How Do You Handle Ethernet Port Management?
MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."
This way you could tie particular users to their VLANs, not the machines to the ports, which can be quite annoying when a user wants to change his/her desk.
802.1x should be combined with some decent endpoint security solution
(see recent Gartner reports on this)
HTH
Marcin
-- echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768
I would suggest using a RADIUS login to manage user access.
Since RADIUS was originally designed for ISPs managing users, it is good at dealing with hostile clients and other riffraff, as long as you are on a switched network.
Snowden and Manning are heroes.
When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?
As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
Well, that's the truth for our organization. You don't want to know how we do it. What you should look at for that scale is probably dynamic VLANs. Cisco has good solutions, I'm sure you can find vendor neutral ones as well, but I'm the kind of guy who will push a Cisco solution in general. At any rate the basic idea is that when something gets connected its MAC is checked and then a VLAN is assigned to the port based on it. So no matter where a computer is connected, it's in the same area network and security wise. This also means that unauthorized computers can be put in a nothing VLAN with no access.
It's not a magic bullet security wise, but it really makes management easy. You want all your engineers in a given VLAN, just assign their MACs to it. Then if one goes to a new office and nobody tells you, it doesn't matter; the hardware takes care of it for you.
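The mechanism the poster describes is usually realized by having the RADIUS server return tunnel attributes in its Access-Accept, which the switch translates into a VLAN for the port. The following is an added example (not code from the poster, Cisco, or any vendor) of the policy side of that: a lookup that normalizes the MAC formats different switches report, maps a MAC or 802.1X username to a group, and returns the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, with unknown identities landing in a quarantine VLAN. The policy table, VLAN numbers, and identities are constructed.

```python
"""Dynamic VLAN assignment policy for a RADIUS server (added example).

Maps an authenticated identity (a MAC address or an 802.1X username) to the
RADIUS tunnel attributes a switch uses to place the port into a VLAN.  All
group, VLAN and identity values below are constructed for illustration.
"""
import re

# Attribute values from RFC 2868 / RFC 3580: Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE-802.  The switch reads Tunnel-Private-Group-ID
# as the VLAN number (or VLAN name, depending on platform).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

QUARANTINE_VLAN = 999  # constructed: the "nothing VLAN" with no access

# Constructed policy table: group -> VLAN id
GROUP_VLAN = {"engineering": 10, "marketing": 20, "printers": 30}

# Constructed directory: normalized MAC or lower-case username -> group
IDENTITY_GROUP = {
    "00:11:22:33:44:55": "printers",   # a device that cannot do 802.1X
    "alice": "engineering",            # 802.1X username
    "bob": "marketing",
}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept Cisco dotted (0011.2233.4455), hyphen, colon or bare hex forms
    and return aa:bb:cc:dd:ee:ff; return None if the string is not a MAC."""
    hexonly = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not _MAC_HEX.match(hexonly):
        return None
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def vlan_for_identity(identity):
    """Return the VLAN for a MAC or username; anything unknown is quarantined."""
    mac = normalize_mac(identity)
    key = mac if mac else identity.strip().lower()
    group = IDENTITY_GROUP.get(key)
    return GROUP_VLAN.get(group, QUARANTINE_VLAN)


def radius_reply(identity):
    """Build the reply attributes an Access-Accept would carry for identity."""
    vlan = vlan_for_identity(identity)
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    for ident in ("0011.2233.4455", "ALICE", "bob", "00-de-ad-be-ef-00"):
        print(ident, "->", radius_reply(ident))
```

Because the lookup key for a non-802.1X device is nothing more than its MAC, the quarantine default matters: a MAC that is not in the directory must never fall through to a production VLAN, and MAC-keyed entries should be limited to devices (printers, phones) that cannot present credentials.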
Luckily I haven't run into any clients that have gone to port level security, but I'm curious how well I'd be supported by those that have already set up such a system. For those that have already done this, how well do you support consultants and vendors that show up with their own laptops preloaded with all their own tools who need access to important servers? Do we have to wait for a network login (likely a domain account) and install some kind of app? What about the ones whose PCs are configured for another company's network and cannot be changed (e.g. we don't have Admin on our own laptop) or if we show up running Linux? Myself, I have root, but it's on Linux. So, being independent, I'm wondering if I should include a clause in my contract to cover environments that lock me out.
I skip trying to keep track of MACs (too easy to forge), in fact I skip Ethernet level security almost entirely (too much to keep track of).
I say "almost", since I do have each switch trunk a separate VLAN to each port (to keep them isolated), and I have the switches filter everything except PPPoE. The switches are managed through a physically separate control plane network, where extensive security is in place. Various systems monitor the control plane network in detail, all traffic on that network is recorded to WORM, and the entire network area is shut down if any anomaly is detected (i.e. any attempt to contact port 80 on anything results in a building lock-down, since there is no reason web traffic would exist on the control plane). The control plane is not reachable from the regular network, any user-facing ports, or the Internet.
On the forwarding plane, users must establish a PPPoE connection to reach the VPN concentrators, and then must establish an L2TP or PPTP tunnel to access the intranet or the Internet. All traffic from the VPN tunnels is forced through firewalls and IPS/IDS systems before being allowed on its merry way. Inbound connections to user systems are prohibited, unless the individual user's profile permits limited access. Since nothing can be done except through the VPN tunnels, every packet gets examined. Management of the PPPoE concentrators, VPN concentrators, routers, firewalls, and network control/monitoring servers is again isolated to the control plane network.
Isn't that a lot of overhead? Yes it is.
Does the network yield maximum performance? Not by a long shot.
Is it inconvenient? Quite.
Expensive? You bet.
But, it is rather secure, and quite homogeneous, making security management's job much easier. No pesky individual Ethernet ports (or wireless APs for that matter) to deal with, just a database of user profiles, and standardised configuration templates.
-e
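The control-plane rule in the post above ("any attempt to contact port 80 on anything" is an anomaly, because only a known set of management protocols should ever exist there) is a positive allow-list, which is what makes it enforceable. The following is an added example, not the poster's system: a small monitor that takes constructed flow records, checks each against an assumed allow-list of management services (SSH, SNMP, SNMP traps, syslog, NTP) and an assumed control-plane prefix, and returns the lock-down decision together with the offending flows.

```python
"""Control-plane allow-list monitor (added example).

Flow records, the control-plane prefix and the allowed service list are all
constructed assumptions; a real deployment would feed this from NetFlow,
sFlow or span-port captures.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed services that legitimately exist on the control plane.
ALLOWED = {
    ("tcp", 22),    # SSH to switches/routers
    ("udp", 161),   # SNMP polling
    ("udp", 162),   # SNMP traps
    ("udp", 514),   # syslog to the recorders
    ("udp", 123),   # NTP
}
MGMT_NET = "10.255."  # constructed control-plane address prefix


def parse_flow(line):
    """Parse 'src=A dst=B proto=P dport=N' (constructed record format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"],
                fields["proto"].lower(), int(fields["dport"]))


def classify(flow):
    """Return None when the flow is expected, otherwise a reason string."""
    if not (flow.src.startswith(MGMT_NET) and flow.dst.startswith(MGMT_NET)):
        return "address outside control plane"
    if (flow.proto, flow.dport) not in ALLOWED:
        return "unexpected service %s/%d" % (flow.proto, flow.dport)
    return None


def evaluate(lines):
    """Return (lockdown, anomalies).  Any single anomaly triggers lock-down,
    matching the post's 'shut down on any anomaly' policy."""
    anomalies = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            anomalies.append((flow, reason))
    return (len(anomalies) > 0, anomalies)


# Constructed sample: two normal flows, one web attempt, one leak off-net.
SAMPLE = """\
src=10.255.0.5 dst=10.255.1.1 proto=tcp dport=22
src=10.255.0.5 dst=10.255.1.1 proto=udp dport=161
src=10.255.0.9 dst=10.255.1.1 proto=tcp dport=80
src=10.255.0.5 dst=192.0.2.7 proto=udp dport=514
"""

if __name__ == "__main__":
    lockdown, found = evaluate(SAMPLE.splitlines())
    print("lockdown:", lockdown)
    for flow, reason in found:
        print(" ", flow, "->", reason)
```

Note the order of the two checks: an address outside the management prefix is reported before the port is even considered, because traffic leaving the control plane is a containment failure whatever service it carries.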
Let's go a little further than that:
MAC addresses are not a secure authentication method. It's like asking someone's last name.
Let's say I'm joe blackhat with a laptop:
If you automate it, we're talking a matter of SECONDS here.
Security of this type is a total joke. There are right ways to protect a network and this is not one of them.
Life is too short to proofread.
Actually, 802.1X (on wired Ethernet) can be attacked - read this. Yes, it is on Microsoft.com, but nothing in the article is specific to Microsoft technologies.
Now, this is definitely a deliberate attack (not an innocuous vendor just plugging in their laptop to check their email) but it is possible.
(You insert a hub between a legit computer and a legit switch port. You connect your attacking computer to the same hub, configure your attacking computer to have the same MAC, wait for the legit computer to authenticate which opens the switch port and off you go, subject to some caveats as mentioned in the article.)
They recommend IPSec as it authenticates each packet. 802.1X on wireless is not subject to the same issues because there is a session that is maintained between the AP and the client.
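The distinction the article draws, that 802.1X authorizes a port once while IPsec authenticates every packet, is the whole point of its recommendation. The following is an added example, not code from the article or the poster, that models just that distinction: a port that forwards everything once a supplicant has authenticated, beside a receiver that accepts a frame only if it carries an integrity tag computed with the session key. Two hosts with the same MAC on the same port (the hub situation described above) are indistinguishable to the first and cleanly separated by the second. The frame format, key and MACs are constructed.

```python
"""Per-port authorization versus per-packet authentication (added example).

A minimal model, not an 802.1X or IPsec implementation: the frame layout,
session key and addresses are constructed for illustration.
"""
import hashlib
import hmac
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac payload tag")


class PortAuthSwitch:
    """802.1X-style access port: unauthorized until an EAP success, then
    every frame arriving on the wire is forwarded.  The switch never
    re-checks, per frame, who actually sent it."""

    def __init__(self):
        self.authorized = False

    def eap_success(self):
        self.authorized = True

    def forward(self, frame):
        return self.authorized


class PerPacketAuthHost:
    """IPsec-style receiver: each packet must carry an integrity tag made with
    a key only the authenticated peer holds; anything else is dropped, no
    matter what source MAC it shows or whether the port is 'open'."""

    def __init__(self, session_key):
        self.key = session_key

    def accept(self, frame):
        if frame.tag is None:
            return False
        expected = hmac.new(self.key, frame.src_mac.encode() + frame.payload,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, frame.tag)


def make_frame(src_mac, payload, key=None):
    """Build a frame; with a key it carries a valid per-packet tag."""
    tag = None
    if key is not None:
        tag = hmac.new(key, src_mac.encode() + payload, hashlib.sha256).digest()
    return Frame(src_mac, payload, tag)


def simulate():
    """Two hosts share one port and one MAC; only the first holds the session
    key.  Returns, per scheme, (keyed host accepted, unkeyed host accepted)."""
    key = b"constructed-session-key"
    switch = PortAuthSwitch()
    switch.eap_success()            # the legitimate supplicant authenticated
    receiver = PerPacketAuthHost(key)

    keyed = make_frame("00:11:22:33:44:55", b"hello", key)
    unkeyed = make_frame("00:11:22:33:44:55", b"hello")  # same MAC, no key
    return {
        "port_auth": (switch.forward(keyed), switch.forward(unkeyed)),
        "per_packet": (receiver.accept(keyed), receiver.accept(unkeyed)),
    }


if __name__ == "__main__":
    for scheme, result in simulate().items():
        print("%-10s keyed=%s unkeyed=%s" % (scheme, *result))
```

The model also shows why the wireless case differs, as the post notes: there the per-session keys derived during 802.1X are used to protect each frame, so the "open port" state never exists on its own.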
So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do. You, sir (or madam), are an asshole.
You make some valid points (although I think I disagree that port management is a reasonable solution if there are serious usability tradeoffs) but I think you've gone a bit too far with the above. In large organizations such as the user is describing, it is often the case that the stated mission of a particular department does not actually have anything to do with the real goals of the people working there. I've seen my share of IT department projects that have nothing to do with meeting the goals of the company or serving the end users efficiently, but are designed solely to increase body count, keep the department budget high, or demonstrate importance. I've seen them with even more counterproductive goals as well, like "make sure our infrastructure doesn't support Macs any longer so we can expand our control into the marketing department that is administering themselves right now."
Further, your name calling is simply counterproductive. Are you sure you're not transferring your anger at someone where you work to the previous poster? He was right to say that the goal of the IT department "should be" to facilitate others getting work done. In truth, in many cases he is right.