port security and Switch, unplugging a PC

Hmmm,

As far as I know a "switch" is a pretty simple device for handling connections, and is not really a security tool. I would expect that the answer to your question is "no", as the switch is probably not sophisticated enough to spot the difference between a machine being logged off or just powered down. And connected to another switch, then reconnected.

I would say that you need servers to monitor and control this.

If your connection to the internet is NOT through a server, then you have a big security hole. I do not know what sort of logging you have on your intranet and internet at the moment. We would need that information to suggest a practical and cost effective solution.

I have some questions:

1. Which machines are actually ALLOWED to use the three (3) internet sockets?
2. Are they part of the twenty (20) in the laboratory?
3. Under what circumstances is internet connection allowed?

I am still attracted to a physical solution ;)

You can get small, lockable, metal boxes that mount on the wall.

They are meant to hold master keys or whatever, and you usually see them on the wall in the security guard's office?

Cut out the back, and attach them over the internet sockets. Then if anyone wants to use them, they have to come and ask, and sign for the key?

Please remember that there are two connections to a PC, so the wall socket can be bypassed by another cable from the machine.

Hey!, how about other vulnerabilities?

1. Do your machines allow 3.5" floppies?
2. Do your machines allow DC and DVD drives
3. Do your machines allow USB connections.

Please give us a bit more information on your situation and requirements.......we will try to suggest a security solution :)

HT already has posted the best security solution.

Use port level authentication.

In other words only a PC with the specified MAC address can operate on a certain port.

Hence if a user unplugs a PC and takes it to the socket where the Internet is connected to, when he tries to plug it in the switch will recognize that is has a different MAC to the PC that should be connected and will close down the port until it is administrativley opened again.
Problem solved.

If there are any wall outlets that are connected to the switch still but are not being used - disable/disconnect them.

Quote:

---

If your connection to the internet is NOT through a server, then you have a big security hole

---

Why?

All my internet connections use either via a Firewall, Router with ACL's, Websense box etc in some cases all of them - it does not have to be through a server to be secure at all.

Quote:

---

a "switch" is a pretty simple device for handling connections, and is not really a security tool

---

A switch can also be a very good security tool if configured properly - it is the first thing that is used when connecting to a network internally - hence it now becomes the first line of defense so to speak. Yes it can't be soley relied upon but it can still be and extra 'aid' and a very valuable aid, in securing a network.

Quote:

---

if anything else is plugged in that port will shutdown

---

Thanks for this advice, I guess you are talking about anyother PC to be plugged to a specific port.

What I am looking for is: the same PC , if it is unplugged from a specific , it should not have been plugged again to the same port .

You wont be able to do that as unplugging it from a port is no different from turning the PC off as far as a switch is concerned. What you can do is to prevent it from being plugged in to anyother port on your network - using the port authentication protocol mention in mine and HTregz's posts.

There maybe some script your could employ that disables the NIC if is senses that a cable has been unplugged - but writting that is a touch over my head!

Quote:

---

and is not really a security tool.

---

Damn, I use mine as one. ;) Can you think of another tool, besides a router that has limited ports available, that can limit "physical" access to network segments? Example... only those comming in on port 1, 3 and 5 can access port 9. Perhaps port 9 has a VPN device on it so when a certain say... URL is typed in a browser the pathway uses the VPN versus the normal gateway but only to a specific goup of peeps.

Quote:

---

Originally posted here by nihil
Hmmm,

As far as I know a "switch" is a pretty simple device for handling connections, and is not really a security tool. I would expect that the answer to your question is "no", as the switch is probably not sophisticated enough to spot the difference between a machine being logged off or just powered down. And connected to another switch, then reconnected.

I would say that you need servers to monitor and control this.

If your connection to the internet is NOT through a server, then you have a big security hole. I do not know what sort of logging you have on your intranet and internet at the moment. We would need that information to suggest a practical and cost effective solution.

---

nihil,

A switch is one of your most important aspects of security... with VLANs, 802.1x, Port Authentication, Port Security, with switches above the 2950 (for example the 3550) you get the ability to define ACLs, etc... Cisco puts a lot of emphasis on security through switches...

As for servers to monitor and control this??? Servers a complex entities... introduce something too complex into your scenerio just gives room for more holes and problems... Now 802.1x would most likely have a back-end RADIUS or TACACS server... but nothing that your information is directly passing through.... Using servers directly in line of network communication is something that Windows Admins that don't know other hardware do.

There are better and more effective ways to accomplish logging... as for your Network Security.... it should be done by Networking Devices..

As for the OP of this thread... the realistic suggestions have been made as far as switching security is concerned... They require a bit of work and playing around will but will do what is required... he sounds like he wants an easy fix...

If he doesn't want the natural and available network security then nihil's suggestion of lock boxes over the jacks is the next best solution.

I suppose you could also use Network Access Quarantine Control available with W2K3 and IAS but that's generally for remote users.

Peace,
HT

or maybe manufacture your own patch leads for the 'internet sockets'
RJ11 plug instead of RJ45 ?
[PC < - RJ45 --------- RJ11 -> internet socket]
[PC < - RJ45 --------- RJ45 - >Intranet socket]

In several factories I worked in [in my previous life as an electrician], to prevent loss of plug tops
the factory fitted 13A sockets with square L and N pins but a round earth pin

just a variation of a theme

Quote:

---

Specifically port security via MAC Address with shutdown mode... Register the valid Desktop MAC Addresses with the switch and if anything else is plugged in that port will shutdown, generate a syslog message, and the LED will indicate an error... You will then manually have to re-enable the port...

---

My understandin to what you are saying (switch port security using MAC address not 802.1x), is : (correct me if I misunderstood) :

If I have got two PCs 1, and 2 with PC1 MAC addresses 18-00-46-06-FB-B6, and PC 2 MAC addresses : 200-08-74-4D-8E-E2. PC 1 is connected to SwitchA fa0/4


1- SwitchA(config)#mac-address-table static 18-00-46-06-FB-B6 interface fastethernet 0/4 vlan 1



2- To allow the switchport FastEthernet 0/4 to accept only one device I have to enter port security as follows:
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport port-security
SwitchA(config-if)#switchport port-security mac-address sticky


3- In the event of a security violation the interface should be shut down.

SwitchA(config-if)#switchport port-security violation shutdown

4- If I unplug PC1 from switchA fa0/4 and plug PC2 (or any other PC) instead, yes there is security violation since the MAC address for any other PC is not as MAC address for PC1.

5- If I unplug PC1 from SwitchA fa0/4 and Plug it to any other device (switch, router, PC) and then Plug back PC1 to switchA fa0/4 , there is no security voilation.

Quote:

---

Originally posted here by zillah
Yes, exactly this is what I am looking for.

At work I have got in a Lab 20 walll jack sockets for internal network (let us call them internal socket), a one desktop is connected to each socket.

there are additional another 3 sockets in the same lab , to access internet (let us call them internet socket),,,these sockets are on different switch.

Some time a user unplug the desktop from internal socket and plug cable to internet socket,,,to access the net.

They are not allowed to use there own PCs in the lab (i.e. They can not use thier laptop).

Is there a way to deny the user from connecting back the cable to the original switch if he unplugged the cable from internal socket (original switch) and plugged to internet socket ,,,

---

I'm looking at this...

so from what I understand (maybe we're losing something in translation here as their appears to be a bit of a language barrier)... You have 20 machines... Each of these are on your intranet... You also have three connections for internet access... Outside machines are not allowed..

So when do these "internet ports" actually get used... If you don't want users network hoping why are they there? What I'm thinking is each of your 20 LAN ports get's port security (following the steps at http://www.cisco.com/univercd/cc/td/...g/port_sec.htm... I can provide you with further assistance on this if you desire)... The machines that are allowed to access the internet would get the same setup...

Basically what we're getting at is that if you have unmonitored (i.e. No person in the room)... ports... you can't stop people from switching machines back and forth if that's the purpose of the ports... If each of these ports should have a single machine and not have their plugs swapped, set the mac address on each port to that specific machine.

Peace,
HT

Quote:

---

Code:

---

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm

---

I can provide you with further assistance on this if you desire)... The machines that are allowed to access the internet would get the same setup...

---

Thanks HTRegz for your conribution,,,I have done alot of practical scenario related to MAC port security.

Quote:

---

you can't stop people from switching machines back and forth if that's the purpose of the ports...

---

I started to believe that we can not implement that.