Hello,
How would you secure your network if you have devices (Wi-Fi access points, cameras, ...) installed in locations where physical access protection can't be provided (corridors, common rooms, ...)?
Those devices have the following properties in common:
- most if not all are PoE powered,
- they carry a tag or label from which the MAC address can be read,
- they can be easily unplugged,
- they have a reset button,
- they can be provisioned once and for all to send all outbound traffic in a couple of VLANs (so that the default VLAN can, if necessary, be forbidden on the corresponding switch port),
- they are plugged into identified switch port ranges (i.e. all devices are plugged into Switch A/ports 1-15 or Switch B/ports 1-20, but the precise device-to-port mapping remains unknown for several days or weeks).
I foresee two cases:
1. someone equipped with a PC
2. someone equipped with wiretapping equipment (a switch with port mirroring, dedicated devices, ...).
A. How can you keep someone (of either type above) from discovering the VLANs?
B. Is it recommended to dedicate a honeypot VLAN that would:
- be set as the default VLAN on each "compromisable" switch port,
- provide basic Internet connectivity,
- alert the admin as soon as traffic is detected on it?
C. Thoughts? Comments? Recommendations?
Best regards
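The alerting side of the honeypot-VLAN idea in point B, as an added example that is not part of the original post: a small Python evaluator that takes per-port flow records (as an sFlow/NetFlow collector or a switch MAC-table export would provide them; the record layout is an assumption) and raises alerts for traffic on the honeypot VLAN, for unknown MACs on the exposed port ranges, and for a labelled MAC that shows up on a different port than where it was first learned. VLAN numbers 999/100/200, the two device MACs and the flow records are constructed for the example. Two caveats the post's own properties suggest: a known device talking on the default VLAN is more likely a pressed reset button than an intruder, so it is rated lower than an unknown MAC; and since the MAC is printed on a readable label, the MAC allowlist is a tripwire, not authentication (an attacker can clone it), which is why the port-move check is there as a second signal.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed VLAN layout, not taken from the original post: VLAN 999 is the
# untagged default ("honeypot") VLAN on every exposed port; provisioned
# devices tag their own traffic into VLANs 100 and 200.
HONEYPOT_VLAN = 999
DEVICE_VLANS = {100, 200}

# Hypothetical inventory built from the MAC labels on the devices.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "ap-corridor-1",
    "00:11:22:33:44:02": "cam-lobby-1",
}

# Exposed port ranges from the post: Switch A ports 1-15, Switch B ports 1-20.
# The exact device-to-port mapping is learned at runtime, not configured.
EXPOSED_PORTS = {"switchA": range(1, 16), "switchB": range(1, 21)}


@dataclass(frozen=True)
class Flow:
    """One flow / MAC-table record. The field set is an assumption about what
    the collector exports; adapt it to the real feed."""
    switch: str
    port: int
    vlan: int
    src_mac: str
    dst_ip: str
    octets: int


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PortMonitor:
    """Stateful evaluator: remembers on which exposed port each labelled MAC
    was first seen, then alerts on honeypot traffic, unknown MACs and moves."""

    def __init__(self) -> None:
        self.location: Dict[str, Tuple[str, int]] = {}

    def evaluate(self, flow: Flow) -> List[str]:
        alerts: List[str] = []
        mac = normalize_mac(flow.src_mac)
        where = f"{flow.switch}/{flow.port}"
        exposed = flow.port in EXPOSED_PORTS.get(flow.switch, range(0))
        name = KNOWN_DEVICES.get(mac)

        if flow.vlan == HONEYPOT_VLAN:
            # Provisioned devices never use this VLAN, so anything here is news.
            if name is None:
                alerts.append(f"CRITICAL: unknown MAC {mac} on honeypot VLAN at {where} (dst {flow.dst_ip})")
            else:
                # A labelled device back in the default VLAN usually means the
                # reset button was pressed or the unit was swapped for another.
                alerts.append(f"HIGH: {name} ({mac}) on honeypot VLAN at {where}: reset or replaced device")
        elif exposed:
            if name is None:
                alerts.append(f"CRITICAL: unknown MAC {mac} in device VLAN {flow.vlan} at {where}")
            elif flow.vlan not in DEVICE_VLANS:
                alerts.append(f"HIGH: {name} ({mac}) in unexpected VLAN {flow.vlan} at {where}")

        if exposed and name is not None:
            # First sighting binds the label MAC to a port; a later sighting
            # elsewhere is an unplug/replug or a cloned MAC. Alert once per move.
            here = (flow.switch, flow.port)
            prev = self.location.setdefault(mac, here)
            if prev != here:
                alerts.append(f"HIGH: {name} ({mac}) moved from {prev[0]}/{prev[1]} to {where}")
                self.location[mac] = here
        return alerts


# Constructed records, not captured data.
SAMPLE_FLOWS = [
    Flow("switchA", 3, 100, "0011.2233.4401", "10.0.100.1", 1200),      # AP, normal
    Flow("switchB", 7, 999, "00-11-22-33-44-02", "93.184.216.34", 500),  # camera after a reset
    Flow("switchA", 3, 999, "de:ad:be:ef:00:01", "93.184.216.34", 80),   # PC plugged into the AP's port
    Flow("switchA", 12, 200, "de:ad:be:ef:00:02", "10.0.200.1", 90),     # PC tagging a discovered VLAN
    Flow("switchA", 24, 100, "de:ad:be:ef:00:03", "10.0.100.1", 90),     # port outside the exposed range
    Flow("switchA", 5, 100, "00:11:22:33:44:01", "10.0.100.1", 700),     # AP's MAC now on another port
]


def run(flows: List[Flow], monitor: Optional[PortMonitor] = None) -> List[Tuple[Flow, List[str]]]:
    """Evaluate flows in order with one shared monitor; returns (flow, alerts) pairs."""
    monitor = monitor or PortMonitor()
    return [(f, monitor.evaluate(f)) for f in flows]


if __name__ == "__main__":
    for _flow, flow_alerts in run(SAMPLE_FLOWS):
        for line in flow_alerts:
            print(line)
```

Feeding it the sample records prints four alerts: the reset camera (HIGH), the PC on the honeypot VLAN and the PC inside VLAN 200 (both CRITICAL), and the access point's MAC appearing on a second port (HIGH); the flow on port 24, outside the exposed ranges, is ignored. Honeypot VLAN alerts fire on any traffic at all, so the VLAN should carry nothing of its own (no DHCP chatter from your side, no management traffic) or the baseline will never be quiet.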