I had an interesting discussion tonight with fellow handler Manuel on the pros and cons of port security as it relates to Network Access Control. I thought it would be interesting to see where others in the security field stand on the issue. Is it worth the effort or not? Is it a valuable tool in Defense in Depth? Here are some of the For and Against arguments we discussed:
- Stops others from being able to plug into your infrastructure; they would have to search to find a port that has not been configured correctly
- Can audit logs to determine if empty ports are turned on or off
- Can alert you more quickly to rogue devices being plugged into your infrastructure
- Not a perfect solution, but should be part of your defense in depth solution; it's not meant to be a stand-alone solution
- If you fake the MAC address of the host, you are in
- Insider/outsider threat is great since physical security of equipment is not well controlled in many organizations
- Have to take into account failover scenarios or you can DoS yourself
- Hard to manage a large number of switch ports to ensure they are configured correctly at all times
So, is port security worth the effort, or do many of you find it's too time-consuming and the benefits are not that great? If you are using it and have tips for successful implementation, please share them so others can benefit. It is Cyber Security Awareness Month and this would be a good opportunity to help educate each other on issues you have encountered with port security or how it has helped protect your organization.
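Two of the "For" points above, auditing logs for unused ports coming up and alerting quickly on rogue devices, only pay off if someone actually watches the switch syslog. The following is an added example (not part of the original diary) of what that watching can look like: a small Python audit that reads switch syslog lines, raises an alert on every port-security violation, and raises a second kind of alert when a port that your inventory says should be empty goes link-up. The message text mirrors the Cisco IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%LINK-3-UPDOWN` formats; other vendors need their own patterns, and the log lines and the `UNUSED_PORTS` inventory are constructed for the demonstration.

```python
"""Audit switch syslog for port-security events (added example; sample input is constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Patterns follow Cisco IOS syslog wording (assumption: adapt them for other vendors).
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>[^\s.]+)"
)
LINK_RE = re.compile(
    r"%LINK-3-UPDOWN: Interface (?P<port>[^,]+), changed state to (?P<state>up|down)"
)

# Constructed sample log: a violation on sw1 and an "empty" port on sw2 coming up.
SAMPLE_LOG = """\
Oct 12 10:15:03 sw1 101: Oct 12 10:15:03.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
Oct 12 10:15:04 sw1 102: Oct 12 10:15:04.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/3.
Oct 12 10:16:40 sw2 207: Oct 12 10:16:40.550: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
Oct 12 10:17:02 sw2 208: Oct 12 10:17:02.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

# Constructed inventory: ports that should stay administratively down (no device expected).
UNUSED_PORTS: Dict[str, Set[str]] = {"sw2": {"GigabitEthernet0/12"}}


@dataclass(frozen=True)
class Alert:
    severity: str
    switch: str
    port: str
    reason: str


def syslog_host(line: str) -> str:
    """Return the sending host from a 'Mon DD HH:MM:SS host ...' syslog line."""
    parts = line.split(maxsplit=4)
    return parts[3] if len(parts) > 3 else "unknown"


def audit_port_security(lines: Iterable[str], unused_ports: Dict[str, Set[str]]) -> List[Alert]:
    """Walk syslog lines and return alerts for violations and link-up on inventoried-unused ports."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        switch = syslog_host(line)

        m = VIOLATION_RE.search(line)
        if m:
            # Port security itself caught an unexpected MAC; this is the primary signal.
            alerts.append(Alert("high", switch, m["port"],
                                f"port-security violation by MAC {m['mac']}"))
            continue

        m = LINK_RE.search(line)
        if m and m["state"] == "up" and m["port"] in unused_ports.get(switch, set()):
            # A port that should be shut down came up: either a config drift or someone plugged in.
            alerts.append(Alert("high", switch, m["port"],
                                "link up on a port inventoried as unused"))
    return alerts


if __name__ == "__main__":
    for alert in audit_port_security(SAMPLE_LOG.splitlines(), UNUSED_PORTS):
        print(f"[{alert.severity}] {alert.switch} {alert.port}: {alert.reason}")
```

The inventory check is what turns the "empty ports" audit from a periodic manual task into a continuous one: if a port is in `UNUSED_PORTS` and the switch reports it up, either the port was never shut down (the misconfigured port the first "For" point warns about) or something was just connected to it, and both are worth a ticket. Feeding the alerts into whatever already handles your syslog (a SIEM correlation rule, or a cron job that e-mails the team) covers the "large number of switch ports" objection without anyone reading `show port-security` by hand.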
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.