
Is network port security a worthwhile enterprise security strategy?

The benefits of network port security as they relate to network access control have come under the microscope. Expert Kevin Beaver explains the benefits of this approach as well as its drawbacks.

What are the benefits of port security as they relate to network access control (NAC)? I was surprised that some see it as a controversial issue. Is it a worthwhile addition to an enterprise network security strategy?

Network port security means different things to different people. I like to look at it from the highest level possible -- which just so happens to be the easiest means for exploitation. I'm referring to network ports in and around the building or campus that are "hot," thus allowing anyone to plug in and connect to the network via DHCP or by knowing IP addresses to assign.

I see this quite often in my security assessment work. All it takes is someone -- be it a "trusted" insider or a physical intruder -- to plug into a network that they shouldn't access, run some quick vulnerability scans and use a tool such as Metasploit to gain full remote (and undetectable) access to what would likely be numerous systems on the network -- all without requiring network login credentials.

If network ports must remain hot -- for whatever reason -- there are numerous things you can do, including basic access control lists, more comprehensive technology around 802.1X authentication or even an all-out NAC system. Perhaps the simplest solution would be to place any hot unassigned ports into a non-routable VLAN until specific access is granted.

At the end of the day, what you're dealing with here directly impacts network complexity. It could be argued that by introducing network port security controls, you end up becoming distracted to the point where you actually make security worse.

Network port security is certainly part of an overall defense-in-depth strategy, but only you will know what the best fit is for your environment.
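
The hot-port check described above can be run against a saved switch configuration. The following is an added example, not code from the author: it assumes Cisco IOS-style configuration text with `!` between interface blocks, a parking VLAN numbered 999, and the constructed sample shown, and it reports as hot any enabled, non-trunk port that has no 802.1X port control and sits outside the parking VLAN.

```python
import re
# Constructed sample in Cisco IOS style; VLAN 999 is an assumed parking VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""

def classify_ports(config, parking_vlan=999):
    """Return {interface: (status, access_vlan)}; no explicit VLAN means VLAN 1."""
    result = {}
    for block in re.split(r"^![ \t]*$", config, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, body = lines[0].split(None, 1)[1], lines[1:]
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(body), re.M)
        vlan = int(m.group(1)) if m else 1
        if "shutdown" in body:
            status = "disabled"
        elif "switchport mode trunk" in body:
            status = "trunk"
        elif {"authentication port-control auto", "dot1x port-control auto"} & set(body):
            status = "dot1x"
        elif vlan == parking_vlan:
            status = "parked"
        else:
            status = "hot"  # enabled, no 802.1X, outside the parking VLAN
        result[name] = (status, vlan)
    return result

def hot_ports(config, parking_vlan=999):
    return sorted(n for n, (s, _) in classify_ports(config, parking_vlan).items() if s == "hot")
```

Port 1/0/4 in the sample has no configuration at all, which is the case most easily missed: it is enabled and in the default VLAN.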


This was last published in September 2015
