security on network, 802.1X, VLANs, or?

Started by madrivermadonus, October 02, 2022, 02:39:39 AM


madrivermadonus

Hello

I have a Cisco CBS250 switch and I am trying to find out the best practices to add more security on my network without adding a firewall.
I have the ISP's router, a Cisco CBS250 switch, a NAS, IP cameras, 3 desktops and 4 laptops.
First I thought to create VLANs to segment the LAN, but I will lose access to every device (e.g. IP camera, NAS).

Second I thought to disable DHCP on the router and make IP and MAC binding as the best practice for security, in case "someone" disconnects the outside camera and adds a laptop to get into my LAN. Of course this is dysfunctional for adding new users, but it is more secure because it is forbidden to add a new device to the LAN without adding it through the router in the ARP table.

Third I thought to create ACLs, but this helps with routing (permit/deny) from specific users (IPs) to others. I think this cannot help with the camera scenario above.

It would help if the switch supported dynamic VLAN (MAC based) but it doesn't (only the 350 series), and if I could add security per port by setting the maximum devices (MACs) per port to "1", so if "someone" adds a laptop (new MAC) he will be locked out.

There are several ways to add security, but I am interested in making some kind of rule for a specific port that will allow only the camera to connect to the network, and in case "someone" connects a new device he will be banned from the LAN.

Please, I want your ideas and suggestions.
Thank you


Dieselboy

I think what you are describing is NAC (Network Access Control). One open-source tool I know about that can help is PacketFence.

deanwebb

A static MAC address binding on ports with static devices, like the webcam, is perfectly all right, as you won't be interchanging those devices very often and they're only associated with those ports.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
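The static binding deanwebb describes, written out as an added example (not from either poster). It is in Cisco IOS port-security syntax as an assumption: the CBS250 CLI uses different keywords for the same feature, so check the exact commands against its admin guide. The interface name, VLAN number and camera MAC are constructed placeholders.

```cisco
! Port Gi1/0/5 feeds the outdoor camera. Only the camera's MAC
! (constructed placeholder 0011.2233.4455) is allowed to appear here.
interface GigabitEthernet1/0/5
 description OUTDOOR-CAMERA
 switchport mode access
 switchport access vlan 30
 ! Learn at most one MAC, pin it to the camera, and err-disable the
 ! port if any other MAC shows up (the "locked out" behaviour asked for).
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 ! A camera is an end device; it should never send BPDUs.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: recover the err-disabled port after 5 minutes so a brief
! cable swap does not need a manual "shutdown / no shutdown". Leave this
! out if you want the port to stay down until someone checks it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify the binding and any violations:
! show port-security interface GigabitEthernet1/0/5
! show port-security address
```

If taking the port down is too disruptive, `violation restrict` drops the offending frames and logs them while leaving the port up, which is the better choice for ports you cannot physically inspect quickly.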