It's very important to know how to configure features and interfaces on network equipment. It's even more important to know why you're using a certain design or configuration to be able to evaluate its effectiveness. Sometimes things that look to be secure and seem to be worthwhile to implement can go very wrong. And bad security is worse than no security.
Take this scenario: You have quite a few remote offices. You need to implement some security features so that only authorized users using company equipment connect to your network. The users at these offices have phones that connect to the network and a laptop which uses a docking station. Great - you configure port security - 2 MAC addresses per port and a 5 min inactivity timeout. This becomes standard throughout your world and all is well. Or is it?
Eventually complaints start to trickle into your ticket queue. And they come in as complaints of lost connectivity. But you can prove that your connections didn't go down. What gives? Then you look at the port security stats and find thousands of violations. Why? Well, to start - what are your assumptions? When this system/solution was devised, there were a number of 'givens' that either weren't true or are no longer true.
1) The user will come to work and dock the laptop.
2) The laptop will always be docked when in use.
3) If the laptop is not immediately available for use upon docking, the user will wait until it is available.
4) The dock will only be used by the person to whom it has been assigned.
5) Ease of administration is more important than security.
Let's look at what exists today:
+ Remote workers are likely to have Internet access at home. Connecting from a remote office (especially a smaller one) can have the look and feel of their residential connection. Why shouldn't it be as fast and responsive? Just put the right plugs in the right ports and you're ready to work. Since users now have their home network as a comparison, they are less likely to be patient while your security and audit software (and network hardware) perform their functions.
+ If something doesn't work right away, either something's down or you don't have it plugged in properly. Try another port or maybe something like what you have at home. It's worth a shot - it's already broken. Usually you do this at home and eventually you get it to work. And if it doesn't - at the end you can call the Help Desk, but most times you can get it to work with a little effort.
+ You NEED your laptop in meetings. It's silly to write things on paper and then type them up when you get back to your desk. You can project your screen on the wall and type up the notes while you meet so you can get consensus and agreement. When you get back to your desk, you'll email it to everyone at the meeting.
Isn't this how you operate? Why wouldn't the remote user operate the same way? So when they come back from their meeting and dock their laptop ... click, click. Oh, crap, it's not working. Since the part that isn't immediately working is associated with networking, they unplug the cable and try the port on the side of the laptop. [MAC address number 3 = port violation.] Well, maybe if I undock it and use the side port? No, still not working. Let me try putting it back. Click, click. Still not working. Dammit, I need to print out those notes! And yes, the authorized MAC address on the dock might not 'work' immediately. Remember - 'works' from a user perspective is different from 'works' from a device/administrator perspective. And if the user was too impatient for it to 'work' the first time, by the time they try a few other things, they are even less likely to be patient enough to wait for it to operate properly.
So now you're preventing an authorized user from using the network. This is a business user. They are never the issue - we work for them, they don't exist to serve us. And you want your fellow workers to use the beautiful network that you have created for them. You just don't want the "outsider-bogeyman" to use your network. And you don't want everyone's personal device (that has no antivirus or other security and may harbor malware) to connect to this clean and healthy network and destroy all your hard work.
And also look at the flip side - because the inconvenience will all be worthwhile if you keep the network safe. But have you kept the network safe? Are your unused ports disabled? No, someone might want to use them and would have to wait while you configure it for them. Or perhaps you feel comfortable about those ports since there's an air gap between the port in the data closet and the user-accessible area?
So where is the first place someone would go to use your network? Pen testers (and potentially malicious users) head straight for the janitor's closet and connect to any available port. Since you allow 2 MAC addresses for every port, they are allowed on the network. Okay - so your company is so smart, they have all the network equipment in their own area which requires badge access. You still have ports connected to that switch in some manner for your authorized users. They go to the unused desk and connect. Again, they are let in. Or they disconnect the docking station and wait 5 minutes - again, they are let in. [Pen testers and malicious users are often more patient than the 'authorized' user.] Oh, and it gets better. Take the same kind of laptop and plop it on the docking station - and you are not only let in, but you are using the authorized MAC of the authorized user.
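Before redesigning anything, the "thousands of violations" from the ticket queue need sorting: which ones are the docked-then-side-port fumbling described above, and which are devices nobody owns? This is an added example, not code from the original post: a small Python triage over constructed syslog lines in the style of the IOS PSECURE_VIOLATION message, with an invented asset inventory, hostnames, MACs and port names.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the style of the IOS
# %PORT_SECURITY-2-PSECURE_VIOLATION message; hostnames, MACs and ports are invented.
SAMPLE_LOG = """\
Jun 23 09:01:12 rbo-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/3.
Jun 23 09:01:40 rbo-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/3.
Jun 23 09:02:05 rbo-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/4.
Jun 23 13:45:00 rbo-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/21.
Jun 23 13:45:30 rbo-sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/22.
"""

# Constructed asset inventory: MAC -> (description, owner's dock port). The entry is the
# laptop's own NIC, not one of the two MACs the dock port learned ("MAC number 3" above).
ASSETS = {"0011.2233.4455": ("alice laptop built-in NIC", "GigabitEthernet0/3")}

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION.*caused by MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$"
)

def parse_violations(log_text):
    """Extract (mac, port) from every violation line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits.append((m.group("mac").lower(), m.group("port")))
    return hits

def triage(violations, assets):
    """Bucket violations so the help desk and the security team get separate queues:
    known_asset_on_own_port = company NIC on its owner's port (the docked-then-
    side-port fumbling above, a usability problem); known_asset_roaming = company
    NIC on some other jack; unknown_device = MAC not in inventory, investigate."""
    per_port = {}
    for mac, port in violations:
        asset = assets.get(mac)
        if asset is None:
            bucket = "unknown_device"
        elif asset[1] == port:
            bucket = "known_asset_on_own_port"
        else:
            bucket = "known_asset_roaming"
        per_port.setdefault(port, Counter())[bucket] += 1
    totals = sum(per_port.values(), Counter())
    investigate = sorted(p for p, c in per_port.items() if c["unknown_device"])
    return {"per_port": {p: dict(c) for p, c in per_port.items()},
            "totals": dict(totals), "investigate": investigate}
```

Only devices that actually trip a violation show up here: the visitor on an unused port with a single MAC, or the one who waits out the 5-minute inactivity timer, never appears in this log at all, which is exactly the gap described above.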
Wow. All the hassle and none of the benefit. Don't get me wrong, I don't advocate removing security. I simply say that if you're going to do something, do it in a way that it produces the effect you intend. The only way to completely fix this kind of problem is to go back to the design stage and make a better mousetrap.
If you really have your heart set on port security, use static MAC entries (without docking stations). Granted, this doesn't scale well. But when it gets to the point where you need to hire someone full-time to deal with move-add-change issues, it's likely that you're large enough to use a better solution.
Another way to attack this issue would be to give the users what they expect - a residential-type connection. For very small offices, this might work. The user is probably already familiar with using their own Internet connection and VPN method to connect to the main office. This scales well if you already have this type of solution in place for those working from home. They could even connect wirelessly (just like at home) and email their meeting notes at the end of the meeting. The response time would be similar to their home connectivity - and you have centralized your remote office traffic and terminated it at a security device.
If you have larger remote offices and must use commercial network gear, you can create an "RBO DMZ" and use whatever firewall, IDS and other security measures you would normally use for any other DMZ to secure the traffic and implement security. Make this your first assumption: any connection from these locations might be legitimate or might be malicious, and the main focus of your security devices is to determine which connections are the ones you want to access your network.
Of course, we always want to look at defense in depth which is also a part of this scenario. Yeah. That antivirus stuff. Of course we want to have our desktops protected with the latest signatures. Of course we need to manage our remote resources, just like we do at corporate. But we also need to realize the impact of these configuration choices on the end device's network connectivity. If the laptop does more work for the audit team than it does for the user, it's worthless. The user is going to see it as "not working" and will find ways around your security measures (like moving the cable to another port). Or worse. Enough complaints from enough executive users and you will become the problem.
Teams that formerly worked in isolated silos need to collaborate and get feedback on what works so that the user has a better experience. When security is easy to use, people will use it. You want people to use it. You don't want users playing frisbee with their laptops out of frustration. But in order to do that, we sometimes need to challenge our assumptions. And if those original conditions no longer exist, we need to rethink our plans and retool our devices. Remember - there was a time when the Caesar cipher was effective.
Posted by BlueWolf on June 23, 2012 10:25 AM