What are the benefits of port security as they relate to network access control (NAC)? I was surprised that some... see it as a controversial issue. Is it a worthwhile addition to an enterprise network security strategy?
Network port security means different things to different people. I like to look at it from the highest level possible -- which just so happens to be the easiest means for exploitation. I'm referring to network ports in and around the building or campus that are "hot," thus allowing anyone to plug in and connect to the network via DHCP or by knowing IP addresses to assign.
I see this quite often in my security assessment work. All it takes is someone -- be it a "trusted" insider or a physical intruder -- to plug into a network that they shouldn't access, run some quick vulnerability scans and use a tool such as Metasploit to gain full remote (and undetectable) access to what would likely be numerous systems on the network -- all without requiring network login credentials.
If network ports must remain hot -- for whatever reason -- there are numerous things you can do, including basic access control lists, more comprehensive technology around 802.1x authentication, or even an all-out NAC system. Perhaps the simplest solution would be to place any hot unassigned ports into a non-routable VLAN until specific access is granted.
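The advice above (park hot unassigned ports in a non-routable VLAN, and put 802.1x or port-security on the ports that stay live) can be checked mechanically rather than by walking the building. The following Python script is an added example and is not part of the original column. It parses a constructed Cisco IOS-style running config, shown in a weak form beside a hardened form, and flags enabled ports that carry no assignment and are not parked in the quarantine VLAN, as well as assigned ports that have neither 802.1x nor port-security configured. The VLAN number 999, the interface names and the descriptions are hypothetical, and the absence of a `description` line is used as the proxy for "unassigned", which assumes the switch team labels every port it hands out.

```python
"""Audit an IOS-style running config for "hot" unassigned access ports.

Added example: the config text below is constructed, and VLAN 999 is a
hypothetical non-routable holding VLAN. "Unassigned" is inferred from a
missing description line, which assumes consistent port labelling.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUARANTINE_VLAN = 999  # hypothetical non-routable holding VLAN

# Weak form: two ports are live with no owner, one of them in default VLAN 1,
# and the assigned port has no authentication or MAC limit at all.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 description Reception desk PC
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
"""

# Hardened form: unused ports are labelled, parked in the quarantine VLAN and
# shut down; the live port gets 802.1x plus a one-MAC port-security limit.
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 description Reception desk PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description UNUSED - quarantine
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/3
 description UNUSED - quarantine
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""

VLAN_RE = re.compile(r"switchport access vlan (\d+)")


@dataclass
class Interface:
    name: str
    description: str = ""
    vlan: int = 1            # IOS default: an access port with no vlan set is in VLAN 1
    shutdown: bool = False
    port_security: bool = False
    dot1x: bool = False


def parse_interfaces(config: str) -> List[Interface]:
    """Split an IOS-style config into per-interface records (indented lines belong
    to the preceding 'interface' stanza; '!' or any unindented line ends it)."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None
            continue
        cmd = line.strip()
        vlan_match = VLAN_RE.fullmatch(cmd)
        if cmd.startswith("description "):
            current.description = cmd[len("description "):]
        elif vlan_match:
            current.vlan = int(vlan_match.group(1))
        elif cmd == "shutdown":
            current.shutdown = True
        elif cmd.startswith("switchport port-security"):
            current.port_security = True
        elif cmd.startswith("dot1x ") or cmd.startswith("authentication port-control"):
            current.dot1x = True
    return interfaces


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, issue) pairs for ports that violate the two rules."""
    findings: List[Tuple[str, str]] = []
    for itf in parse_interfaces(config):
        if itf.shutdown:
            continue  # administratively down: not "hot", nothing to plug into
        if not itf.description:
            # Unowned but live: must at least sit in the non-routable holding VLAN.
            if itf.vlan != QUARANTINE_VLAN:
                findings.append((itf.name, f"hot unassigned port in VLAN {itf.vlan}"))
            continue
        if not (itf.dot1x or itf.port_security):
            findings.append((itf.name, "assigned port without 802.1X or port-security"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Run against a real `show running-config` dump, the script becomes a cheap recurring check that unused ports have not quietly drifted back into a routable VLAN, which is the condition the assessment anecdote above depends on.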
At the end of the day, what you're dealing with here directly impacts network complexity. It could be argued that by introducing network port security controls, you end up becoming distracted to the point where you actually make security worse.
Network port security is certainly part of an overall defense-in-depth strategy, but only you will know what the best fit is for your environment.
Related Q&A from Kevin Beaver