I am the lead network admin at our site. We have a fairly large LAN -- about 1700 workstations, 250 servers, 100 workgroup switches, etc.
We have disabled all unused switch ports, but still have occasional problems with users unplugging workstations and plugging in laptops. We haven't had any real security breaches (viruses, worms, etc.) - YET, but I realize we've been fortunate.
We are considering enabling port security on all the switches, but I have some concerns about the effort to implement and then maintain this architecture. Do you have any thoughts or advice?
QUESTION POSED ON: 12 JUL 2006
QUESTION ANSWERED BY: Mike Rothman
It all gets back to how much administration overhead you want to accept. By locking certain devices to certain ports, you complicate your moves, adds and changes process -- which may or may not be a bad thing. It will certainly require more management, but it also prevents the kind of issues you are describing.
There are overlay products that can plug into your switches (over a spanning port typically) and track "unknown" machines. These so-called pre-admission NAC devices provide a bit cleaner management, but do cost money and require that you manage another device.
As with everything else, it's a trade-off. Most folks just do nothing and hope that they can trust their internal employees to do the right thing and not use the corporate network for malicious intent.
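As an added example that is not part of the original question or answer, the following Cisco IOS configuration shows one way to lock devices to access ports while keeping the moves/adds/changes overhead the answer warns about manageable: sticky learning so nobody hand-enters 1700 MAC addresses, a "restrict" violation mode so an unauthorized laptop is dropped and logged without taking the legitimate workstation's port down, and errdisable auto-recovery for sites that prefer the default "shutdown" mode. The switch model, interface range, VLAN number and timer values are assumptions for illustration; the commands themselves are standard IOS port-security syntax, but check your platform's documentation before a rollout of this size.

```cisco
! Added example (not from the page): port-security baseline for workstation access ports.
! Assumptions: 48-port access switch, uplinks on Gi1/0/49-52 (trunks, left alone),
! one device per port, no IP phones daisy-chaining a PC behind them.
!
! Only matters if you pick "violation shutdown" below: let an errdisabled port
! recover by itself after 5 minutes instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 48
 description Workstation access port
 ! Port security requires an access port (it is refused on dynamic/trunk ports by default).
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Exactly one secure MAC per port; a second MAC is a violation.
 switchport port-security maximum 1
 ! Sticky: the first MAC seen is learned and written into running-config as a
 ! static entry, so no inventory has to be typed in. Save the config (write memory)
 ! after the learning window or the bindings are lost on reload.
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown MACs, count them, and raise a syslog/SNMP
 ! trap, but keep the port (and the legitimate workstation) up. The default,
 ! "shutdown", errdisables the whole port instead; "protect" drops silently with
 ! no log and is not recommended here because you would never see the rogue laptop.
 switchport port-security violation restrict
!
! Send the violation traps somewhere you will actually look.
snmp-server enable traps port-security
logging host 10.0.0.5
```

When a workstation is legitimately replaced, the sticky binding for that one port has to be cleared before the new machine will pass traffic, for example `clear port-security sticky interface GigabitEthernet1/0/12`; that single step is the recurring cost the answer describes, so build it into the move/add/change ticket. `show port-security` lists per-port counts and violation totals, `show port-security interface GigabitEthernet1/0/12` shows the learned address and last violation source on one port, and `show interfaces status err-disabled` finds ports tripped under shutdown mode.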