Physical port security on Cisco switching

Unanswered Question
Jun 15th, 2009
User Badges:

We have a security problem I would like to resolve. Like most sites our wired network has live ports that periodically, non corporate PCs and laptops connect up to without our knowledge. In our network we do not filter for valid MAC addresses although Ive learned this is a poor approach to security as MAC can be changed in about 10 seconds.

I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in short term.

Is there a hardware or software or combination solution out there that works well for this ?


Thank you


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Mon, 06/15/2009 - 11:55
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Steve


2 solutions spring to mind


1) 802.1x authentication. Microsoft XP/Vista has built in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server although Microsoft IAS server also supports 802.1x.


Basically before a client is allowed access to the network they have to authenticate to the network with valid credentials otherwise the port is shutdown.


2) NAC - Network Admission Control. This goes one step further than 1) whereby the client is also checked to see if it conforms to company policy eg. does it have the right virus checker on it etc.. and if it doesn't the client can be quarantined.


A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.


Jon

Actions

This Discussion