[unisog] Network security police no hubs/switches/routers?

Robert Maxwell UMD OITSecurity rmaxwell at umd.edu
Mon May 23 23:14:11 GMT 2005

Wouldn't it then be easier to mandate a single non-cheap switch for this use?  A sort of edge-switch extension?  Manageable, maybe not as cheap, but not as much as running new cable?  And you're being responsive to the user instead of just saying no. 

-----Original Message-----
From: Clarke Morledge <chmorl at wm.edu>
Date: Mon, 23 May 2005 18:25:53 
To: UNIversity Security Operations Group <unisog at lists.sans.org>
Subject: Re: [unisog] Network security police no hubs/switches/routers?

Once folks get in the habit of thinking that it is OK to plug in hubs and 
they keep doing it for several years, such a "no hub" policy can be 
difficult to enforce.  The common excuse I hear is: "Why should I pay for 
an extra network connection (with the extra wiring involved) when I can 
run down to Walmart and pick up a cheap network hub?"

Many users tend to think that a "no hub" policy is some sort of "unfunded 
mandate".  What they do not realize, of course, is the cost of supporting 
all of the problems associated with these hubs.

I've had several instances this year where a cheap hub started to send 
packets received on the uplink interface back out the same uplink 
interface.   Unfortunately, the hub filtered out the Spanning Tree 
packets, so I effectively get a unicast/broadcast packet storm without the 
means of detecting the problem -- other than the thrashing L2 tables in 
our switches.  What a mess.

So my challenge is to show that allowing these cheap hubs actually costs 
the university MORE money in the long run.  But alas, I haven't been able 
to convince everyone yet about this :-(

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187

On Mon, 23 May 2005, Vijay S Sarvepalli VSSARVEP wrote:

> We have just spelled out some policies that no hubs/routers are to be
> connected to the network.  There seems to be  a lot of
> resistance for this policy.  I know the technical reasons for not allowing
> this, but anybody have a layman explanation in their policy
> about "Why hubs/routers are not allowed on the campus network?"
> If you have one please do share.  If you have a strong network security
> that limits what type of devices attach to the network, again
> in non technical terms please do share this as well.
> Thanks
> Vijay
unisog mailing list
unisog at lists.sans.org

Robert Maxwell, CISSP
Lead Incident Response Handler
OIT Security, University of Maryland
rmaxwell at umd dot edu
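Clarke's account above notes that the only visible symptom of a looped cheap hub was thrashing L2 tables in the campus switches. As an added example (not code from either poster), the script below pulls that signal out of switch syslog: it parses Catalyst-style MAC-flap notifications (the `%SW_MATM-4-MACFLAP_NOTIF` message format is assumed here) and flags any port pair where many distinct hosts are flapping, which is what a frame-reflecting hub looks like from the core, as opposed to a single roaming host. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample syslog (assumed Catalyst format, not from the original post).
# A hub reflecting frames back out its uplink makes the switch learn many
# different hosts alternately on the uplink port and the hub's edge port.
SAMPLE_LOG = """\
May 23 18:01:02 core-sw1 1234: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/24
May 23 18:01:02 core-sw1 1235: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4456 in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/1
May 23 18:01:03 core-sw1 1236: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4457 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/24
May 23 18:01:03 core-sw1 1237: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4458 in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/1
May 23 18:05:10 core-sw1 1238: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 20 is flapping between port Gi1/0/7 and port Gi1/0/9
May 23 18:05:11 core-sw1 1239: %SYS-5-CONFIG_I: Configured from console by admin
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (\S+) in vlan (\d+) "
    r"is flapping between port (\S+) and port (\S+)"
)


def parse_macflap(line):
    """Return (host, vlan, (portA, portB)) for a MAC-flap line, else None."""
    m = FLAP_RE.search(line)
    if not m:
        return None
    host, vlan, p1, p2 = m.groups()
    # Normalise the pair so "A and B" and "B and A" aggregate together.
    return host, int(vlan), tuple(sorted((p1, p2)))


def loop_suspects(lines, min_hosts=3):
    """Map (vlan, port pair) -> sorted hosts for pairs with >= min_hosts
    distinct MACs flapping. One host moving is roaming; many hosts bouncing
    between the same two ports is a loop or a reflecting hub."""
    hosts_by_pair = defaultdict(set)
    for line in lines:
        parsed = parse_macflap(line)
        if parsed is None:
            continue
        host, vlan, pair = parsed
        hosts_by_pair[(vlan, pair)].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_pair.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (vlan, (a, b)), hosts in loop_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"vlan {vlan}: {len(hosts)} hosts flapping between {a} and {b}")
```

With the sample data this reports the four hosts bouncing between Gi1/0/1 and Gi1/0/24 on vlan 10 and ignores the lone host on vlan 20, which is the distinction a NOC would want before sending someone to pull a hub.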
