Locking Down Network Connections Guide

Published Apr 23, 2019 14:35 PM

********* *** ****** ******* *** ***** when ******* *********** *** *** ****** down. ******** *** ***** ************ ******* should ** ********* ******* **** ******* and *** ** **** **** ********** low-cost *****.


****** **** *****, **** ******** *** they **** *** **** *** ********* are. ** ** **, **** ****** and ****** ***** ******* *******.

** ******* * ***** **************, ********* the *******, ************* *** **** *** used, *** **** *** ***************.

Why **** ****

***** *** ******* ********** ** ******* lock ******* ** ************ ***********, *** example:

  • **** *** ******* ********* / ******* accidental *********** **** ***** ******
  • ******* ***** / ********** ******* **** connecting ** *** ************ *******
  • **** *** **** ******** **** *** include ******** ******** *****, ** **** point ** ***** *** ****** **** access ** ******* *****
  • ****** ****** *** ** ** ****** accessible *********, **** ** ********** ** a "*******" **** ** * ******* or **** ****** ******* **** * bullet ** *** ****** ***** ****, requiring ** ***** *** *************

Summary / ********

***** *** *********** ***** ****** ***** of **** *** ***** ***** ********** to ** ***** *** ******** *******.


******* ***** ******** **** ** **** *** ***** cable ** *** **** ****. **** slide **** *** ******* **** ** a ***** *****, ******** *** ******* tab, ** ** *** *** ** depressed ** ****** *** *****. **** locks ********** ******* *** ****** *** to ******* ********* ********* ** ********, while ****** ***** ** *******, *** attempting ** ***** ** ********* ****** most ** *** *** ******* ** the ****, ** *** ***** *** still *** ** *******.


**** **** ******** **** ** ******* ****** ** empty *****. **** *** **** ****** ports **** ** ******** ** ***** panel *****, ********* * *** **** the **** ******* ** * ***** cable *** ****** ** ***** **** a *********** ***. **** *** ********* low *******, ** ******* ********* **** gripping *** **** **** *****, **** as ******, ** ******* ** ****** it.


*** ****/***** *****:*** ***** ***** *** **** ** lock **** *** ****** **** *** USB **** *.*. ******* * ***** from ***** ************ **** ** ***. They *** ********* ***** ********* ******* with *** ***** ******* **** ***

*** **** ********* *** *****, **** another **** ***** *** ***** ******** both **** *****, *** *** *****, and *** ******. **** *** ****** use *** **** ** *** ** free *** *****.

Vote / ****

Manufacturer *******

******** ************* ******* ***** ***** *** port *****, ** ******* ******, ****************,***** ***,** ********, **********.

***** ******* ***** ****** ** *****, from ~$* *** *** *** ****** cost ** ~$** *** ********** ******* models.

***-********** ****** ******** **** ******* ********** are **** ********* [**** ** ****** available].

Securing ***** ******

******* ***** ***** ******* * ********* from *********** ***** *********** ** ************ disconnected. ***** ***** ***** *** ******* tab ** ** *** *** ** depressed ** ******* *** ***** **** the ****/****.

***** *** **** ********* ** ***** these ****** *** *** ****:

  • ***** *****:***** ***** ***** ****** **** *** work **** **** ****** ***** ***** if *** **** **** ** ******* proofed, ** *** *****/****** ******** ** manufacturers ****** ****** *** *** ******* device ****** **.
  • ****** ***** ******:****** **** ****** ****** ***** *** block *** **** **** ***** ********, forcing *** **** ** ** ******* or ******* ** **** *** *****.
  • ****** ****** ********:*******, ***** *** ****** *** *** inside ****, ******, ** ***** ****** housings, *** ** ***** ***********. *** may **** ** **** ***** ***** a ****** ****** *** ** ******* from *** **** *** ********, *** this **** ********** ************ ****.

** *** ***** ***** ** *********** the ************ *** *** ** * patch ***** **** *** ***** ******.

Securing ****** *****

***** ***** ***** ***** ****** ****** in ***, ****** ***** *** **** be *******. *** ***** ***** ***** an ******* ** ***** ***** ******* plugs, ***** *** **** ** ****** unused ******** *****, *.*., ****, ********, mispans, **** *****, ***** ******, ** any ***** ****** **** **********.


************, ***** *** **** **** ***** which *** ****** ***. *** *******, the ******* **** **** (********* ** coordination **** *** ** ******** ******** Agency) ***** **** *** **** *** must ** ********* ** ****** **. Additionally, **** **** *** * ******* serial ******, ***** *** ** *******, making ** ******* ** * **** has **** ******* ** ********. ** tested *** ******* *** **** **** locks ***** *****.


** *** ***** ***** ** *********** the *** **** **** ****, *** it ** *********, *** ********* **** removed:

Securing *** ******

*******, ************ ****** *** **** ** achieved ** ********** ******** ** * device *** *** *****. ** ******** this ****** *** **** ***** *** cable ***** *** ** ****, ****** to **** **** ** ****** **** or ** ******* ** **-*** ***** from ***** *******.

** ******* * *** ****** **** being ******* ** ***** ******* * USB **** *** ** **** ** secure *******, ***** *********** ******** ** a **** ***** ** ******* *** strapping. ** *** ***** ***** ** demonstrate ******** * ***** ** ** NVR ***** ******** *** ***** ****.

** ******** ** ********* ******* **** as ******** *** ****, ****, *******, and ******* ******* **** ****** **** a *** **** ** ***** **** are *** ** ***. *** **** locks ** **** ******** *** ** used ** ******* ****** ** *** open *****, ** * ******* *** that **** ******* ***** ****. ***** below ** * **** **** ** inserted **** * ****** *** ****, making ************ ** ***** ******* *** key. **** ***** ***** **** ******** that *** ** **** ** ***** a **** ** *** ***** **** one ****.


Proprietary ******* *****: ****** ********, ***** ***********

***** ***** ******* *********** ***** *** preferred ** ******** ** * *******. Some ***** *** ******** ***** ** Torx ****, ** **** ***** **** blade ************, *** ** ***** *** easy ** **** **, *** **** provide **** * ******* ***** ** security. ***** *** ***** ** ** use **** ********** ******* ** * bigger ******* **** ********.


*********** ******* ***** *** *********** * downside ** ***** ***** *****. *** technicians *** *** ******* ** ******* a ****** **** ***** * **** with ****, ** **** **** **** no *** ** ******** *** *****.

* **** *** ** **** **** someone ** ****, ** ****, ** a **********, *** **** ***** ** the ****** ** *********. *********** ***** are *********** ** **** *** ******** ship **** *** ***** ** ** additional ******.

No ***** *** ********** *********

* ***** ********** ******** **** **** a *** ** ****** ***** *****, though **** ******* * ***** ** deterrence ******* **** ************* ******* ** accidental *******. ** *** **** *****'* use *********** *****, ** ** ****** enough ** ****** *** **** ** needed ** ****** **.

**** ** ** **** *** *********** means, ********, ******* ****, ** ******** may ***** ****** *** **** ********** quickly, ****** **** ******* **** ********** motions *** **** *********** *****. ** also *** ** ** **** ** ordering *** ******* ****. ** *** else *****, ***** ***** ******* ** gain ****** ** * ***** ***** may **** * *** ** ****** cut ** *** **-********* **, ***** will ** ********** ** **** ********.

*** ***** *******, ***** ***** *** plugs *** *********** ** **** *** layer ** ******** ** ******* * modicum ** ********** *** *****.

Layered Security *********

** ** ********* ** ** ****** just ******** ********. *** **** *********** on ******** ******** ****** ***** *** these ******* *******:

Comments (9)
Undisclosed #1
Apr 23, 2019

Another good defense-in-depth approach is to set up SNMP monitoring on your managed switches to report any time a port comes up. This can help detect rogue devices plugged into the network, as well as devices that might be flapping. It obviously should be disabled for ports that are connected to devices like office PCs, or other equipment that is expected to power cycle a lot, but these are generally not the ports you are worried about for rogue devices, as they are already out in the open.

(1)
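
The link-up monitoring described in the comment above, sketched as an added example that is not part of the original thread: it takes linkUp/linkDown trap events, skips ports where monitoring is deliberately off, flags link-up on ports with no known device, and flags flapping ports. The event layout, switch and port names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: ISO time, switch, port, trap name.
# This layout is an assumption for the example, not a real trap receiver's log format.
SAMPLE_EVENTS = """\
2019-04-23T02:14:07 sw-idf1 Gi1/0/12 linkUp
2019-04-23T08:01:30 sw-idf1 Gi1/0/3 linkUp
2019-04-23T09:00:00 sw-mdf Gi1/0/24 linkDown
2019-04-23T09:00:20 sw-mdf Gi1/0/24 linkUp
2019-04-23T09:01:05 sw-mdf Gi1/0/24 linkDown
2019-04-23T09:01:40 sw-mdf Gi1/0/24 linkUp
2019-04-23T09:02:10 sw-mdf Gi1/0/24 linkDown
2019-04-23T09:02:45 sw-mdf Gi1/0/24 linkUp
"""

# Hypothetical: ports where reporting is off (office PCs that power cycle often).
IGNORED_PORTS = {("sw-idf1", "Gi1/0/3")}
# Hypothetical: ports with a known device patched in (camera, NVR, uplink).
KNOWN_PORTS = {("sw-mdf", "Gi1/0/24")}
FLAP_COUNT, FLAP_WINDOW = 3, timedelta(minutes=5)

def analyze(text):
    """Return (link-ups on unknown ports, sorted list of flapping ports)."""
    rogue, flapping, ups = [], set(), defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        ts, switch, port, trap = parts
        key = (switch, port)
        if trap != "linkUp" or key in IGNORED_PORTS:
            continue
        when = datetime.fromisoformat(ts)
        if key not in KNOWN_PORTS:
            rogue.append((ts, switch, port))  # something came up on an unused port
        # Keep only link-ups inside the sliding window, then add this one.
        ups[key] = [t for t in ups[key] if when - t <= FLAP_WINDOW] + [when]
        if len(ups[key]) >= FLAP_COUNT:
            flapping.add(key)
    return rogue, sorted(flapping)

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```
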
John Honovich
Apr 23, 2019
IPVM

set up SNMP monitoring on your managed switches to report any time a port comes up

On the other hand: ADI More Bad Advice: Network Switches

Undisclosed #1
Apr 23, 2019

Well, if you're relying on ADI for any kind of general advice, you are probably far from the level of worrying about (or being aware of) things like advanced port security mechanisms.

BTW, great post on the ADI Advice.

(2)
John Scanlan
Apr 23, 2019
IPVM • IPVMU Certified

Thanks U1, and for those interested in more information on SNMP for Video Surveillance, we have a report here.

Shannon Davis
Apr 23, 2019
IPVMU Certified

The USB cable lock would have been great years ago when some software platforms required a USB dongle. Hey it looks like a thumb drive so it must be a thumb drive. Doh!

(2)
(1)
(2)
Ty Mullen
Apr 23, 2019
COR Security, Inc.

We just used these for the first time and they were fine for the intended use.

Platinum Tools Lockable Boot

(2)
Jon Dillabaugh
Apr 25, 2019
Pro Focus LLC

Physically securing unused switch ports is a good start, but locking the ports electronically is more likely to block access. Using a black hole VLAN or simply disabling ports is what we prefer to do. This system alone won’t prevent people from unplugging existing patches, but it will prevent access on unused ports.  

(2)
(1)
John Scanlan
Apr 25, 2019
IPVM • IPVMU Certified

Jon - good points and agreed, this should be part of a larger plan and why we added the 'Layered Security Important' section. In the networking course we review and demonstrate disabling unused switchports as well as PoE. I may have to add black hole VLANs.

Have you had any issues with techs struggling to complete add / move / change / work because of a null route?

Jon Dillabaugh
Apr 25, 2019
Pro Focus LLC

No issues for us to date. Using UBNT Unifi switches makes this really easy. We can check switch configurations quickly with our iPhone. Make changes if needed too. 

(3)