enabled on which network? What if the networks are split by division?

      Contrary to what your fantasy world might suggest, IT is NOT there to block your progress! They want to get things up and running as fast as possible, and with as little overhead for themselves as feasible. Opening all ports in a moderately large company is neither feasible nor intelligent.

      I think that you pretty much defined yourself as a legitimate troll (note: Not your post, but YOU) with this comment:

      "I am so tired of the IT group doing huge make work projects in the name of security/scalability/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done."

      So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do.

      You, sir (or madam), are an asshole. I predict for you a long and frustrating career of nobody doing what you want, just for the sake of pissing you off. Good riddance.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban

  5. Re:Why? by Intron · · Score: 2, Insightful

    The one thing you might do is watch the traffic for MAC addresses that contain the manufacturer id for Linksys, NetGear, etc. to find unauthorized WAPs.

    --
    Intron: the portion of DNA which expresses nothing useful.
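    Two of the controls discussed in this thread, per-port MAC approval (Alioth's "keep the honest people honest" point) and Intron's tip of watching for consumer-vendor OUIs to spot unauthorised access points, as one added example that is not code from the thread or from any poster: it audits a constructed "show mac address-table" style dump. The OUI prefixes, port names, approved list and sample rows are all assumed values for illustration.

```python
import re

# Constructed OUI table (assumed prefixes for illustration only); a real
# deployment would load the IEEE OUI registry instead.
CONSUMER_OUIS = {"00:14:bf": "Linksys", "00:18:4d": "Netgear"}

# Constructed approved MAC-per-port list, as an admin might maintain it.
APPROVED = {
    "Gi1/0/1": {"00:1a:2b:3c:4d:5e"},
    "Gi1/0/2": {"00:1a:2b:3c:4d:5f"},
    "Gi1/0/3": {"00:1a:2b:3c:4d:60"},
}

# Constructed sample in the style of a "show mac address-table" dump.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
  10    001a.2b3c.4d5f    DYNAMIC     Gi1/0/2
  10    0014.bf11.2233    DYNAMIC     Gi1/0/3
  10    0018.4d44.5566    DYNAMIC     Gi1/0/3
"""

ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(cisco_mac: str) -> str:
    """Convert 001a.2b3c.4d5e to 00:1a:2b:3c:4d:5e."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(table: str, approved=APPROVED, ouis=CONSUMER_OUIS) -> list:
    """Return (port, mac, reason) findings for a MAC table dump."""
    findings, seen = [], {}
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        mac, port = normalize_mac(m.group(1)), m.group(2)
        seen.setdefault(port, set()).add(mac)
        if mac not in approved.get(port, set()):
            findings.append((port, mac, "MAC not approved for this port"))
        vendor = ouis.get(mac[:8])  # first three octets are the vendor OUI
        if vendor:
            findings.append((port, mac, f"consumer OUI ({vendor}): possible unauthorised AP"))
    # Several MACs learned behind one jack is another hub/AP indicator.
    for port, macs in seen.items():
        if len(macs) > 1:
            findings.append((port, ",".join(sorted(macs)), "multiple MACs learned on one port"))
    return findings
```

    As v1 notes above, a MAC address is trivially changed, so these findings are an inventory and hygiene signal for follow-up, not an authentication decision.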

  6. Re:Physical security by Anonymous Coward · · Score: 1, Insightful

    We've never had a problem with an intruder, but guests hooking up infected machines is a non-stop problem. I'm just pointing out that there are many different goals in security.