Port Lockdown

Printable View

April 14th, 2003, 01:46 AM
tonybradley

Port Lockdown

A customer of mine has hundreds of sites, thousands of servers and tens of thousands of workstations/ desktops. There are policies and procedures and guidelines that dictate firewall policy to protect the perimeter, what services are or are not allowed, what antivirus software will be used, how often it will be updated and more.

We have a recoccuring problem with rogue systems being plugged into the network. These systems tend to be unpatched and unprotected- no antivirus software and open to well-known vulnerabilities. It usually takes about 5 minutes for one of these machines to get infected with Nimda or CodeRed or something else like that still flooding the Internet with infected traffic.

It tends to pose a minimal, but annoying problem because if our other systems are patched as they should be the threat can't really spread. But, inevitably we find other systems that somehow missed a patch or an update and the threat does spread, albeit slowly.

To prevent this, it occurred to me that *ALL* unused ports on *ALL* switches should be shut down. If we did that, any user who had to add a server or workstation to the network for any purpose would have to go to a network administrator to get the port activated giving us a single point of contact that we could use to screen the systems and ensure they are patched and protected before going on the live network.

Can anyone come up with alternate solutions or tell me why my solution won't work- either technically or logistically? It seems logical, but it seems too easy to be the "right" answer.
April 14th, 2003, 02:22 AM
s7master

Well there is a reason this wouldnt work, you would have to block outgoing ports and incoming wouldnt affect much if we are talking about transmission. For example, when your browser sends a request it sends the request from a port > 1024 and it is received on port 80 or 443 or whatever. If you blocked unused ports it would block all transmission. Well those are my thoughts, I may have misunderstood but good luck.
April 14th, 2003, 02:34 AM
phishphreek

Quote:

I may have misunderstood but good luck.

I think he is talking more about ports on a switch. Like with VLANs.

We have done something similar. I don't have really good switches so I couldn't do it via switch software. What I did, was pull any network cable from any port that wasn't being used. If I need to add a workstation, I reconnect the ethernet cable. If someone is really getting on my nerves... pull the ethernet cable and go to lunch... ;)

Seeing that you have so many clients... if you could do it via software, that would be much better.

I have a small network, so its not really a pain to just disconnect the cables to make the port inactive.

Too bad you can't just restrict it by MAC address... but it might be even more of a pain to find all the authorized MAC addresses... I came up with this idea when relating it to WLANs, or WAPs. You can restrict by MAC address... so not just anyone can connect to the network.

On second thought... all someone would need to bypass this is a hub or switch... VIOLA. One port becomes 5 or 8... ;)

Maybe authenticate somone against the MAC table in the switch? VLANs?
Just an idea... I'm still learning VLANs....
April 14th, 2003, 01:21 PM
Tiger Shark

Er, Tony..... Maybe I'm missing something but.........

If your client has strict rules regarding ACL's at the firewall how on earth are these rogue machines getting infected with code red/nimda.

It strikes me that port 80 traffic should be limited to those servers providing http service. If you are allowing port 80 in wholesale I would suggest that this is something you should stop. Big job I know but better that than free access to a whole network with the service that is most commonly attacked.

As for stopping the rogues being set up I think you will find that this is one of those problems that requires an administrative solution rather than a technical one.

RULE 1: Any person connecting computer resources to the network without the prior written permission of the IT Director or his designated deputy(s) will be subject to disciplinary action up to and including termination.

RULE 2: There is no rule 2.

RULE 3: Ignorance of the content or existence of rule 1 is not considered a valid excuse for not abiding by it.

There, that about covers it....... ;)
April 14th, 2003, 02:28 PM
d0ppelg@nger

tony.....what kind of switches are these? Cisco and I would think other's also allow you to do MAC based security on every port. You trun it on and the first system plugged into that port becomes the only system to be allowed to utilize that port. You can also specify the MAC's on each port if you wish. The command is something like this

CAT OS:
"set port security <mod or mod/port> (age/disable/enable/maximum/shutdown/violation/ <mac_addr>)"

IOS Based:
"interface fastethernet mod/port
switchport port-security (aging/mac-address/maximum/violation)"