
Thread: port security and Switch, unplugging a PC

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    140

    port security and Switch, unplugging a PC

    I have got a Cisco 2950 switch, and I have got a PC plugged into port 14.

    Can I configure the switch to prohibit the PC if it has been unplugged from port 14 and then plugged into the same port again?

    The reason for that is: if a user unplugs a PC from the intranet (internal network) and connects it to an internet port (on another switch), and then he/she wants to plug it back into the same port on the intranet (internal network), he/she will be denied.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    I am finding it a bit difficult to visualise your setup, and what activity you are actually trying to control.

    Also, how come that users have physical access to the switch? Even if you have to keep it in an open office environment, have you considered enclosing it in a locked steel box?


  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Also, how come that users have physical access to the switch? Even if you have to keep it in an open office environment, have you considered enclosing it in a locked steel box?
    They do not have physical access to the switch, but they do have physical access to the wall jack sockets, which connect to the switch ports.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Ah! I see, so you have two separate sockets.

    I don't know your hardware so I don't know if it is possible, I guess I would run them all through a server and use permissions to control internet access.

    Can you physically disable the internet sockets, or are you just concerned that someone connects to the net, infects their machine and then plugs into the LAN? Hard wiring would be a possible simple solution.

    Are the users supposed to be able to access the internet at all?

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If this were possible it would be entirely impractical. What's the difference between the user unplugging the network cable and them turning off their computer? Zero, as far as the switch is concerned. So whenever the user turns their computer on your system would DoS them... Actually, I'm beginning to like the idea...

    I can't think of a feasible way of doing this except perhaps a script that pings your gateway router, (outside the firewall), every 30 seconds or so. If it finds the gateway router then it should disable the NIC. That way you minimize the window of infection _and_ you will get a call from the user when the intranet isn't accessible to them... Which is ammunition in their dismissal...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Tiger~ thank God you have joined in. As you know this is not my area other than building it into projects and getting the description and costs into the proposals. Perhaps I should pay more attention to the techies, but when your objective is to keep the project meetings down to a reasonable duration, and keep the hours charged to your budget to a minimum...................

    I really think we need a bit more information on the actual system requirements and the perceived issues here?

    If it is a straight security thing, then I would have thought that you need two networks. A general network and a secure network. The users would have two workstations with two unique IDs, the general network machine could not connect to the secure network, and vice versa, and the secure network would be hard wired, and might even have a different connector?

    I would still consider a physical solution. Two metal devices with a hinge, hasp and lock, attached to the socket and the back of the PC, will stop them switching cables (a bit like the old pillory or stocks). Mess with that and you would be in BIG TROUBLE, as it would be undeniably, totally deliberate.

    Mind you, I am talking of environments where the Official Secrets Act took precedence over AUPs.

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I think I can see what you are saying – if a user connects the PC to another switch, say on a wireless AP that may not be behind the firewall, or if it's a laptop and they take it home, they will be able to download something, then connect it back to the original switch and run this freshly downloaded app??

    If this is what you are worried about, the best ways to stop it are to use a Group Policy to stop the user being able to install a program in the first place, and to tie the MAC address to the specific port on the switch – obviously you will have to do this with all ports on all switches, and this is not very practical in some/most cases.

    Good practice is to not have any unused wall sockets connected to a switch port in the first place, to prevent someone plugging anything into the network in this manner, and to shut down any unused ports on the switch – if the switch supports this.

  8. #8
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    This other switch port, or wall jack, that you don't want him to connect to should not be available. Why play cat and mouse? Disable or remove the offending jack, or put a surveillance camera there and watch if someone is playing with it.
    I came in to the world with nothing. I still have most of it.

  9. #9
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    if a user connects the PC to another switch, say on a wireless AP that may not be behind the firewall, or if it's a laptop and they take it home, they will be able to download something, then connect it back to the original switch and run this freshly downloaded app??
    Yes, exactly, this is what I am looking for.

    At work I have got, in a lab, 20 wall jack sockets for the internal network (let us call them internal sockets); one desktop is connected to each socket.

    There are an additional 3 sockets in the same lab to access the internet (let us call them internet sockets). These sockets are on a different switch.

    Sometimes a user unplugs the desktop from an internal socket and plugs the cable into an internet socket to access the net.

    They are not allowed to use their own PCs in the lab (i.e. they cannot use their laptops).

    Is there a way to deny the user from connecting the cable back to the original switch if he unplugged the cable from an internal socket (original switch) and plugged it into an internet socket?

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by zillah
    Yes, exactly, this is what I am looking for.

    At work I have got, in a lab, 20 wall jack sockets for the internal network (let us call them internal sockets); one desktop is connected to each socket.

    There are an additional 3 sockets in the same lab to access the internet (let us call them internet sockets). These sockets are on a different switch.

    Sometimes a user unplugs the desktop from an internal socket and plugs the cable into an internet socket to access the net.

    They are not allowed to use their own PCs in the lab (i.e. they cannot use their laptops).

    Is there a way to deny the user from connecting the cable back to the original switch if he unplugged the cable from an internal socket (original switch) and plugged it into an internet socket?
    Hey Hey,

    I'd suggest setting up port-based authentication... Specifically port security via MAC address with shutdown mode... Register the valid desktop MAC addresses with the switch, and if anything else is plugged in, that port will shut down, generate a syslog message, and the LED will indicate an error... You will then manually have to re-enable the port...

    Another, possibly better, solution would be to implement 802.1x... Set it up on the switch and then pre-authenticate each of the Desktop machines... They'll all work on the network but if another PC is plugged into one of the ports, it won't be authenticated and won't function... just ensure the users don't have access to the credentials... (which should be easy in a properly secured lab).

    Peace,
    HT
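    The port-security setup suggested in #10 (MAC address pinned to the port, violation mode shutdown), together with the shut-unused-ports advice from #7, written out as a Catalyst 2950 IOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes a 2950 running IOS 12.1(11)EA1 or later (needed for the "sticky" keyword), that the 20 lab desktops sit on FastEthernet0/1 through 0/20 and that 0/21 to 0/24 are spare; the interface numbers and the MAC address 0000.1111.2222 are constructed for illustration.

```cisco
! Assumed platform: Catalyst 2950, IOS 12.1(11)EA1 or later.
! Interface ranges and the MAC address below are constructed examples.

! 1. One MAC address per internal lab port, learned on first use ("sticky")
!    and written into the running-config; any other MAC err-disables the port.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
exit

! Alternative for one port when you prefer to pin the MAC by hand
! (0000.1111.2222 is a made-up address; use the desktop's real one).
interface FastEthernet0/14
 switchport port-security mac-address 0000.1111.2222
exit

! 2. Spare ports: administratively down so an unused wall jack is dead.
interface range FastEthernet0/21 - 24
 shutdown
exit

! 3. Optional: recover err-disabled ports automatically after 10 minutes
!    instead of a manual "shutdown" / "no shutdown" on each one.
errdisable recovery cause psecure-violation
errdisable recovery interval 600

! 4. Save, otherwise sticky addresses are lost on reload.
! (exec mode)  write memory
!
! Checks after a violation:
!   show port-security interface FastEthernet0/14
!   show port-security address
!   show interfaces status err-disabled
! Manual re-enable: interface FastEthernet0/14 / shutdown / no shutdown
```

    Two caveats a practitioner should keep in mind. First, as #5 notes, the switch cannot tell an unplugged cable from a powered-off PC, so this does not detect the desktop's trip to the internet socket; it only stops a different machine from using the internal port, and a MAC address is trivially changed on the PC, so 802.1X (which needs a RADIUS server and is not shown here) or physically removing the internet jacks, as #8 suggests, is the stronger control. Second, without "write memory" the sticky entries survive only until the next reload, after which the first MAC seen on each port is learned again.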
