Jim,

First, physical site security is always your first line of defense.  It is a
rule of thumb that if your site security is so bad that you cannot at least
have some assurance that unauthorized people are not coming into your site,
there's always going to be a way for someone to create a security breach.
There are lots of things you can do from a network security perspective, but
a skilled person can bypass almost anything if they have physical access to
your network.

For example, you could create access based on MAC addresses and have acl's,
but if someone can simply walk up to an authorized station when a person
leaves for lunch, what good does any of that do you?  Answer, very little.

So, here is my advice, in order of priority:

1) Create security policies that users must sign that include describing
what users should and should not do with regard to computer _and_ site
security. These policies will include physical access to network
equipment/closets and user education programs.  If users don't know what
they are supposed to do, how can they do the "right" thing?  Unfortunately,
this is usually the last thing an organization implements, if at all, and
when policies are created they are usually not adequate or not kept up to
date.

2) Your client should have a facilities organization that coordinates all
physical site security around the globe.  Every site needs to have oversight
and management control.

3) IMHO, trying to manage this by MAC address will be so problematic that
it will eventually be abandoned.  My suggestion would be to use the
authentication proxy feature on all remote site routers.  This feature is
available in 12.0.5T and requires users to authenticate before being allowed
access to the network (based on ACLs you create).  This will require an
AAA server.

Here's a link:



Make the idle timeouts fairly low, like 15-20 minutes.

4) Require all user workstations to have a password protected screen saver
that enables after no more than 10 minutes of inactivity.  This will be part
of the policies you create in #1.

5) Partner with a security organization that has global presence to conduct
regular site reviews to ensure compliance with all policies.  These reviews
should be conducted on at least an annual basis for all large sites and a
semi-annual basis for smaller sites.

There are more things you could do, but if you did only these things you
would be in decent shape.

HTH,
Kent

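For reference, here is what the router side of item 3 (IOS authentication proxy with a low idle timeout and a default-deny ACL on the user-facing interface) looks like. This is an added example, not configuration from the original post; the interface, addresses, list name and server key are placeholders, and the TACACS+ server must still be configured to return the auth-proxy service attributes for each user.

```cisco
! --- AAA: auth-proxy needs both login authentication and
! --- auth-proxy authorization from the AAA server (TACACS+ here)
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.10
tacacs-server key PLACEHOLDER_KEY
!
! --- auth-proxy intercepts HTTP, so the router's HTTP server
! --- must be on and must authenticate via AAA
ip http server
ip http authentication aaa
!
! --- idle timeout in minutes; default is 60, the post suggests 15-20.
! --- Entries for a user are torn down after this much inactivity.
ip auth-proxy auth-cache-time 15
!
! --- the auth-proxy rule; "http" is the only trigger in 12.0(5)T
ip auth-proxy name SITE_USERS http
!
! --- user-facing LAN interface: deny everything inbound except the
! --- HTTP connection to the router itself (and DHCP, so a workstation
! --- can get an address and reach the login page at all).
! --- After a successful login the router inserts per-host dynamic
! --- entries ahead of this ACL, based on what the AAA server returns.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 120 in
 ip auth-proxy SITE_USERS
!
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 permit tcp any host 192.168.1.1 eq www
access-list 120 deny   ip any any
```

Verify with `show ip auth-proxy cache` (one entry per authenticated host, with its remaining idle time) and `show ip auth-proxy configuration`; a host that plugs in and never authenticates should show no cache entry and be stopped by the deny line of ACL 120.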

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jim Bond
Sent: Friday, June 22, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject: network security issue [7:9556]


Hello,

My client is a Cisco shop and they have many offices
all over the world. They want to make sure that only
authorized person can connect to their network. Their
concern is that someone may just walk into one of
their offices and plug in a laptop and then is on
their network. How can we prevent this?

The only thing I can think of is create a MAC database
and implement security on the 6509 switches. But to
create and manage tens of thousands of MAC addresses
is a pain. Is there any other way?

Thanks in advance.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9648&t=9556