General discussion


    Security Solutions: Implement port security


    by discussion

    In this week’s Security Solutions e-newsletter column, Mike Mullins discusses port security. Have you implemented port security on your switches? Was this phase of security difficult to execute? What tips do you have for controlling access to switch ports? Are there other pros or cons to implementing port security that Mike didn’t mention?

    If you’d like to learn more about the Security Solutions e-newsletter, point to this link, and click Security Solutions to see a sample. If you’re interested, you can also sign up: eturn_to=

    * When pasting this link into your browser, remove any spaces.

All Comments


      Hidden wireless connections…

      by peter_robb

      In reply to Security Solutions: Implement port security

      I have several wireless access points in my network, so I find that new workstations that are NATed behind these points tend to escape your type of control.
      In fact, someone here has discovered the advantages of hiding behind another gateway device, whatever it may be… so they have been ferreted out by checking outgoing workstation TTLs and taking some more appropriate/direct steps.
      I also mangle incoming TTLs to die 1 hop after a regular workstation, then log the responses to find anyone who has escaped this control…
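The passive half of the check peter_robb describes, checking outgoing TTLs to spot hosts hiding behind a second gateway, can be scripted against ordinary flow logs. The following is an added example written for this thread, not code from the poster or from the Security Solutions column; the log format, the sample flows and the assumption that the capture point sits one hop from every directly connected workstation are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of outbound flows as a border firewall might log them
# (not real data). The capture point is assumed to sit one router hop from
# every directly connected workstation, so a healthy host shows a TTL of
# (OS default - 1): 127 for a Windows host, 63 for Linux/Android/macOS.
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 src=10.0.1.10 ttl=127 proto=tcp dport=443
2024-01-01T09:00:02 src=10.0.1.11 ttl=63 proto=tcp dport=80
2024-01-01T09:00:03 src=10.0.1.12 ttl=126 proto=tcp dport=443
2024-01-01T09:00:04 src=10.0.1.12 ttl=62 proto=udp dport=53
2024-01-01T09:00:05 src=10.0.1.13 ttl=127 proto=tcp dport=22
"""

# Common initial TTL values set by operating systems and network gear.
INITIAL_TTLS = (64, 128, 255)

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+ttl=(?P<ttl>\d+)")


def infer_initial_ttl(ttl):
    """Return the smallest common starting TTL that is >= the observed TTL."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    raise ValueError(f"TTL {ttl} exceeds the IPv4 maximum")


def parse_flow_line(line):
    """Extract (source IP, observed TTL) from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("ttl"))


def analyze(text, expected_hops=1):
    """Return {src_ip: [reasons]} for every source seen in the log text.

    A source gets an empty reason list when every packet looks like it came
    straight from a workstation. Two signals mark a likely NAT/gateway in
    front of hidden hosts: more hops than expected, and packets from the same
    address that decrement from different OS TTL bases (several OSes behind
    one IP).
    """
    observed = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_flow_line(line)
        if parsed:
            src, ttl = parsed
            observed[src].add(ttl)

    findings = {}
    for src, ttls in observed.items():
        reasons = []
        bases = {infer_initial_ttl(t) for t in ttls}
        hops = {infer_initial_ttl(t) - t for t in ttls}
        if any(h > expected_hops for h in hops):
            reasons.append(
                f"inferred hop counts {sorted(hops)} exceed expected {expected_hops}"
            )
        if len(bases) > 1:
            reasons.append(
                f"mixed initial TTLs {sorted(bases)}: several hosts probably share this address"
            )
        findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_FLOWS).items():
        status = "SUSPECT" if reasons else "ok"
        print(f"{src:12} {status} {'; '.join(reasons)}")
```

In the sample, 10.0.1.12 is flagged on both counts: its packets arrive two hops down from their starting TTL, and they start from both 128 and 64, which is what a small NAT router with a Windows box and a Linux box behind it looks like. Treat a hit as a lead to walk the MAC address table for that port rather than as proof; VPN clients, tunnels and a few unusual OS defaults produce the same TTL shifts.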



      Port Security

      by mercedesman1981

      In reply to Security Solutions: Implement port security

      Port security is great and really does work well for giving total control over the devices plugged into your switches. This does place a larger administrative burden when devices are moved or new devices are plugged into the network. In the case of real-time production on a 24 hour basis, as the single network and security admin, I like to give a little latitude to my counterpart – the sys admin. So instead of giving her the “keys to the kingdom” when it comes to those 3am phone calls, I have elected not to use port security. Instead, my switches are behind locked doors and don’t populate all of the ports, only those that are needed. I find this helps cut down on my workload (I have two full time job titles, and one part time) and transfers a little empowerment to the sys admin whom I trust. This, of course, does not protect from the user that decides to unplug his workstation and plug in whatever device he has, but then that is what syslog is for and is easily tracked down. Fortunately, the users on my network have not done this yet and I confess also that my network is relatively small though it is a critical real-time production network.
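Without port security enabled, the switch still tells syslog when a link changes state, which is the trail mercedesman1981 relies on. The following added example (not the poster's own tooling, and not from the column) audits Cisco IOS style %LINK-3-UPDOWN messages against a small port inventory: a link coming up on a port that should have nothing plugged in, or a quick down/up on an assigned port, is raised for a human to check. The syslog lines, the switch name and the inventory are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed switch syslog excerpt in Cisco IOS style (not real logs).
SAMPLE_SYSLOG = """\
Jan  1 03:12:44 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
Jan  1 03:12:45 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
Jan  1 09:05:10 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Jan  1 09:05:30 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
Jan  1 10:00:00 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

# Hypothetical inventory: only these ports are supposed to have a device.
PORT_INVENTORY = {
    "FastEthernet0/1": "ws-alice",
    "FastEthernet0/3": "ws-bob",
}

LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)"
)


def parse_link_event(line):
    """Return (timestamp, switch, interface, state) for a link event, else None."""
    m = LINK_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; only differences are used here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host"), m.group("iface"), m.group("state")


def audit(text, inventory, swap_window_s=120):
    """Scan syslog text and return a list of (ts, switch, iface, reason) alerts.

    Two rules: (1) any link-up on a port absent from the inventory, because
    those ports are meant to stay empty; (2) a link-down followed by a
    link-up within swap_window_s seconds on an assigned port, the pattern of
    someone pulling a workstation's cable and plugging something else in.
    """
    alerts = []
    last_down = {}
    for line in text.splitlines():
        ev = parse_link_event(line)
        if ev is None:
            continue  # LINEPROTO and other messages are ignored
        ts, host, iface, state = ev
        key = (host, iface)
        if iface not in inventory:
            if state == "up":
                alerts.append((ts, host, iface, "link up on port not in inventory"))
            continue
        if state == "down":
            last_down[key] = ts
        elif key in last_down:
            gap = (ts - last_down.pop(key)).total_seconds()
            if gap <= swap_window_s:
                alerts.append(
                    (ts, host, iface,
                     f"down/up within {gap:.0f}s on port assigned to {inventory[iface]}; verify device")
                )
    return alerts


if __name__ == "__main__":
    for ts, host, iface, reason in audit(SAMPLE_SYSLOG, PORT_INVENTORY):
        print(f"{ts:%b %d %H:%M:%S} {host} {iface}: {reason}")
```

On the sample this raises FastEthernet0/7 (a supposedly empty port coming up at 03:12) and FastEthernet0/3 (down and back up twenty seconds apart), and stays quiet about FastEthernet0/1. A down/up on an assigned port is also what a reboot or a re-seated cable looks like, so the second alert is a prompt to compare the MAC now learned on that port with the one expected, not proof of a swap. Unused ports are better shut down administratively as well, so the first kind of event cannot happen silently.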
