How Do You Handle Ethernet Port Management?
MTL-Stalker asks: "I am currently investigating the best way to handle Ethernet port management for an organization with over 75,000 Ethernet ports spread out over 700+ sites. I was wondering how members of the Slashdot community are handling this issue in their organizations? Obviously this is as much a business process issue as a technological solution. In today's threat-filled networks, it seems like asking for trouble to rely on a simple switch-based 'port enabled/port disabled' methodology. Do you think Cisco-style port security (tying a MAC address to a particular port) or PACLs (port access control lists) are worth the effort? Are products like Cisco Campus Manager or HP OpenView worth the cost and deployment headaches? Do they address your security concerns? How many of you are using homegrown scripting and/or SNMP solutions? How many ports can you effectively manage with these solutions? I would also be interested in knowing what industries these solutions are being implemented in."
The OP is talking about physical Ethernet ports, not about TCP or UDP ports.
This way you could tie particular users to their VLANs, not the machines to the ports, which can be quite annoying when a user wants to change his/her desk.
802.1x should be combined with some decent endpoint security solution
(see recent Gartner reports on this)
HTH
Marcin
-- echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768
I've always had good luck with not necessarily tying a MAC to a port, but rather a list of approved MACs. MAC not approved gets automatically shunted to an isolated VLAN. If they bring up a browser all they see is a "welcome guest, call IT" screen. Both Cisco and HP switches can do this.
Learning HOW to think is more important than learning WHAT to think.
The internet: Homework Help for both teenagers and network administrations :)
Given how easy it is to change your mac address, (I can do this at will on my ethernet AND wireless) I would hope no serious security system relied entirely on that one factor. We have to assume the serious criminals have all the easy angles covered.
I work for the Department of Redundancy Department.
I would suggest using a RADIUS login to manage user access.
Since RADIUS was originally designed for ISPs managing users, it is good at dealing with hostile clients and other riffraff, as long as you are on a switched network.
Snowden and Manning are heroes.
One port at a time! The best part is that you don't need to be an MCSE tech to figure that one out.
I'm not exactly in charge of any large area networks, so I'm probably just ignorant, but why would you want to limit physical Ethernet access to begin with? All your actual services are properly authenticated, aren't they? Is it for DoS prevention or proactive security or something completely else?
When considering how to secure the ports, I think you have to find the balance between security and functionality. If you lock down each MAC to a specific port, how much time will you spend managing it? Whenever there is a connectivity problem, will you have to fight with the other groups assuring them that it isn't the network?
As a final thought, you generally get out of a network management system what you put into it. With a network as large as yours, there isn't a silver bullet to fix all of your problems. Whether you customize, roll your own or use vanilla off the shelf software, you need to figure out what makes the most sense for your business. Good luck. It sounds like you need it.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
With big jobs you have no choice but to use some highly specialized tools. It sounds like the Testum Network Management Tool would be useful.
It'll help you figure things out a lot easier. It also does a lot of other nifty things that could become useful when you need to expand the network.
... and in the DRM, bind them.
Well, that's the truth for our organization. You don't want to know how we do it. What you should look at for that scale is probably dynamic VLANs. Cisco has good solutions; I'm sure you can find vendor-neutral ones as well, but I'm the kind of guy who will push a Cisco solution in general. At any rate, the basic idea is that when something gets connected, its MAC is checked and then a VLAN is assigned to the port based on it. So no matter where a computer is connected, it's in the same area, network- and security-wise. This also means that unauthorized computers can be put in a nothing VLAN with no access.
It's not a magic bullet security-wise, but it really makes management easy. You want all your engineers in a given VLAN? Just assign their MACs to it. Then if one goes to a new office and nobody tells you, it doesn't matter; the hardware takes care of it for you.
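The approved-MAC / dynamic-VLAN scheme this post describes (and the earlier comment about shunting unapproved MACs into an isolated "call IT" VLAN), as an added Python example. It is not code from the thread, from Cisco or from HP: the approved-MAC table, group names, VLAN ids and quarantine VLAN number are constructed assumptions, and a real deployment would hold that table in RADIUS or an asset database rather than in a dict. The part worth copying is the MAC normalization, since switches, DHCP servers and humans write the same address three different ways and a homegrown lookup that compares raw strings silently quarantines valid hosts. As another poster notes, a MAC can be changed at will, so treat this as a management layer, not as authentication.

```python
import re

# Constructed sample policy (hypothetical MACs, groups and VLAN ids): the central
# "approved MACs" table that the post describes, keyed by normalized MAC.
APPROVED_MACS = {
    "00:11:22:33:44:55": "engineering",
    "00:11:22:aa:bb:cc": "engineering",
    "00:de:ad:be:ef:01": "finance",
}
VLAN_IDS = {"engineering": 10, "finance": 20}
QUARANTINE_VLAN = 999  # the "nothing" VLAN: no access beyond a "call IT" page


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex
    and return the lowercase colon form, so lookups do not depend on notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (raw,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(raw_mac):
    """Return (vlan_id, reason) for a MAC seen on a port. Unknown or malformed
    addresses land in the quarantine VLAN rather than on the data VLAN."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return QUARANTINE_VLAN, "malformed"
    group = APPROVED_MACS.get(mac)
    if group is None:
        return QUARANTINE_VLAN, "unknown"
    return VLAN_IDS[group], group


def process_link_ups(events):
    """events: iterable of (port, raw_mac) pairs as a switch would report them
    on link-up. Returns {port: (vlan_id, reason)}. A port that shows more than
    one MAC is quarantined as well: on an access port that usually means an
    unmanaged hub or a daisy-chained switch, which the policy cannot vouch for."""
    seen = {}
    for port, raw_mac in events:
        seen.setdefault(port, []).append(raw_mac)
    decisions = {}
    for port, macs in seen.items():
        if len(macs) > 1:
            decisions[port] = (QUARANTINE_VLAN, "multiple-macs")
        else:
            decisions[port] = assign_vlan(macs[0])
    return decisions


if __name__ == "__main__":
    sample = [  # constructed link-up events in three MAC notations
        ("Gi1/0/1", "0011.2233.4455"),
        ("Gi1/0/2", "00-DE-AD-BE-EF-01"),
        ("Gi1/0/3", "66:77:88:99:aa:bb"),
        ("Gi1/0/4", "0011.22aa.bbcc"),
        ("Gi1/0/4", "0011.2233.4455"),
    ]
    for port, (vlan, why) in sorted(process_link_ups(sample).items()):
        print("%-8s -> VLAN %-4d (%s)" % (port, vlan, why))
```

Everything that is not explicitly approved ends up in VLAN 999, which is the property the post relies on: the default is "no access", and moving a desk changes nothing because the decision keys on the MAC, not the port.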
Luckily I haven't run into any clients that have gone to port-level security, but I'm curious how well I'd be supported by those that have already set up such a system. For those that have already done this, how well do you support consultants and vendors that show up with their own laptops preloaded with all their own tools who need access to important servers? Do we have to wait for a network login (likely a domain account) and install some kind of app? What about the ones whose PCs are configured for another company's network and cannot be changed (e.g. we don't have Admin on our own laptop), or if we show up running Linux? Myself, I have root, but it's on Linux. So, being independent, I'm wondering if I should include a clause in my contract to cover environments that lock me out.
I don't get it. Your dad does this to your house?
+++ATH0
Well, first thing you want to have are good site network layouts in a CAD program, preferably done in scale. Do not worry about every single wire (it is nice though at least for the pulls from the floor to the closet's patch panels) but get the major items, devices, and closet feeds.
As for what connects where, well, that needs to be part of your asset management system to be really effective. Some type of database which contains records for each class of object (like computers, servers, switches, routers, etc.), which also has fields for location and network port connectivity. Obviously you would want a relational-style database, with one-to-many relationships for network connectivity since you may have multiple network interfaces on different devices. Now the hard part: actually making this part of your processes. You need to have this updated, and really the best way is to make sure that people have to go through the process in order to get on the network. What this means is that you absolutely must use something like "port security". If regular people can move a system from one location to another and just disconnect one device and connect this one and it works, you will never be able to keep any tracking/management system up-to-date. It will be up-to-date for a whole 5 minutes after you do an inventory of that cube/office/location before someone somewhere decides that they are taking over the room down the hall because it is closer to the window, or is next to the exit...
I can't state that enough, you need to FORCE EVERYONE TO USE THE SYSTEM. If one person doesn't use it, then everything he/she does will be under the radar and not detected which makes having such a system pointless because it doesn't contain valid data, and you might as well have done "/dev/random > my_network_layout".
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
They are all on VLAN 1 aren't they?
My choices here were to mod you down, or to reply. I'm choosing the high road, I think.
Your suggestion has merit--turn on the damned ports, let people plug in, and get work done. Lower admin overhead, faster response for the end user, and everyone can get on with their work.
However, you seem to have an attitude problem, and I suspect it takes three days to get you on the network because nobody really gives a shit if they get around to doing your bidding. Doing work for people who believe they know your job better than you do is about as much fun as slicing open veins, and rather less satisfying. MAC address-based port connections may not be the perfect security solution, but they are one powerful layer in a multi-tiered environment, and they're absolutely not a toy. Consider: People bring personal laptops to work, plug in to the LAN, and a virus spreads because the primary virus scanners are at the perimeter firewall. The ENTIRE FUCKING COMPANY is now down for between six and 72 hours. Oh, but that's OK because you didn't have to submit your laptop for scanning, and could start working immediately. Clearly your work is more important than anyone else's in the whole company.
Here's another scenario: A company has a mixed user environment of PCs and Unix workstations. We can declare that every port is enabled, but what ports are enabled on which network? What if the networks are split by division?
Contrary to what your fantasy world might suggest, IT is NOT there to block your progress! They want to get things up and running as fast as possible, and with as little overhead for themselves as feasible. Opening all ports in a moderately large company is neither feasible nor intelligent.
I think that you pretty much defined yourself as a legitimate troll (note: Not your post, but YOU) with this comment:
"I am so tired of the IT group doing huge make-work projects in the name of security/scalability/Enterprise/CRM/blah blah blah. What a bunch of crap. You know us users out here... We really do have work to get done."
So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do.
You, sir (or madam), are an asshole. I predict for you a long and frustrating career of nobody doing what you want, just for the sake of pissing you off. Good riddance.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Actually, 802.1X (on wired ethernet) can be attacked - read this. Yes, it is on Microsoft.com, but nothing in the article is specific to Microsoft technologies.
Now, this is definitely a deliberate attack (not an innocuous vendor just plugging in their laptop to check their email) but it is possible.
(You insert a hub between a legit computer and a legit switch port. You connect your attacking computer to the same hub, configure your attacking computer to have the same MAC, wait for the legit computer to authenticate which opens the switch port and off you go, subject to some caveats as mentioned in the article.)
They recommend IPSec as it authenticates each packet. 802.1X on wireless is not subject to the same issues because there is a session that is maintained between the AP and the client.
1) Visually inspect one known-good piece of equipment. At my organization, for reasons which are beyond me, they're printed on every laptop (along with my username and static IP address). They're also frequently printed on the physical network card. So if a computer is in a physically non-secure location (guest-accessible computer, laptop stolen, laptop taken in for repairs by Geek Squad instead of IT, laptop taken home, etc etc), that's a vulnerability.
2) Socially engineer a wireless MAC address. Go to any location frequented by the workers at your target institution -- say, the cafe across the street during lunch hour. Open a wireless hotspot with a name like "Roadkill Cafe Wireless Network" and don't require any sort of authentication. Take MAC addresses off the logs, then return to the target institution and try until you find one that works. (Hopefully they don't have their wireless addresses and their wired addresses be the same... but I've seen it done before, by lazy IT types).
3) Call and ask somebody. "*ring ring* Hiya, Suzy, this is Bob in IT. We're having some problem with the router covering your workgroup. Have you noticed any problems? No? That's great. We put through some fixes on our end and I need to be sure that they took. Could you please hit your Windows key and R at the same time? Type in command, hit enter. See a big black box? Type in "getmac". Yeah, I know, it's funny to say Get Mac on a Windows machine, those quirky programmers, what can I say. OK, could you read me the group of numbers and letters with the dashes in them that you see on the first line? OK, that's what I'm showing on this end too. Thanks Suzy, you're all set. If you have any problems you know who to call."
4) Sniff it out of the air (again with the wireless vulnerabilities).
5) If you can compromise any machine on the network "arp -a " gets you the MAC address of anybody you can see. I'm fairly certain you can accomplish this via ActiveX control (a quick Google found one), and also fairly certain you can not do it by Java applet.
Obviously, these are intended to tell you what you need to look out for securing your network, not for breaking into someone else's. Now if you'll excuse me I have to explain to a boss why the whole "MAC address printed on the laptop" is unwise.
Help poke pirates in the eyepatch, arr.
Clearly spoken by someone who has never had to work until 3am cleaning up a network that has been infected by some idiot salesman who thought bringing his personal laptop in from home was a good idea. Obviously anti-virus software goes a long way... but in sudden outbreaks like Nimda, SQL Slammer, and friends, day-zero exploits have to be stopped at the access level, and that is only possible when reasonable access control is present along with solid use policies that folks actually adhere to. Sorry if you consider that "inconvenient"... but until YOU actually are the one who has to clean up the messes, I'd keep your holier-than-IT attitudes to yourself. Just a random thought...
You might want to check out ONA - Open Network Administrator from Bruce Campbell at U of Waterloo. And his paper from the LISA 2005 conference.
http://ona.uwaterloo.ca/
Use epoxy. Just mix the two compounds and fill in unused ports.
Great security-wise, but kinda limits future expansion.
There are no atheists when recovering from tape backup.
I just recently stopped working for a government agency and I was responsible for managing port security on about 6000 ports. Our current end-game solution is to use 802.1x; however, due to certain regulations, our agency couldn't operate a CA, so we couldn't feasibly request a new certificate for each host every time one completes an accreditation process. But we were implementing everything else until we could get there.
:)
Our short-term solution is to stand up a RADIUS server and use it for port-security. This isn't quite as good as 802.1x, but provides the same level of scalability without going as much in-depth. You basically have your switches (assuming they have this ability) check the RADIUS server for allowed MACs. This works the same as the MAC ACLs, but is centrally managed. We haven't gotten that far yet either, as we didn't have a RADIUS server. (more stupid regulations that make that a headache)
So, the current process is to manually change the MAC address on each port on each switch. We initially turn on port-security on the switches, and for the newer ones (Cisco 3550/3560/3750), once we determine that all the users are on that need to be on, we drop all other ports into a dead-end VLAN that has no access. The remaining ports we drop into our data VLAN (we also have dedicated VLANs for voice, wireless, video, and infrastructure management). Once we've established that, we secure the MACs to the ports. All port security violations are logged to a syslog server and the switches are set to restrict access. This prevents the useless work of re-opening ports when some user decides to plug in their home machine to download the latest Linux ISOs or torrents. For further changes (i.e. when a new machine gets put on the network), a call is made to the helpdesk which routes the ticket to the networking team (that's me) and I unlock the port. We then have to notify the security team, which scans the machine for vulnerabilities and applies patches as needed. After that, it is managed by WSUS and SMS.
Now this sounds very tedious, but it isn't that difficult to manage. For the last 2 months, I managed all port security by myself, as well as down network links, some remote office firewalls, and new switch installs. Port security helpdesk tickets were typically closed within 2 hours of the request (assuming the helpdesk tells me about them). As a bonus, and because I'm lazy, I wrote some scripts for WSH that will connect to a switch, get a listing of all port-security information, compare it to DHCP leases on Windows servers, and output a table that shows which host is on which port. I also expanded this for use on WAN links where it will recursively access all switches at a site, stopping when it reaches a router and display the same information on a per-switch basis. A pretty handy report. Useful for telling you which hosts aren't using DHCP (so you can ensure they belong there). The only real requirements for this to work are that the switches use CDP on infrastructure links and they support ssh. You also have to have a CLI ssh client that supports putting the password on the command line (or certificate based auth if you can set that up, I don't think Cisco devices support it, although I think kerberos works
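The report this poster describes, a port-security table joined to DHCP leases so you can see which host sits on which port and which hosts are not using DHCP, extended with a count of the restrict-mode violations that the post sends to syslog, as an added Python example. It is not the poster's WSH script and does not log in to any switch. The command output, lease records and syslog lines below are constructed, laid out in the general shape of Cisco's `show port-security address` table and its PORT_SECURITY violation message; the hostnames, addresses, ports and switch name are hypothetical. A real run would feed it captured command output and a lease export in place of the inline strings.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not captures from a real device), in the general
# shape of Cisco IOS 'show port-security address' output.
PORT_SECURITY_OUTPUT = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureConfigured              Gi1/0/1        -
  10    0011.22aa.bbcc    SecureSticky                  Gi1/0/2        -
  10    00de.adbe.ef01    SecureConfigured              Gi1/0/3        -
"""

DHCP_LEASES = [  # constructed lease export; the host on Gi1/0/3 has none
    {"mac": "00:11:22:33:44:55", "ip": "10.0.10.21", "hostname": "ENG-WS-021"},
    {"mac": "00:11:22:aa:bb:cc", "ip": "10.0.10.22", "hostname": "ENG-WS-022"},
]

SYSLOG_LINES = [  # constructed, modelled on the IOS PORT_SECURITY message
    "Mar 14 09:02:11 sw-site7-01 123: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 6677.8899.aabb on port GigabitEthernet1/0/3.",
    "Mar 14 09:02:40 sw-site7-01 124: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 6677.8899.aabb on port GigabitEthernet1/0/3.",
    "Mar 14 09:15:02 sw-site7-01 125: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

_SECURE_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)")
_VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*caused by MAC address (\S+) on port (\S+)\.")


def normalize_mac(raw):
    """Switch (dotted) and DHCP (colon) notations differ; compare one form."""
    h = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(h) != 12:
        raise ValueError("not a MAC address: %r" % (raw,))
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def short_port(name):
    """Syslog spells interfaces out; the table abbreviates. Use the short form."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa")):
        name = name.replace(long, short)
    return name


def parse_secure_table(text):
    """Return {port: [(mac, vlan, type), ...]} from the port-security table."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = _SECURE_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            by_port[port].append((normalize_mac(mac), int(vlan), kind))
    return dict(by_port)


def parse_violations(lines):
    """Return {port: {offending_mac: count}} from restrict-mode syslog lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _VIOLATION.search(line)
        if m:
            mac, port = m.groups()
            counts[short_port(port)][normalize_mac(mac)] += 1
    return {p: dict(v) for p, v in counts.items()}


def build_report(secure_text, leases, syslog_lines):
    """One row per secured MAC: port, VLAN, DHCP identity (if any), violations.
    A row with dhcp=False is a static or unknown host to verify belongs there."""
    leases_by_mac = {normalize_mac(l["mac"]): l for l in leases}
    secure = parse_secure_table(secure_text)
    violations = parse_violations(syslog_lines)
    report = []
    for port in sorted(set(secure) | set(violations)):
        rows = secure.get(port) or [(None, None, None)]  # violations on an unsecured port
        for mac, vlan, kind in rows:
            lease = leases_by_mac.get(mac)
            report.append({
                "port": port, "vlan": vlan, "mac": mac, "type": kind,
                "hostname": lease["hostname"] if lease else None,
                "ip": lease["ip"] if lease else None,
                "dhcp": lease is not None,
                "violations": sum(violations.get(port, {}).values()),
            })
    return report


def non_dhcp_hosts(report):
    """The poster's use case: secured MACs with no lease, i.e. not using DHCP."""
    return [(r["port"], r["mac"]) for r in report if r["mac"] and not r["dhcp"]]


if __name__ == "__main__":
    rows = build_report(PORT_SECURITY_OUTPUT, DHCP_LEASES, SYSLOG_LINES)
    print("%-8s %-5s %-18s %-12s %-12s %s" % ("port", "vlan", "mac", "hostname", "ip", "viol"))
    for r in rows:
        print("%-8s %-5s %-18s %-12s %-12s %d" % (r["port"], r["vlan"], r["mac"],
                                                  r["hostname"] or "-", r["ip"] or "-",
                                                  r["violations"]))
    print("not on DHCP:", non_dhcp_hosts(rows))
```

Joining on the normalized MAC is what makes the three sources line up; the per-port violation count is the cheap signal that someone is plugging an unapproved machine into a secured port, which in restrict mode the switch blocks but would otherwise only show up buried in syslog.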
So you have real work to do, but they are a bunch of slackers inventing work because they have nothing better to do. You, sir (or madam), are an asshole.
You make some valid points (although I think I disagree that port management is a reasonable solution if there are serious usability tradeoffs), but I think you've gone a bit too far with the above. In large organizations such as the user is describing, it is often the case that the stated mission of a particular department does not actually have anything to do with the real goals of the people working there. I've seen my share of IT department projects that have nothing to do with meeting the goals of the company or serving the end users efficiently, but are designed solely to increase body count, keep the department budget high, or demonstrate importance. I've seen them with even more counterproductive goals as well, like "make sure our infrastructure doesn't support Macs any longer so we can expand our control into the marketing department that is administering themselves right now."
Further, your name calling is simply counterproductive. Are you sure you're not transferring your anger at someone where you work to the previous poster? He was right to say that the goal of the IT department "should be" to facilitate others getting work done. In truth, in many cases he is right.