I have a situation where I'm required to install a switch in a location that is physically insecure and has guests coming and going. It is in the audio rack of a sound desk at a facility that has lots of non-staff members that have physical access to it.

It is an HP ProCurve switch. I plan on taking the following precautions, but am looking for any loopholes I may have missed:

  1. Disable the physical device reset buttons on the front of the switch (in software), not with epoxy
  2. Disable all ports that are not in active use
  3. Port-based VLAN for the active ports that take them off the main network and onto a less trusted network (but cannot go to a DMZ-style totally untrusted network)
  4. Leave two ports enabled that go immediately to a captive portal on a guest VLAN for, well, guests. (the use of these ports will be publicly documented)
  5. Port-based 802.1X authentication based on known MAC addresses for the active, non-guest ports
  6. The uplink port will use 802.1Q trunking with a native VLAN that is unused.

The cabling will be static. It will virtually never change, apart from the two guest ports.

I know for a fact that, due to the sort of people who come through the location, they will be curious to see what's on the switch, and I don't want them getting into the protected part of the network unless they actively attempt to subvert the security. (And if they do that, then that's a question for security.se)

Teun Vink
Mark Henderson

2 Answers


I'd use a patch panel protector if port security was a real issue.

Of course, this depends on the access needed, frequency of physical port changes, and the composition of the rest of the rack/enclosure.


ewwhite
    This approach does not adequately give any protection at all. It might deter some unknowledgeable malicious people but it really gives a false sense of security. It would be quite easy to open this type of enclosure by means of lock picking or even a drill/hammer/wedge. – ponsfonze Aug 15 '14 at 11:54
  • @ponsfonze in the question I state that my current scope is to keep out curious parties. I think this would do quite well to keep them out. I'm not concerned with people who want to actively subvert the network in the scope of this question. – Mark Henderson Aug 17 '14 at 02:01

You also need to consider console port security, i.e., making sure AAA is enabled on the console. If the ProCurve doesn't support AAA on the console port, then make sure the login password for the console line is strong (and maybe rotated every 90 days or so).

John Jensen
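As an added example (not part of the question or either answer), the following Python script audits a ProCurve-style running-config for the precautions in Mark Henderson's list (front-panel reset disabled, spare ports disabled, access ports untagged only in the less-trusted or guest VLAN, port-access authentication on the non-guest ports, an unused native VLAN on the 802.1Q uplink) and for the console AAA point in John Jensen's answer. The port count, port roles, VLAN ids and the sample config are constructed assumptions; the config syntax approximates ProCurve `show running-config` output and should be compared with the real switch's output before the checks are trusted.

```python
"""Audit a ProCurve-style running-config against the question's checklist
(front-panel reset, spare ports, VLAN placement, port-access auth, unused
native VLAN) and the console AAA point. Numbers and sample are constructed."""
TOTAL_PORTS = 24                                      # assumed 24-port switch
ACTIVE_PORTS, GUEST_PORTS, UPLINK_PORT = {1, 2}, {3, 4}, 24   # assumed roles
LESS_TRUSTED_VLAN, GUEST_VLAN, MAIN_VLAN = 20, 30, 1  # assumed VLAN ids

SAMPLE_CONFIG = """\
; constructed sample approximating ProCurve running-config syntax
no front-panel-security factory-reset
no front-panel-security password-clear
aaa authentication console login radius local
interface 5-23
   disable
   exit
vlan 1
   no untagged 1-24
   exit
vlan 20
   untagged 1-2
   tagged 24
   exit
vlan 30
   untagged 3-4
   tagged 24
   exit
vlan 999
   untagged 24
   exit
aaa port-access mac-based 1-2
"""

def expand_ports(spec):
    """'1-4,7' -> {1, 2, 3, 4, 7}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_config(text):
    # VLAN 1 is untagged on every port until the config says otherwise
    s = {"disabled": set(), "authed": set(), "front_panel": set(), "console": [],
         "vlans": {1: {"untagged": set(range(1, TOTAL_PORTS + 1)), "tagged": set()}}}
    ctx = None                        # ("interface", ports) or ("vlan", vid)
    for raw in text.splitlines():
        words = raw.split(";")[0].split()   # ';' starts a comment
        if not words:
            continue
        head, in_vlan = words[0], bool(ctx) and ctx[0] == "vlan"
        if head == "interface":
            ctx = ("interface", expand_ports(words[1]))
        elif head == "vlan":
            ctx = ("vlan", int(words[1]))
            s["vlans"].setdefault(ctx[1], {"untagged": set(), "tagged": set()})
        elif head == "exit":
            ctx = None
        elif ctx and ctx[0] == "interface" and head == "disable":
            s["disabled"] |= ctx[1]
        elif in_vlan and head in ("untagged", "tagged"):
            s["vlans"][ctx[1]][head] |= expand_ports(words[1])
        elif in_vlan and words[:2] == ["no", "untagged"]:
            s["vlans"][ctx[1]]["untagged"] -= expand_ports(words[2])
        elif words[:2] == ["aaa", "port-access"] and words[3:4] and words[3][:1].isdigit():
            s["authed"] |= expand_ports(words[3])      # authenticator / mac-based
        elif words[:2] == ["no", "front-panel-security"]:
            s["front_panel"].add(words[2])
        elif words[:4] == ["aaa", "authentication", "console", "login"]:
            s["console"] = words[4:]
    return s

def audit(text):
    """Return findings; an empty list means every precaution is present."""
    s = parse_config(text)
    vlans, out = s["vlans"], []
    untagged_in = lambda p: {v for v, m in vlans.items() if p in m["untagged"]}
    for setting in ("factory-reset", "password-clear"):
        if setting not in s["front_panel"]:
            out.append(f"front-panel {setting} still enabled")
    spare = set(range(1, TOTAL_PORTS + 1)) - ACTIVE_PORTS - GUEST_PORTS - {UPLINK_PORT}
    if spare - s["disabled"]:
        out.append(f"unused ports not disabled: {sorted(spare - s['disabled'])}")
    wanted = {**dict.fromkeys(ACTIVE_PORTS, LESS_TRUSTED_VLAN), **dict.fromkeys(GUEST_PORTS, GUEST_VLAN)}
    for port, vid in wanted.items():   # access ports: untagged in one VLAN, tagged in none
        if untagged_in(port) != {vid} or any(port in m["tagged"] for m in vlans.values()):
            out.append(f"port {port} not solely untagged in VLAN {vid}")
    for port in sorted(ACTIVE_PORTS - s["authed"]):
        out.append(f"port {port} has no 802.1X/MAC-based port-access authentication")
    native = untagged_in(UPLINK_PORT)
    if len(native) != 1:
        out.append("uplink must be untagged in exactly one (native) VLAN")
    else:
        (vid,) = native                # native VLAN must not carry any other port
        others = (vlans[vid]["untagged"] | vlans[vid]["tagged"]) - {UPLINK_PORT}
        if vid == MAIN_VLAN or others:
            out.append(f"uplink native VLAN {vid} is used by other ports")
    if not set(s["console"]) & {"radius", "tacacs"}:
        out.append("console login is not backed by a RADIUS/TACACS server")
    return out
```

Run `audit(open("running-config.txt").read())` against a saved copy of the switch configuration; each finding maps back to one item of the checklist, so a re-run after any cabling change shows which precaution was lost.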