For or Against: Port Security for Network Access Control
I had an interesting discussion tonight with fellow handler Manuel on the pros and cons of port security as it relates to Network Access Control. I thought it would be interesting to see where others in the security field stand on the issue. Is it worth the effort or not? Is it a valuable tool in Defense in Depth? Here are some of the For and Against arguments we discussed:
For Arguments:
- Stops others from plugging into your infrastructure at will; they would have to hunt for a port that has not been configured correctly
- Logs can be audited to determine whether unused ports are turned on or off
- Alerts you more quickly to rogue devices being plugged into your infrastructure
- Not a perfect solution, but it should be part of your defense in depth; it is not meant to be a "stand alone" solution
Against Arguments:
- If you spoof the MAC address of an authorized host, you are in
- The insider/outsider threat is significant, since physical access to equipment is not well controlled in many organizations
- You have to account for failover scenarios (a host, or its MAC address, legitimately moving to another port) or you can DoS yourself
- It is hard to manage a large number of switch ports and ensure they are configured correctly at all times
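The management and failover objections are easiest to reason about against an actual configuration. The following is an added example, not part of the original diary or its discussion: a small Python audit that parses a Cisco IOS-style running-config and reports access ports with no port-security at all, ports that permit more secure MAC addresses than policy allows, ports that rely only on dynamically learned addresses, and ports whose violation mode is shutdown without errdisable recovery for psecure-violation, the combination that turns a violation or a failover into a self-inflicted outage. The sample configuration is constructed, with invented interface names, VLANs and descriptions, and the policy limit of three MACs per port is an assumption.

```python
"""Audit a Cisco IOS-style switch configuration for port-security coverage.

Added example, not from the diary. The sample configuration below is
constructed for illustration; interface names, VLANs and descriptions are
invented. MAX_SECURE_MACS is an assumed policy value (PC plus IP phone plus
one spare), not an IOS default.
"""
import re
from dataclasses import dataclass, field

MAX_SECURE_MACS = 3

# Constructed sample: deliberately missing the global errdisable recovery line.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description Finance workstation
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 description Printer (port-security never enabled)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Conference room
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 shutdown
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces.append(current)
        elif line.startswith(" ") and current is not None:
            current.lines.append(line.strip())      # indented: belongs to the stanza
        else:
            current = None                          # "!" or a global command ends it
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit_config(config, max_allowed=MAX_SECURE_MACS):
    """Return (interface, finding) pairs for every access port that weakens the control."""
    global_lines, interfaces = parse_interfaces(config)
    recovery = "errdisable recovery cause psecure-violation" in global_lines
    findings = []
    for intf in interfaces:
        cfg = intf.lines
        if "shutdown" in cfg or "switchport mode trunk" in cfg:
            continue                                # unused (kept down) or uplink: out of scope
        if "switchport port-security" not in cfg:
            findings.append((intf.name, "port-security not enabled"))
            continue
        maximum, violation = 1, "shutdown"          # IOS defaults when not configured
        for line in cfg:
            m = re.match(r"switchport port-security maximum (\d+)$", line)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\w+)$", line)
            if m:
                violation = m.group(1)
        if maximum > max_allowed:
            findings.append((intf.name, f"maximum {maximum} secure MACs exceeds policy of {max_allowed}"))
        if not any(l.startswith("switchport port-security mac-address") for l in cfg):
            findings.append((intf.name, "no sticky or static MAC: learned addresses are lost on reload"))
        if violation == "shutdown" and not recovery:
            findings.append((intf.name, "violation shutdown without errdisable recovery: "
                                        "one violation leaves the port down until an operator intervenes"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_config(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against a real "show running-config" capture, the same parser works unchanged; the trunk and shutdown exclusions are what keep the report short enough to act on across a large estate, which is the scale at which manual review breaks down.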
So, is port security worth the effort, or do many of you find it too time consuming for benefits that are not that great? If you are using it and have tips for a successful implementation, please share them so others can benefit. It is Cyber Security Awareness Month and this would be a good opportunity to help educate each other on issues you have encountered with port security or how it has helped protect your organization.
Comments
Anonymous
Oct 13th 2014
If you're in a situation where you're facing "a large number of switch ports", you should also have the budget for centralized management solutions like Cisco Works or similar, which allow for automated baseline configuration audits.
Anonymous
Oct 13th 2014
In my prior job in the military, port-security helped identify and track down rogue PCs and network devices not authorized to be on the network. This provides undeniable proof, via MAC address, that a PC was connected or attempted to connect to that port. This helps greatly when users try to bring their personal PCs into the office thinking that they can just connect to the network. Many computers and networks are compromised by users unknowingly opening a back door, such as an infected PC connecting to a trusted network.
While port-security does have its complexities and management overhead, there is definitely the need for it. Security/Network Engineers get paid to be safe and protect the network, not to make their job easier.
Ken
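The tracking described in the comment above comes down to reading the switch's violation messages. Below is an added example, not part of the diary or of the comment: a Python script that parses port-security syslog messages, normalizes the IOS dotted MAC format, checks each address against an asset inventory, and flags a MAC that trips violations on more than one port. The log lines and inventory are constructed, modelled on the IOS %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages; the hostnames, ports and addresses are invented. Keep the diary's own caveat in mind when reading the output: the alert identifies a MAC address, and a spoofed address will match the inventory.

```python
"""Turn Cisco IOS port-security syslog messages into rogue-device alerts.

Added example, not part of the diary or its comments. SAMPLE_LOGS and
INVENTORY are constructed; in practice the logs come from a syslog collector
and the inventory from the CMDB or NAC system.
"""
import re
from collections import Counter

SAMPLE_LOGS = """\
Oct 13 09:14:02 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/3.
Oct 13 09:14:02 sw-floor2 %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
Oct 13 09:20:45 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port GigabitEthernet1/0/7.
Oct 13 11:02:10 sw-floor3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/15.
Oct 13 11:03:30 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/15, changed state to down
"""

# Constructed inventory: MAC (colon form) -> asset name.
INVENTORY = {
    "00:aa:bb:cc:dd:01": "printer-finance-2",
}

VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<switch>\S+) "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address (?P<mac>[0-9a-fA-F.]+) "
    r"on port (?P<port>\S+?)\.?$"
)


def normalize_mac(mac):
    """Convert IOS dotted form (0011.2233.4455) to colon form (00:11:22:33:44:55)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_violations(log_text):
    """Extract timestamp, switch, port and MAC from each violation message; ignore other lines."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "switch": m["switch"],
                           "port": m["port"], "mac": normalize_mac(m["mac"])})
    return events


def classify(events, inventory):
    """Rate each violation: unknown MAC is high, known asset on an unexpected port is medium."""
    ports_per_mac = Counter(e["mac"] for e in events)
    alerts = []
    for e in events:
        owner = inventory.get(e["mac"])
        if owner is None:
            severity, reason = "high", "MAC not in inventory (possible rogue device)"
        else:
            severity, reason = "medium", f"known asset {owner} on unexpected port"
        if ports_per_mac[e["mac"]] > 1:
            # The same address tripping several ports is either a device being
            # carried around or someone trying spoofed addresses against many ports.
            reason += f"; same MAC seen on {ports_per_mac[e['mac']]} ports"
        alerts.append({**e, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in classify(parse_violations(SAMPLE_LOGS), INVENTORY):
        print(f"{a['ts']} {a['severity']:6} {a['switch']} {a['port']} {a['mac']}: {a['reason']}")
```

The err-disable and link-down lines are intentionally left unparsed here; they matter for the self-DoS discussion (a shutdown-mode violation takes the port down), but the violation message is the one that carries the offending address.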
Anonymous
Oct 13th 2014
Anonymous
Oct 14th 2014