Open Switch Ports: The Most Commonly Overlooked Layer of Network Security

By Kevin Blackburn, Blog Contributor

Next time you are in a mid-size to large enterprise environment, take a look around as you roam the halls, waiting areas and other public spaces. Healthcare environments are a good example. There are usually network jacks scattered around, with or without devices connected. Now what would happen if you found a connected device, unplugged it and connected your own laptop in its place?

The disappointing reality is that in more environments than people would believe, you would have immediate wired access with no authentication needed. Taking this a step further, who knows what type of network a person could land on by doing this. They could be on a general-use VLAN, or they could even end up with a wired connection to a PCI VLAN. Regardless, this is a worst-case scenario: an attacker now has unauthenticated access to your network.

What Can Be Done?
Physical port security is what I believe to be the most commonly overlooked layer of network security. Data closets are usually locked with keyed or badged access; front-door WAN connections are usually protected by firewalls; and wireless network security is a very hot topic nowadays. But rarely are people talking about the security of wired network connections. So, what can be done?

There are three methods that I recommend to people looking to get serious about the security of their wired connections.

1. Shut down ports that are not in use. The first method of securing wired network connections is to shut down ports that are not in use. This is a no-brainer and a networking best practice. Regardless of the technology a network is utilizing, or the budget that is available, this is the first step of wired network security that should be followed. This is especially useful in areas where you know the ports aren’t likely to be used at all.
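To show what the first step looks like in practice, here is an added example (not the author's or Aruba's code) of a small audit script: it parses a port status table and lists ports that are administratively up but have had no link for a long time, which are the candidates to shut down. The table format, the port names and the idle threshold are constructed for this example; a real switch's "show interfaces" output differs and would need its own parser.

```python
"""Audit a switch port table and list candidate ports to shut down.

Added example, not code from the original post or from any vendor. The
table format below is constructed; adapt parse_port_table() to the real
output of the switch you are auditing.
"""
from dataclasses import dataclass

# Constructed sample: port, admin state, link state, days since last link-up, description
SAMPLE_PORT_TABLE = """\
port    admin  link  last_link_up_days  description
1/1/1   up     up    0                  reception-pc
1/1/2   up     down  45                 lobby-jack
1/1/3   up     down  3                  conference-a
1/1/4   down   down  200                -
1/1/5   up     up    0                  uplink-core
"""


@dataclass
class Port:
    name: str
    admin_up: bool
    link_up: bool
    idle_days: int
    description: str


def parse_port_table(text: str) -> list[Port]:
    """Parse the constructed whitespace-separated table (header line skipped)."""
    ports = []
    for line in text.splitlines()[1:]:
        fields = line.split(maxsplit=4)
        if len(fields) < 5:
            continue
        name, admin, link, days, desc = fields
        ports.append(Port(name, admin == "up", link == "up", int(days), desc))
    return ports


def shutdown_candidates(ports: list[Port], idle_threshold_days: int = 30) -> list[str]:
    """Ports that are administratively up but have had no link for at least the
    threshold. Recently-down ports are left alone so that someone who is away
    for a few days does not come back to a dead jack."""
    return [
        p.name
        for p in ports
        if p.admin_up and not p.link_up and p.idle_days >= idle_threshold_days
    ]


def already_secured(ports: list[Port]) -> list[str]:
    """Ports that are already administratively down (nothing to do)."""
    return [p.name for p in ports if not p.admin_up]


if __name__ == "__main__":
    table = parse_port_table(SAMPLE_PORT_TABLE)
    for name in shutdown_candidates(table):
        # Vendor-neutral plan line; the exact CLI command varies by platform.
        print(f"{name}: admin-disable (no link for >= 30 days)")
    for name in already_secured(table):
        print(f"{name}: already shut down")
```

Run against a real export, the script gives you a short list to review with the people who own those areas before you disable anything; the threshold is deliberately a parameter so conference rooms and hot desks can be given a longer grace period than lobby jacks.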

2. Know what ports are being used. The second method revolves around the ports that you know are being used. If you know a single device is going to be connected and not interchanged with other devices, you can configure port-based security on the switch the device is connected to.

Think of the attack I mentioned earlier, where someone unplugs a device in a public area and connects a laptop. By utilizing the sticky-MAC option of port security on major switching platforms such as Aruba, the network admin can force a switch port to learn the MAC address of the connected device and store it as the only address allowed on that port. Should the port detect a different MAC address, the switch can shut the port down instantly. This is a great option for devices and ports you know will not regularly change.

But be aware: if you use this on non-dedicated ports, it can become an administration nightmare. Every time a different device is plugged in, the MAC address changes, the port shuts down, and someone has to re-enable it.
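The following added example (my own model, not the author's or Aruba's port-security implementation) simulates sticky-MAC port security: a port learns the first MAC it sees, forwards frames from that address, and shuts itself down when a different address shows up. The second scenario models the administrative cost on a shared hot-desk port, where a new laptop each day triggers a shutdown that an admin has to clear. MAC addresses, port names and the address limit are constructed.

```python
"""Sticky-MAC port security, modelled in Python.

Added example, not a vendor's implementation. It captures the behaviour the
post describes: learn the first address, lock to it, shut the port on a
violation. Real switches have more options (aging, alarm-only actions, etc.).
"""
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    address_limit: int = 1                       # sticky MACs the port may learn
    allowed: set = field(default_factory=set)    # learned (sticky) addresses
    shut_down: bool = False
    violations: int = 0

    def frame_seen(self, src_mac: str) -> str:
        """Process one ingress frame by source MAC and report what happened."""
        mac = src_mac.lower()
        if self.shut_down:
            return "dropped: port is shut down"
        if mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.address_limit:
            self.allowed.add(mac)                # sticky learn
            return f"learned {mac}"
        # Unknown address beyond the limit: violation, shut the port.
        self.violations += 1
        self.shut_down = True
        return f"violation: {mac} not allowed, port shut down"

    def admin_reenable(self) -> None:
        """What the help desk does after a violation. The sticky table is kept,
        so the same unknown device will trip the port again."""
        self.shut_down = False


def simulate(port: SecuredPort, macs: list[str]) -> list[str]:
    """Feed a sequence of source MACs through the port and collect the outcomes."""
    return [port.frame_seen(m) for m in macs]


# Scenario 1: a dedicated port for an IP camera, then a laptop swapped in.
CAMERA_MAC = "aa:bb:cc:00:00:01"           # constructed
INTRUDER_MAC = "de:ad:be:ef:00:01"         # constructed
DEDICATED_PORT_TRAFFIC = [CAMERA_MAC, CAMERA_MAC, INTRUDER_MAC, CAMERA_MAC]


def hot_desk_reenables(daily_macs: list[str]) -> int:
    """Scenario 2: a shared port where a different laptop connects each day.
    Returns how many times an admin had to re-enable the port in that period."""
    port = SecuredPort("hot-desk-1")
    reenables = 0
    for mac in daily_macs:
        port.frame_seen(mac)
        if port.shut_down:
            port.admin_reenable()
            reenables += 1
    return reenables


HOT_DESK_WEEK = [f"02:00:00:00:00:{d:02x}" for d in range(1, 6)]   # 5 constructed laptops


if __name__ == "__main__":
    cam_port = SecuredPort("lobby-cam")
    for outcome in simulate(cam_port, DEDICATED_PORT_TRAFFIC):
        print(outcome)
    print("hot-desk re-enables in a week:", hot_desk_reenables(HOT_DESK_WEEK))
```

The dedicated-port run shows the protection the post describes: the camera's frames are forwarded, the first frame from another device shuts the port, and even the legitimate camera is then blocked until an admin intervenes. The hot-desk run makes the caveat concrete: five different laptops in five days means four shutdowns and four tickets, which is why sticky MAC belongs on ports whose device does not change.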

3. Use 802.1X authentication for wired ports. The third option for wired network security is by far the most reliable, configurable and manageable: 802.1X authentication for wired connections. By utilizing a product such as ClearPass from Aruba, users can authenticate to the wired network just as they would to the wireless networks in your organization. By utilizing authentication sources such as Windows Active Directory, ClearPass can manage the authentication and authorization of users as they connect to the network, ensuring they are recognized users with proper credentials.

My favorite part of 802.1X is how a single connection can be adapted for whatever (or whoever) connects to it. For instance, regular users could get dynamically assigned to a general use VLAN; security equipment such as IP cameras could get assigned to the security VLAN; and if the devices are not recognized, they could be placed on the guest VLAN. In cases like this, network ports, even in public areas, could be left active without any concerns for security. Even if an unknown user connected a device, they would safely be placed on a segregated guest network.
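To illustrate the dynamic assignment just described, here is an added example of the authorization policy in Python. It is my own model, not ClearPass code and not a real RADIUS or EAP exchange: the user directory, the device inventory, the VLAN IDs and the access-request shape are all constructed, and password checking stands in for the EAP method a real deployment would use. The policy does what the paragraph describes: recognized users go to the general VLAN, inventoried cameras go to the security VLAN, and anything unknown lands on the guest VLAN. One design choice beyond the text, labelled here: a known account presenting bad credentials is rejected outright rather than dropped onto guest, so a wrong password never quietly becomes guest access.

```python
"""802.1X-style dynamic VLAN assignment policy, modelled in Python.

Added example, not ClearPass or Aruba code. Identity sources, VLAN IDs and
request fields are constructed; a real deployment authenticates over
EAP/RADIUS and returns the VLAN as RADIUS attributes.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN IDs for the three roles the post describes.
VLANS = {"general": 10, "security": 20, "guest": 99}

# Constructed stand-in for an Active Directory lookup.
DIRECTORY_USERS = {
    "alice": {"secret": "correct-horse-battery", "groups": ["Domain Users"]},
}

# Constructed stand-in for a device inventory keyed by MAC address.
DEVICE_INVENTORY = {
    "00:11:22:33:44:55": "ip-camera",
}


@dataclass
class AccessRequest:
    mac: str
    username: Optional[str] = None   # present when a supplicant does 802.1X
    secret: Optional[str] = None     # stand-in for the EAP credential


@dataclass
class AccessResult:
    accepted: bool
    vlan: Optional[int]
    reason: str


def authorize(req: AccessRequest) -> AccessResult:
    """Decide whether to admit the connection and which VLAN to place it on."""
    # 1. 802.1X user authentication against the directory.
    if req.username is not None:
        account = DIRECTORY_USERS.get(req.username)
        if account is None:
            # Unknown identity: treat like any unrecognized device (falls through to guest).
            pass
        elif hmac.compare_digest(account["secret"], req.secret or ""):
            return AccessResult(True, VLANS["general"], "recognized user")
        else:
            # Known account, bad credential: reject, do not fall back to guest.
            return AccessResult(False, None, "authentication failed")

    # 2. No (valid) user identity: check the device inventory by MAC.
    role = DEVICE_INVENTORY.get(req.mac.lower())
    if role == "ip-camera":
        return AccessResult(True, VLANS["security"], "inventoried security device")

    # 3. Nothing matched: segregated guest network.
    return AccessResult(True, VLANS["guest"], "unrecognized device")


if __name__ == "__main__":
    for r in (
        AccessRequest("aa:aa:aa:00:00:01", "alice", "correct-horse-battery"),
        AccessRequest("00:11:22:33:44:55"),
        AccessRequest("ff:ee:dd:00:00:09"),
        AccessRequest("aa:aa:aa:00:00:01", "alice", "guess"),
    ):
        print(r, "->", authorize(r))
```

The point to notice is that the port configuration never changes: the same lobby jack yields VLAN 10, 20 or 99 depending on who or what is on the other end, which is what lets ports in public areas stay active.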

Go Deeper
For more information about 802.1X setup in a ClearPass environment, check out this great Aruba workshop video outlining the process.

Read the blogs on this topic by Jon Greene, Aruba CTO:

Are You Leaving the Network Door Wide Open?

Lock Down Your Wired Network to Mitigate Insider Threat

Lock Down Wireless Threats with ClearPass

The Bottom Line
The bottom line is that wired network interfaces need the same amount of focus as other areas of network security. Whether users are interacting with our networks via the web or onsite via wireless or wired connections, there cannot be an area left uncovered and unsecured. A network is only as secure as its weakest point. By utilizing the methods that I mentioned, hopefully your wired infrastructure is not that weak point.