What are the benefits of port security as they relate to network access control (NAC)? I was surprised that some...
see it as a controversial issue. Is it a worthwhile addition to an enterprise network security strategy?
Network port security means different things to different people. I like to look at it from the highest level possible -- which just so happens to be the easiest means for exploitation. I'm referring to network ports in and around the building or campus that are "hot," thus allowing anyone to plug in and connect to the network via DHCP or by knowing IP addresses to assign.
I see this quite often in my security assessment work. All it takes is someone -- be it a "trusted" insider or a physical intruder -- to plug into a network that they shouldn't access, run some quick vulnerability scans and use a tool such as Metasploit to gain full remote (and undetectable) access to what would likely be numerous systems on the network -- all without requiring network login credentials.
If network ports must remain hot -- for whatever reason -- there are numerous things you can do including basic access control lists or more comprehensive technology around 802.1x authentication or even an all-out NAC system. Perhaps the simplest solution would be to place any hot unassigned ports into a non-routable VLAN until specific access is granted.
At the end of the day, what you're dealing with here directly impacts network complexity. It could be argued that by introducing network port security controls, you end up becoming distracted to the point where you actually make security worse.
Network port security is certainly part of an overall defense-in-depth strategy, but only you will know what the best fit is for your environment.
Ask the Expert:
Have a question about network security? Send it via email today. (All questions are anonymous.)
Don't miss this SearchSecurity intro to network access control
Find out whether FTP malware is a threat.
What to think about when buying NAC products.
Dig Deeper on Network Access Control technologies
Related Q&A from Kevin Beaver
While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.