How to keep people from connecting a PC instead of Access points or Cameras?

Hello,

How would you secure your network if you have devices (Wifi Access Points, Cameras, …) installed in locations where physical access protection can’t be provided (corridors, common rooms, …)?

Those devices have the common properties:

  • most if not all are PoE powered,
  • they hold a tag or label where MAC address can be read
  • they can be easily unplugged
  • they have a reset button
  • they can be provisioned once and for all to send all outbound traffic on a couple of VLANs (so that the default VLAN can, if necessary, be forbidden on the corresponding switch port)
  • they are plugged into identified switch port ranges (i.e. all devices are plugged into Switch A/ports 1-15 or Switch B/ports 1-20, but the precise device-to-port mapping remains unknown for several days or weeks)

I foresee two cases:

  1. someone equipped with a PC
  2. someone equipped with some wiretapping equipment (switch with port mirroring, dedicated devices, …).

A. How can you keep someone from discovering VLANs (from both above types)?
B. Is it recommended to dedicate a Honeypot VLAN that would:

  • be set as the default VLAN on each “compromisable” switch port
  • provide basic Internet connectivity
  • alert the admin as soon as traffic is detected on it

C. Thoughts? Comments, Recommendations?

Best regards

802.1X is then the only way to go. But it depends on the sort of “endpoint” and what its capabilities are.
If the endpoint has a supplicant you can work with username/password/certificates, but for really dumb devices MAC “authentication” is a minimum.
In addition to that, specific filtering indeed, to control the data flows to the essential.

Yes, 802.1X fits perfectly but unfortunately, most if not all of the devices I’m using do not act as 802.1X clients themselves.

PVLAN’s (Private VLAN, aka “Port Isolation”) would also be something possible.

In a PVLAN, there are mainly two types of ports:

Promiscuous port (P-Port) and Host port, and the Host port further divides into two types: Isolated port (I-Port) and Community port (C-Port).
Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of a port that is allowed to send and receive frames from any other port on the VLAN.

Host Ports:
Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only with P-Ports.
Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port communicates with P-Ports and ports on the same community VLAN.

So basically you could define the gateway/firewall/L3-switch as a P-port, and each of your end devices will be I-ports, fully isolated and only able to speak with the gateway.
You then apply extensive FILTERING on this based on the data flows in the requirements.
So if I then “steal” your port and “spoof” the MAC address, I cannot really do much else than what is granted on the firewall.

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_isolation

Use access restrictions on the devices themselves if they have them. By MAC, IP, and strong password(s).
MAC and IP of course are not that secure, as everybody can change them on his access device.

To prevent unauthorized access via LAN/WAN: protect also on the router…

And: if possible on the devices, use notification messages to yourself (email, SMS etc.) when someone does a login on the device…

Also ensure the accessible device’s RouterBOOT is protected.
Else one will just reset the device and can do whatever he wants with it.
https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader

As a start, why don’t you configure a separate VLAN for the cameras that is untagged on the switch ports where they are connected (and those ports have no other VLANs), so anything happening with the cameras or the ports where they are connected does not in any way affect your LAN.
In this same VLAN you put the recorder for the cameras, and if required you make a firewall rule that only allows outgoing connections from the LAN to the recorder and nothing in reverse.
Or, if the cameras are a cloud system you make a rule to allow access to internet from that VLAN but no communication with your LAN.

This requires no special facilities like 802.1X or PVLAN; it can be done with any cheap managed switch (like MikroTik). And you can configure port isolation when the switch offers it.
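The untagged camera VLAN with a one-way LAN-to-recorder firewall rule described in the last reply, written out as a RouterOS bridge VLAN filtering configuration, plus a log rule covering the alerting idea from point B of the question. This is an added example, not any poster's configuration: the port roles, VLAN ids, addresses, the recorder at 10.20.0.10, static addressing for the cameras, and the use of bridge horizon for port isolation are all assumptions.

```routeros
# Added example, not from the thread. Assumed layout:
#   ether1        = LAN (untagged VLAN 10, 10.10.0.0/24)
#   ether2-ether5 = camera/AP ports in exposed locations (untagged VLAN 20)
#   ether6        = camera recorder, static 10.20.0.10 (untagged VLAN 20)
# Cameras use static IPs, so no DHCP is needed on VLAN 20.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
# Exposed ports: only untagged frames admitted, so a PC plugged in here
# cannot tag its way into another VLAN. horizon=1 keeps the exposed ports
# from talking to each other while the recorder (no horizon) stays reachable.
add bridge=bridge1 interface=ether2 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged horizon=1
add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged horizon=1
add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged horizon=1
add bridge=bridge1 interface=ether5 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged horizon=1
add bridge=bridge1 interface=ether6 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether2,ether3,ether4,ether5,ether6
/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan20-cam interface=bridge1 vlan-id=20
/ip address
add address=10.10.0.1/24 interface=vlan10-lan
add address=10.20.0.1/24 interface=vlan20-cam
/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Only the LAN may open connections, and only to the recorder.
add chain=forward in-interface=vlan10-lan out-interface=vlan20-cam \
    dst-address=10.20.0.10 action=accept comment="LAN -> recorder only"
# Camera-to-recorder traffic stays inside VLAN 20 and never hits this chain,
# so any new connection leaving VLAN 20 is unexpected: log it, then drop it.
add chain=forward in-interface=vlan20-cam connection-state=new \
    action=log log-prefix="cam-vlan-unexpected"
add chain=forward in-interface=vlan20-cam action=drop \
    comment="nothing from the camera VLAN reaches the LAN or Internet"
# The exposed ports must not be able to manage the router either.
add chain=input in-interface=vlan20-cam action=drop
# Enable filtering last, once all VLAN memberships are in place.
/interface bridge set bridge1 vlan-filtering=yes
```

For cloud cameras, replace the drop rule with one that allows vlan20-cam out to the WAN interface only, keeping the drop towards vlan10-lan; the log entries can be forwarded by the logging facility to a remote syslog host to act as the alert.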