internal LAN port security/network security


We currently use NAC/VPN to protect our LAN from outside users coming in....we need a solution to protect the LAN from inside as well. We have an enterprise VoIP solution so port/MAC security is not an option for now. We want to protect against a person inside the LAN from disconnecting a PC then plugging in a laptop or WAP and getting an IP via DHCP...I am looking for solutions and ideas...best practice etc.

yjdabear Tue, 04/07/2009 - 07:15

Do the VoIP phones support 802.1x? Even if the IP phones don't, empirically speaking, one could still get the desired result via 802.1x MDA (Multi-Domain Authentication) such that only the PC is challenged by the authentication server, while the phone is not, with MAB (MAC Address Bypass). See this doc for all the options, in a Cisco-centric LAN:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf

Thanks for the quick response. We have mainly Avaya 9630 phones

802.1X support - forwarding and supplicant. The 9600 Series telephones support several modes of 802.1X operation that include supplicant operation for true authentication of the telephone, pass-through of 802.1X messages for authentication of an attached PC, and a multi-supplicant mode in which both the telephone and the PC can be authenticated.

I am mostly concerned about a vendor or anyone wanting to do harm unplugging an inside trusted PC and then getting a DHCP address and access to our inside network. We are looking at using the voice vlan command and mac address port security. I am reading through the document now. All the PCs hang off the VOIP phone.

Thanks
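Since the second post mentions combining the voice VLAN with MAC port security, and the original concern is a swapped-in device obtaining a DHCP lease, here is an added example (not from the thread) of how those two controls look on a Catalyst IOS switch: per-VLAN port-security limits on a phone-plus-PC port, and DHCP snooping so only the uplink may hand out addresses. Interface names and VLAN numbers are placeholders.

```cisco
! --- DHCP snooping: DHCP server replies are only accepted on trusted ports ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! do not insert option 82 unless the upstream DHCP server expects it
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description Uplink toward the DHCP server / distribution layer
 ip dhcp snooping trust
!
! --- Phone + PC access port with per-VLAN port security ---
interface GigabitEthernet1/0/1
 description Phone + PC, port security per VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! two MACs total on the port: one in the voice VLAN, one in the data VLAN
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security maximum 1 vlan access
 ! learn the first MAC seen in each VLAN and keep it in the running config
 switchport port-security mac-address sticky
 ! drop frames from any other MAC, raise a syslog/SNMP violation, keep the port up for the phone
 switchport port-security violation restrict
 ! cap DHCP client traffic from this port; a flood of DISCOVERs err-disables it
 ip dhcp snooping limit rate 10
```

With `violation restrict`, unplugging the PC and attaching a laptop with a different MAC leaves the phone working but the laptop's frames are dropped and a violation counter and log entry are generated, which is the event to alert on. `show port-security interface GigabitEthernet1/0/1` shows the learned addresses and violation count, and `show ip dhcp snooping binding` lists every lease the switch has seen, so an unexpected MAC obtaining an address is visible there even on ports where port security is not yet enabled.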
