Interesting Switching Question....

atbreen14217
Level 1

All,

I have had an interesting situation posed to me, and I wanted to reach out to the community for some advice and/or to touch into everyone's knowledge and experience.

My company has a customer, who is a hospital. The hospital is using DHCP throughout their environment for their PCs. The hospital has not implemented any wireless products in their network. One of their doctors brought in a Linksys Wireless Router, plugged it into the LAN port in his office, and is using that wireless router so that he can walk around the hospital with his laptop and still be on the network. The hospital, as I'm sure you can imagine, is pretty upset with this, as it poses a security breach on the network. They realize that the wireless router belongs to the doctor, and that he's likely not going to remove the device from the network, nor implement any security features on the router (i.e. SSID / encryption). From what I'm told, this is a dilemma that the hospital wants to close down as quickly as possible, and the hospital wants to keep this from becoming a "political issue" with the doctor.

When I was asked about my opinion on the issue, my only thought was that the hospital should enable port security on the switches, and essentially hard-code each PC's MAC address (either through programming the individual MAC address, or making the MAC address "sticky" to an individual port) to the switch, also making sure that the port is shut down if the MAC address is different than what is recorded in the MAC address tables. The hospital isn't thinking of installing wireless access points into the network as of yet, as it doesn't sound like they are ready for implementing that technology into their network. They don't feel that they can enforce a directive to the doctor to remove the wireless device from the network, and they don't feel that they could persuade the doctor to enable the security features on the wireless router.

I told my salesperson that doing the switch programming may take some time, and will likely cause a lot of work for the IT staff at the hospital. I guess I'm looking for any other information that might make this situation either easier to implement, or might be comparable to doing all of the switch programming for all of the individual ports. Any thoughts/ideas would be appreciated.

Thanks in advance!

Aaron

17 Replies

correction, HIPAA.

rossua994
Level 1

With a MAC ACL configured on the hospital switch ports which the doctor can access, it would be possible to block all network access via the Linksys router, so long as it was being used as a Layer 3 device, i.e. its Internet port was connected to the hospital switch. For example, create a MAC ACL named block-router and apply it to switch ports 1-24 on the local switch which the doctor accesses:

Switch(config)#mac access-list extended block-router
Switch(config-ext-macl)#deny host xxxx.yyyy.zzzz any
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#exit
Switch(config)#interface range fastethernet 0/1 - 24
Switch(config-if-range)#mac access-group block-router in
Switch(config-if-range)#end

(xxxx.yyyy.zzzz = router MAC address, i.e. the MAC of the Linksys Internet/WAN port; the ACL is applied inbound, so frames sourced from that MAC are dropped at the access port)

If the doctor is using the router purely as a layer 2 device the situation is more difficult. If the doctor's switch supports Spanning Tree Protocol this will be on by default and enabling PortFast and Cisco BPDU guard on the hospital switch ports will prevent access, as these features ensure only an end-user workstation can be connected to a switch port.

The Layer 3 solution may at least cause some disruption to the doctor (e.g. someone go in and change the L2 connection to an L3 connection when he's not there), until someone figures out a good Layer 2 solution.

ross.bagurdes
Level 1

If I am not mistaken, I hear a lot of solutions that solve the problem of this one particular, special case of a doctor plugging in his LinkSys AP to the switch. This particular problem is quite easy to solve. Just shut his port off!

As I understand it, the problem is more global, i.e. how does a network admin stop ANY user from doing the same thing the doctor is?

A policy is fine, but who will enforce it for all users? Blocking the port is fine, but what will stop the user from plugging into a neighbor's port? A MAC address ACL is fine for blocking this particular doctor, but what will stop him from bringing in a different AP?

I think the problem that needs to be addressed is more global. Assuming that there is a policy that users may NOT bring in an AP and plug it into the network, the network admin must come up with a technical solution that enforces this policy, with the assumption that users will do it, and currently are doing it, without the knowledge of the network admin.

This is a tough case . . . . Short of NAC, 802.1x, or a wireless solution that will block rogue APs, the issue becomes more complicated.

I think dynamic port security is probably your best bet at this point, and have the port error-disable when the MAC address changes. Statically configuring the MACs on the switches is an administrative nightmare.

Even with the dynamic MAC address, it can be a problem, as a user will have to contact a network admin when their PC changes, or if they bring in a laptop. Plus you have to have some way to police what type of device is being plugged in, when a user does say that their MAC address changed. This isn't too hard, as it is easy to look up the manufacturer of a NIC to determine if it is an AP or a NIC.

Knowing the MAC address on the network is a HUGE benefit, and is strictly why we use DHCP with Static IP assignment to MAC address.

-Ross
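The two practical ideas in this thread (the original post's sticky port security with shutdown on a MAC change, and Ross's point that you can spot a consumer router from its NIC manufacturer) can be tied together in a small script that reads a switch's MAC address table. This is an added example, not code from any of the posters: it parses a constructed `show mac address-table dynamic` dump, flags access ports that either learn a MAC whose OUI is on a vendor watch-list or learn more than one MAC (what a router in bridge/AP mode or a hub looks like from the switch side, which does not depend on the device sending BPDUs), and prints the sticky port-security plus PortFast/BPDU guard configuration for each access port. The OUI table is a small excerpt that I believe to be Cisco-Linksys allocations but should be verified against the IEEE registry, and the uplink port set and all sample MACs are assumptions for the example.

```python
"""Flag likely rogue consumer routers/APs from a Cisco 'show mac address-table
dynamic' dump and emit the sticky port-security remediation discussed above.
Added example; not from the original thread."""
import re
from collections import defaultdict

# Sample IOS output, constructed for this example (02:xx MACs are locally
# administered placeholders; the 0014.bf one stands in for the Linksys WAN port).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Fa0/1
  10    0200.0000.0002    DYNAMIC     Fa0/2
  10    0014.bf12.3456    DYNAMIC     Fa0/7
  10    0200.0000.0003    DYNAMIC     Fa0/9
  10    0200.0000.0004    DYNAMIC     Fa0/9
  10    0200.0000.0005    DYNAMIC     Fa0/9
  10    0200.0000.0006    DYNAMIC     Gi0/1
  10    0200.0000.0007    DYNAMIC     Gi0/1
"""

# OUI watch-list. Assumed Cisco-Linksys prefixes for illustration; in practice
# load the full IEEE OUI registry and pick the vendors you care about.
CONSUMER_WIFI_OUIS = {
    "00:14:BF": "Cisco-Linksys",
    "00:18:39": "Cisco-Linksys",
    "00:1C:10": "Cisco-Linksys",
    "00:21:29": "Cisco-Linksys",
}

UPLINKS = {"Gi0/1"}  # assumed trunk/uplink ports; many MACs are normal there

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples with MACs normalised to AA:BB:CC:DD:EE:FF."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and separator lines
        vlan, dotted, _type, port = m.groups()
        hexstr = dotted.replace(".", "").upper()
        mac = ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
        rows.append((int(vlan), mac, port))
    return rows


def find_suspects(rows, uplinks=UPLINKS, vendor_ouis=CONSUMER_WIFI_OUIS):
    """Map port -> reasons. Two signals: a watch-listed OUI (a NAT router only
    shows its one WAN MAC, so the OUI is all the switch sees) and more than one
    MAC on an access port (router bridging, AP mode, or a hub)."""
    by_port = defaultdict(list)
    for _vlan, mac, port in rows:
        by_port[port].append(mac)
    suspects = {}
    for port, macs in by_port.items():
        if port in uplinks:
            continue
        reasons = [f"{mac} OUI registered to {vendor_ouis[mac[:8]]}"
                   for mac in macs if mac[:8] in vendor_ouis]
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs learned on one access port: "
                           + ", ".join(sorted(macs)))
        if reasons:
            suspects[port] = reasons
    return suspects


def port_security_config(port, max_macs=1):
    """IOS lines that lock the port to the first MAC(s) it learns ('sticky'),
    err-disable it on a mismatch, and add PortFast with BPDU guard."""
    return [f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {max_macs}",
            " switchport port-security mac-address sticky",
            " switchport port-security violation shutdown",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable"]


def remediation(rows, uplinks=UPLINKS):
    """Config for every access port seen: flagged ports are also shut down so
    someone has to go and look before they come back up."""
    suspects = find_suspects(rows, uplinks)
    lines = []
    for port in sorted({p for _, _, p in rows if p not in uplinks}):
        lines += port_security_config(port)
        if port in suspects:
            lines += [f" ! {reason}" for reason in suspects[port]]
            lines.append(" shutdown")
    return lines


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for port, reasons in sorted(find_suspects(table).items()):
        print(f"{port}: " + "; ".join(reasons))
    print("\n".join(remediation(table)))
```

Sticky learning only helps once the port has learned the right MAC, so run the check against a table captured while the legitimate PC is plugged in, and keep the uplink set accurate, or the script will try to lock down your trunks.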