Another good defense-in-depth approach is to set up SNMP monitoring on your managed switches to report any time a port comes up. This can help detect rogue devices plugged into the network, as well as devices that might be flapping. It obviously should be disabled for ports that are connected to devices like office PCs, or other equipment that is expected to power cycle a lot, but these are generally not the ports you are worried about for rogue devices, as they are already out in the open.
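As an added example (not from the original post or any vendor tool), here is how the port-up monitoring described above can be turned into detection logic: it reads constructed, snmptrapd-style linkUp/linkDown log lines, skips the office-PC ports that are expected to cycle, reports every remaining linkUp as a possible rogue device, and separately flags ports that are flapping. The log format, switch and port names, and the flap thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traps); fields:
# epoch seconds, switch, port, trap type.
SAMPLE_LOG = """\
1700000000 sw-lobby-01 Gi1/0/7 linkUp
1700000005 sw-lobby-01 Gi1/0/7 linkDown
1700000010 sw-lobby-01 Gi1/0/7 linkUp
1700000015 sw-lobby-01 Gi1/0/7 linkDown
1700000400 sw-lobby-01 Gi1/0/12 linkUp
1700000420 sw-office-02 Gi1/0/3 linkUp
"""

# Ports expected to cycle often (office PCs etc.); excluded from alerting.
NOISY_PORTS = {("sw-office-02", "Gi1/0/3")}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(linkUp|linkDown)$")

def parse_trap_log(text):
    """Parse log lines into (timestamp, switch, port, kind) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def analyze(events, flap_window=60, flap_threshold=3):
    """Return (link_up_alerts, flapping_ports).
    link_up_alerts: (ts, switch, port) for each linkUp on a non-noisy port.
    flapping_ports: ports with >= flap_threshold transitions within flap_window s.
    """
    alerts, transitions = [], defaultdict(list)
    for ts, switch, port, kind in events:
        key = (switch, port)
        if key in NOISY_PORTS:
            continue
        transitions[key].append(ts)
        if kind == "linkUp":
            alerts.append((ts, switch, port))
    flapping = set()
    for key, times in transitions.items():
        times.sort()
        for i in range(len(times)):
            # count transitions in the window starting at times[i]
            j = i
            while j < len(times) and times[j] - times[i] <= flap_window:
                j += 1
            if j - i >= flap_threshold:
                flapping.add(key)
                break
    return alerts, flapping
```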
Locking Down Network Connections Guide
********* *** ****** ******* *** ***** when ******* *********** *** *** ****** down. ******** *** ***** ************ ******* should ** ********* ******* **** ******* and *** ** **** **** ********** low-cost *****.
****** **** *****, **** ******** *** they **** *** **** *** ********* are. ** ** **, **** ****** and ****** ***** ******* *******.
** ******* * ***** **************, ********* the *******, ************* *** **** *** used, *** **** *** ***************.
Why **** ****
***** *** ******* ********** ** ******* lock ******* ** ************ ***********, *** example:
- **** *** ******* ********* / ******* accidental *********** **** ***** ******
- ******* ***** / ********** ******* **** connecting ** *** ************ *******
- **** *** **** ******** **** *** include ******** ******** *****, ** **** point ** ***** *** ****** **** access ** ******* *****
- ****** ****** *** ** ** ****** accessible *********, **** ** ********** ** a "*******" **** ** * ******* or **** ****** ******* **** * bullet ** *** ****** ***** ****, requiring ** ***** *** *************
Summary / ********
***** *** *********** ***** ****** ***** of **** *** ***** ***** ********** to ** ***** *** ******** *******.
******* ***** ******** **** ** **** *** ***** cable ** *** **** ****. **** slide **** *** ******* **** ** a ***** *****, ******** *** ******* tab, ** ** *** *** ** depressed ** ****** *** *****. **** locks ********** ******* *** ****** *** to ******* ********* ********* ** ********, while ****** ***** ** *******, *** attempting ** ***** ** ********* ****** most ** *** *** ******* ** the ****, ** *** ***** *** still *** ** *******.
**** **** ******** **** ** ******* ****** ** empty *****. **** *** **** ****** ports **** ** ******** ** ***** panel *****, ********* * *** **** the **** ******* ** * ***** cable *** ****** ** ***** **** a *********** ***. **** *** ********* low *******, ** ******* ********* **** gripping *** **** **** *****, **** as ******, ** ******* ** ****** it.
*** ****/***** *****:*** ***** ***** *** **** ** lock **** *** ****** **** *** USB **** *.*. ******* * ***** from ***** ************ **** ** ***. They *** ********* ***** ********* ******* with *** ***** ******* **** ***
*** **** ********* *** *****, **** another **** ***** *** ***** ******** both **** *****, *** *** *****, and *** ******. **** *** ****** use *** **** ** *** ** free *** *****.
Vote / ****
Manufacturer *******
******** ************* ******* ***** ***** *** port *****, ** ******* ******, ****************,***** ***,** ********, **********.
***** ******* ***** ****** ** *****, from ~$* *** *** *** ****** cost ** ~$** *** ********** ******* models.
***-********** ****** ******** **** ******* ********** are **** ********* [**** ** ****** available].
Securing ***** ******
******* ***** ***** ******* * ********* from *********** ***** *********** ** ************ disconnected. ***** ***** ***** *** ******* tab ** ** *** *** ** depressed ** ******* *** ***** **** the ****/****.
***** *** **** ********* ** ***** these ****** *** *** ****:
- ***** *****:***** ***** ***** ****** **** *** work **** **** ****** ***** ***** if *** **** **** ** ******* proofed, ** *** *****/****** ******** ** manufacturers ****** ****** *** *** ******* device ****** **.
- ****** ***** ******:****** **** ****** ****** ***** *** block *** **** **** ***** ********, forcing *** **** ** ** ******* or ******* ** **** *** *****.
- ****** ****** ********:*******, ***** *** ****** *** *** inside ****, ******, ** ***** ****** housings, *** ** ***** ***********. *** may **** ** **** ***** ***** a ****** ****** *** ** ******* from *** **** *** ********, *** this **** ********** ************ ****.
** *** ***** ***** ** *********** the ************ *** *** ** * patch ***** **** *** ***** ******.
Securing ****** *****
***** ***** ***** ***** ****** ****** in ***, ****** ***** *** **** be *******. *** ***** ***** ***** an ******* ** ***** ***** ******* plugs, ***** *** **** ** ****** unused ******** *****, *.*., ****, ********, mispans, **** *****, ***** ******, ** any ***** ****** **** **********.
************, ***** *** **** **** ***** which *** ****** ***. *** *******, the ******* **** **** (********* ** coordination **** *** ** ******** ******** Agency) ***** **** *** **** *** must ** ********* ** ****** **. Additionally, **** **** *** * ******* serial ******, ***** *** ** *******, making ** ******* ** * **** has **** ******* ** ********. ** tested *** ******* *** **** **** locks ***** *****.
** *** ***** ***** ** *********** the *** **** **** ****, *** it ** *********, *** ********* **** removed:
Securing *** ******
*******, ************ ****** *** **** ** achieved ** ********** ******** ** * device *** *** *****. ** ******** this ****** *** **** ***** *** cable ***** *** ** ****, ****** to **** **** ** ****** **** or ** ******* ** **-*** ***** from ***** *******.
** ******* * *** ****** **** being ******* ** ***** ******* * USB **** *** ** **** ** secure *******, ***** *********** ******** ** a **** ***** ** ******* *** strapping. ** *** ***** ***** ** demonstrate ******** * ***** ** ** NVR ***** ******** *** ***** ****.
** ******** ** ********* ******* **** as ******** *** ****, ****, *******, and ******* ******* **** ****** **** a *** **** ** ***** **** are *** ** ***. *** **** locks ** **** ******** *** ** used ** ******* ****** ** *** open *****, ** * ******* *** that **** ******* ***** ****. ***** below ** * **** **** ** inserted **** * ****** *** ****, making ************ ** ***** ******* *** key. **** ***** ***** **** ******** that *** ** **** ** ***** a **** ** *** ***** **** one ****.
Proprietary ******* *****: ****** ********, ***** ***********
***** ***** ******* *********** ***** *** preferred ** ******** ** * *******. Some ***** *** ******** ***** ** Torx ****, ** **** ***** **** blade ************, *** ** ***** *** easy ** **** **, *** **** provide **** * ******* ***** ** security. ***** *** ***** ** ** use **** ********** ******* ** * bigger ******* **** ********.
*********** ******* ***** *** *********** * downside ** ***** ***** *****. *** technicians *** *** ******* ** ******* a ****** **** ***** * **** with ****, ** **** **** **** no *** ** ******** *** *****.
* **** *** ** **** **** someone ** ****, ** ****, ** a **********, *** **** ***** ** the ****** ** *********. *********** ***** are *********** ** **** *** ******** ship **** *** ***** ** ** additional ******.
No ***** *** ********** *********
* ***** ********** ******** **** **** a *** ** ****** ***** *****, though **** ******* * ***** ** deterrence ******* **** ************* ******* ** accidental *******. ** *** **** *****'* use *********** *****, ** ** ****** enough ** ****** *** **** ** needed ** ****** **.
**** ** ** **** *** *********** means, ********, ******* ****, ** ******** may ***** ****** *** **** ********** quickly, ****** **** ******* **** ********** motions *** **** *********** *****. ** also *** ** ** **** ** ordering *** ******* ****. ** *** else *****, ***** ***** ******* ** gain ****** ** * ***** ***** may **** * *** ** ****** cut ** *** **-********* **, ***** will ** ********** ** **** ********.
*** ***** *******, ***** ***** *** plugs *** *********** ** **** *** layer ** ******** ** ******* * modicum ** ********** *** *****.
Layered Security *********
** ** ********* ** ** ****** just ******** ********. *** **** *********** on ******** ******** ****** ***** *** these ******* *******:
set up SNMP monitoring on your managed switches to report any time a port comes up
On the other hand: ADI More Bad Advice: Network Switches
Well, if you're relying on ADI for any kind of general advice, you are probably far from the level of worrying about (or being aware of) things like advanced port security mechanisms.
BTW, great post on the ADI Advice.
Thanks U1, and for those interested in more information on SNMP for Video Surveillance, we have a report here.
The USB cable lock would have been great years ago when some software platforms required a USB dongle. Hey it looks like a thumb drive so it must be a thumb drive. Doh!
We just used these for the first time and they were fine for the intended use.
Physically securing unused switch ports is a good start, but locking the ports electronically is more likely to block access. Using a black hole VLAN or simply disabling ports is what we prefer to do. This system alone won’t prevent people from unplugging existing patches, but it will prevent access on unused ports.
Jon - good points and agreed, this should be part of a larger plan and why we added the 'Layered Security Important' section. In the networking course we review and demonstrate disabling unused switch ports as well as PoE. I may have to add black hole VLANs.
Have you had any issues with techs struggling to complete add / move / change work because of a null route?
No issues for us to date. Using UBNT Unifi switches makes this really easy. We can check switch configurations quickly with our iPhone. Make changes if needed too.
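As an added example for the disabling / black hole VLAN discussion above (not code from the original page or from any switch vendor), this script audits a constructed Cisco-IOS-style running-config excerpt and lists unused ports that are not both shut down and parked in the black hole VLAN. The config text, the "UNUSED" description convention, and VLAN 999 as the black hole VLAN are assumptions; requiring both controls rather than either one is also an assumed policy.

```python
# Constructed sample running-config excerpt (not from a real device);
# interface blocks are separated by "!" lines.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description CAMERA-LOBBY-01
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/2
 description UNUSED
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/3
 description UNUSED
 switchport mode access
!
interface GigabitEthernet1/0/4
 description UNUSED
 switchport access vlan 999
 switchport mode access
!
"""

BLACKHOLE_VLAN = "999"  # assumed: VLAN with no L3 interface and no live members

def parse_interfaces(config):
    """Map interface name -> list of indented config lines under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return interfaces

def audit_unused_ports(config, blackhole_vlan=BLACKHOLE_VLAN):
    """Return {interface: [missing controls]} for ports described as UNUSED."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("description") and "UNUSED" in l for l in lines):
            continue
        problems = []
        if "shutdown" not in lines:
            problems.append("not shut down")
        vlan = next((l.split()[-1] for l in lines
                     if l.startswith("switchport access vlan")), None)
        if vlan != blackhole_vlan:
            problems.append(f"access vlan is {vlan or 'default'}, not {blackhole_vlan}")
        if problems:
            findings[name] = problems
    return findings
```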