
Switch control in large enterprises

I am the lead network admin at our site. We have a fairly large LAN -- about 1700 workstations, 250 servers, 100 workgroup switches, etc.

We have disabled all unused switch ports, but still have occasional problems with users unplugging workstations and plugging in laptops. We haven't had any real security breaches (viruses, worms, etc.) -- yet, but I realize we've been fortunate.

We are considering enabling port security on all the switches, but I have some concerns about the effort to implement and then maintain this architecture. Do you have any thoughts or advice?

It all gets back to how much administration overhead you want to accept. By locking certain devices to certain ports, you complicate your moves, adds and changes process -- which may or may not be a bad thing. It will certainly require more management, but it also prevents the kind of issues you are describing.

There are overlay products that can plug into your switches (over a spanning port typically) and track "unknown" machines. These so-called pre-admission NAC devices provide a bit cleaner management, but do cost money and require that you manage another device.

As with everything else, it's a trade-off. Most folks just do nothing and hope that they can trust their internal employees to do the right thing and not use the corporate network for malicious intent.
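The answer above weighs port security against its moves, adds and changes overhead. One way to take most of the rollout effort out of locking devices to ports is to generate the per-port configuration from a MAC-table snapshot rather than typing it by hand. The following is an added example, not code from the original page or from the expert; it assumes Cisco IOS access switches, a snapshot captured with `show mac address-table dynamic`, and the constructed sample output embedded below. Ports that already show more addresses than the configured maximum (a desk hub, an unmanaged switch) are reported rather than locked down, and uplinks are skipped.

```python
"""Generate Cisco IOS port-security config from a MAC-table snapshot.

Added example (assumption: Cisco IOS syntax; sample MAC table below is
constructed, not captured from a real switch).
"""
import re
from collections import defaultdict

# Constructed sample of 'show mac address-table dynamic' output.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  20    0011.2233.4477    DYNAMIC     Fa0/2
  10    0011.2233.4488    DYNAMIC     Fa0/3
  10    0011.2233.4499    DYNAMIC     Gi0/1
  10    0011.2233.44aa    DYNAMIC     Gi0/1
  10    0011.2233.44bb    DYNAMIC     Gi0/1
"""

# One table row: VLAN, dotted-hex MAC, type, port. Headers and separators do not match.
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return {port: [mac, ...]} from IOS 'show mac address-table' output."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            _vlan, mac, port = m.groups()
            ports[port].append(mac.lower())
    return dict(ports)


def _natural_key(name):
    # Sort Fa0/2 before Fa0/10 (plain string sort would not).
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def port_security_config(ports, uplinks=(), max_macs=2, violation="restrict"):
    """Emit per-interface IOS config lines.

    max_macs=2 leaves room for an IP phone plus the PC behind it.
    violation='restrict' drops offending frames and logs/traps without
    err-disabling the port, which keeps helpdesk tickets down; 'shutdown'
    err-disables the port and needs the recovery lines below.
    Returns (config_lines, skipped) where skipped maps ports that already
    carry more than max_macs addresses to their MAC list.
    """
    config, skipped = [], {}
    for port in sorted(ports, key=_natural_key):
        macs = ports[port]
        if port in uplinks:
            continue  # never lock an uplink/trunk: whole segments sit behind it
        if len(macs) > max_macs:
            skipped[port] = macs  # probably a hub or unmanaged switch; needs a human decision
            continue
        config += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {max_macs}",
            f" switchport port-security violation {violation}",
            " switchport port-security mac-address sticky",
        ]
        # Seed the sticky entries from the snapshot so the port is locked immediately.
        config += [f" switchport port-security mac-address sticky {mac}" for mac in macs]
    return config, skipped


def errdisable_recovery_config(violation, interval=300):
    """Global lines so a 'shutdown' violation does not need a manual 'no shut'."""
    if violation != "shutdown":
        return []
    return [
        "errdisable recovery cause psecure-violation",
        f"errdisable recovery interval {interval}",
    ]


if __name__ == "__main__":
    ports = parse_mac_table(SAMPLE_MAC_TABLE)
    cfg, skipped = port_security_config(ports, uplinks=("Gi0/1",))
    print("\n".join(cfg))
    for port, macs in skipped.items():
        print(f"! {port}: {len(macs)} MACs seen, not locked down: {' '.join(macs)}")
```

Sticky addresses end up in the running configuration, so the generated config (and any addresses the switch learns later) only survives a reload after `write memory`; the maintenance cost the expert mentions is largely that re-snapshot and re-push cycle every time a desk changes.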

This was last published in July 2006
