[unisog] Network security police no hubs/switches/routers?
feenberg at nber.org
Mon May 23 20:14:10 GMT 2005
On Mon, 23 May 2005, Michael Holstein wrote:
> > We have just spelled out some policies that no hubs/routers are to be
> > connected to the network. There seems to be a lot of
> > resistance for this policy. I know the technical reasons for not
> > allowing this, but does anybody have a layman's explanation in their policy
> > about "Why hubs/routers are not allowed on the campus network?"
> Q: Why hubs/routers are not allowed on the campus network?
> A: They restrict the effectiveness of centralized network management.
> I've found that people learn why not to do this when we detect a virus
> (or whatever) and nick a port on the switch -- then someone calls and
> says something like "my whole lab is down".
> Then somebody gets to waste the afternoon figuring out WHICH machine it was.
What do you do when someone needs a port for a second computer? How long
does it take to get a new drop? How much does it cost? Are your users
doing anything that is important to the organization, or just playing
around? Will you allow IP phones (which usually contain a "pass-thru" port
which is equivalent to a 2 port hub)?
What is happening here is that more and more users want a port for their
laptop, in addition to the port for the desktop. We would like to offer
more than just telling them "unplug the desktop".
This is spoken as someone who has spent several afternoons looking for
errant switches, but didn't think that a "policy" was the best way to get
out of this. Your switches should pinpoint which port is the problem port,
and looking at the end of that drop should identify the interloper. The
last time this happened to me it was a switch with a straight-through
cable plugged into two ports. The time before (several years ago) it was a
router (with DHCP server on) being used as a switch.
I think a policy of always providing a (possibly managed) switch would
have a better chance of furthering the objectives of the university.
> Michael Holstein CISSP GCIA
> Cleveland State University
> unisog mailing list
> unisog at lists.sans.org
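The reply above argues that the switches themselves should pinpoint the port behind a rogue hub or unmanaged switch, and it also raises the IP-phone case, where a pass-through port legitimately puts two MAC addresses on one switch port. The following is an added example, not code from either poster, that shows the defender's side of that: it parses a MAC address table dump and flags access ports that have learned more addresses than a single host (or a phone plus a host) would explain. The input is a constructed sample in the Cisco IOS `show mac address-table` layout; the port names, VLANs, MAC addresses and the `uplinks` allowlist are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample dump in the Cisco IOS "show mac address-table" layout.
# Gi1/0/24 is assumed to be the uplink; Gi1/0/2 looks like a phone plus a PC;
# Gi1/0/3 has four hosts behind it, which is what a rogue hub/switch looks like.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4457    DYNAMIC     Gi1/0/2
  10    0011.2233.4458    DYNAMIC     Gi1/0/3
  10    0011.2233.4459    DYNAMIC     Gi1/0/3
  10    0011.2233.445a    DYNAMIC     Gi1/0/3
  10    0011.2233.445b    DYNAMIC     Gi1/0/3
  20    0011.2233.445c    DYNAMIC     Gi1/0/24
  20    0011.2233.445d    DYNAMIC     Gi1/0/24
  20    0011.2233.445e    DYNAMIC     Gi1/0/24
  20    0011.2233.445f    DYNAMIC     Gi1/0/24
  10    0100.0ccc.cccc    STATIC      CPU
"""

# One table row: VLAN, dotted-hex MAC, entry type, port name.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set of learned MACs}, ignoring headers, rules and static entries."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner, column header, separator line
        _vlan, mac, kind, port = m.groups()
        if kind.upper() != "DYNAMIC":
            continue  # STATIC / CPU entries are the switch itself, not a host
        macs_by_port[port].add(mac.lower())
    return dict(macs_by_port)


def find_suspect_ports(macs_by_port, threshold=3, uplinks=frozenset()):
    """Access ports that have learned at least `threshold` MACs.

    The default of 3 leaves room for an IP phone's pass-through port
    (phone + PC = 2 MACs) while still catching a hub or unmanaged switch.
    Ports listed in `uplinks` (trunks to other switches) are skipped, since
    they legitimately carry many addresses.
    """
    return sorted(
        (port, len(macs))
        for port, macs in macs_by_port.items()
        if port not in uplinks and len(macs) >= threshold
    )


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, count in find_suspect_ports(table, uplinks=frozenset({"Gi1/0/24"})):
        print(f"{port}: {count} MACs learned - check the drop for a hub/switch")
```

Run against the sample this reports only Gi1/0/3; dropping the threshold to 2 would also list the phone-plus-PC port, which is the trade-off the poster's IP-phone question points at. In practice the dump would come from the switch over SSH or SNMP, and the uplink allowlist from the switch's trunk configuration rather than a hard-coded set.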