[unisog] Network security police no hubs/switches/routers?
Robert Maxwell UMD OITSecurity
rmaxwell at umd.edu
Mon May 23 23:14:11 GMT 2005
Wouldn't it then be easier to mandate a single non-cheap switch for this use? A sort of edge-switch extension? Manageable, maybe not as cheap, but not as much as running new cable? And you're being responsive to the user instead of just saying no.
From: Clarke Morledge <chmorl at wm.edu>
Date: Mon, 23 May 2005 18:25:53
To: UNIversity Security Operations Group <unisog at lists.sans.org>
Subject: Re: [unisog] Network security police no hubs/switches/routers?
Once folks get in the habit of thinking that it is OK to plug in hubs and
they keep doing it for several years, such a "no hub" policy can be
difficult to enforce. The common excuse I hear is: "Why should I pay for
an extra network connection (with the extra wiring involved) when I can
run down to Walmart and pick up a cheap network hub?"
Many users tend to think that a "no hub" policy is some sort of "unfunded
mandate". What they do not realize, of course, is the cost of supporting
all of the problems associated with these hubs.
I've had several instances this year where a cheap hub started to send
packets received on the uplink interface back out the same uplink
interface. Unfortunately, the hub filtered out the Spanning Tree
packets, so I effectively get a unicast/broadcast packet storm without the
means of detecting the problem -- other than the thrashing L2 tables in
our switches. What a mess.
So my challenge is to show that allowing these cheap hubs actually costs
the university MORE money in the long run. But alas, I haven't been able
to convince everyone yet about this :-(
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
On Mon, 23 May 2005, Vijay S Sarvepalli VSSARVEP wrote:
> We have just spelled out some policies that no hubs/routers are to be
> connected to the network. There seems to be a lot of
> resistance for this policy. I know the technical reasons for not allowing
> this, but anybody have a layman explanation in their policy
> about "Why hubs/routers are not allowed on the campus network?"
> If you have one please do share. If you have a strong network security
> that limits what type of devices attach to the network, again
> in non technical terms please do share this as well.
unisog mailing list
unisog at lists.sans.org
Robert Maxwell, CISSP
Lead Incident Response Handler
OIT Security, University of Maryland
rmaxwell at umd dot edu
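The symptom Clarke describes above (a hub reflecting uplink frames back, STP filtered, and the only visible sign being thrashing L2 tables) can be surfaced from switch syslog. The following is an added example, not code from the thread or from either university: it parses constructed log lines in the Cisco IOS MACFLAP style (assumed format) and flags the port that many unrelated hosts flap onto, which is the end of the loop.

```python
import re
from collections import defaultdict

# Constructed sample switch syslog lines in the Cisco IOS MACFLAP style (assumed
# format; hostname, MACs and ports are made up for this example). Three different
# hosts all flapping onto Gi1/0/24 is the signature of a device on that port
# reflecting frames back up its uplink.
SAMPLE_LOG = """\
May 23 18:01:02 sw-edge-1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/3 and port Gi1/0/24
May 23 18:01:03 sw-edge-1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4466 in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/7
May 23 18:01:03 sw-edge-1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4477 in vlan 10 is flapping between port Gi1/0/9 and port Gi1/0/24
May 23 18:01:04 sw-edge-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
May 23 18:01:05 sw-edge-1 %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4488 in vlan 20 is flapping between port Gi1/0/5 and port Gi1/0/6
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(log_text):
    """Return one (mac, vlan, port_a, port_b) tuple per MACFLAP line; other lines are ignored."""
    flaps = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append((m["mac"], int(m["vlan"]), m["p1"], m["p2"]))
    return flaps


def suspect_ports(flaps, min_hosts=3):
    """Map each port to the distinct MACs seen flapping on it and return the ports
    at or above the threshold. A reflecting hub makes every upstream host appear
    on its own port, so the loop end is the one port shared by many unrelated flaps;
    an ordinary single-host flap (a VM migrating, a NIC team) never reaches it."""
    hosts_by_port = defaultdict(set)
    for mac, _vlan, p1, p2 in flaps:
        hosts_by_port[p1].add(mac)
        hosts_by_port[p2].add(mac)
    return {port: sorted(macs) for port, macs in hosts_by_port.items()
            if len(macs) >= min_hosts}


if __name__ == "__main__":
    for port, macs in suspect_ports(parse_flaps(SAMPLE_LOG)).items():
        print(f"{port}: {len(macs)} hosts flapping onto it; check for a looped hub")
```

On a real switch the same signal can be acted on automatically with storm control or err-disable on the flagged port, which gives the user a visible outage instead of a silent table thrash.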