Security Basics mailing list archives

RE: Unauthorised switchport access


From: dholton1 () comcast net
Date: Thu, 16 Nov 2006 12:08:54 +0000

I had the same situation at a company I was consulting for, and the solution was very easy.

1) I made a switch "safe".  Basically a metal box with an opening for the cables (though technically someone could 
splice into the cables that are exposed), and a nice big lock on the front.  The switch was still in the unlocked 
closet, but it helped prevent people from just plugging into the switch.  The company was VERY happy to see this.  
(what do you know, a non-technical solution from a technical list...) :-)

2) Disabled unused switch ports (already recommended)

3) Had the switch allow only the MAC that was currently connected to the port to connect (so if someone did splice in 
they'd have to figure out the MAC that was allowed and clone it).  Cloning a MAC is not difficult, so that's why the 
other layers are in place as well. (also already recommended)

In addition, I'd also make sure you have proper security set up internally.  This means local firewalls, IDS/IPS, and 
a good patching solution (don't overlook that one!).  As Erick suggested, enabling IPsec would be a huge step in the 
right direction for you.

-Dan
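Steps 2 and 3 above expressed as a switch configuration, added here as an illustration and not part of Dan's post. It assumes a Cisco IOS access switch; the interface names and VLAN numbers are placeholders. The first interface is shown in the default, unhardened state for contrast; the following two apply the two measures.

```cisco
! Default access port: any device that plugs in is accepted (the state Dan describes)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Step 2: unused ports are administratively shut down and parked in an
! unused VLAN (999 is a placeholder) that has no gateway
interface range FastEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Step 3: an in-use port accepts only the one MAC it learns when the
! host first connects; "sticky" writes that MAC into the running config
! and "violation shutdown" err-disables the port if a different MAC shows up
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
```

Once the legitimate host has been seen on the port, save the running config so the learned MAC survives a reload, and check the result with `show port-security interface FastEthernet0/2`.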
