Recently someone asked me, “What can I do to secure my physical network?” Almost immediately, I offered the standard suggestion of implementing a NAC. Normally the next question I get is “What is a NAC?”, and then I go into what it is, and what it can do. However, this time I was given a response I don’t normally get. The person I was talking to was knowledgeable, and I was told that NAC was not an option because they have little to no budget, and no resources to manage it. So I started thinking, what other options are out there short of unplugging the ports from the switch?
After a few Google searches, I found RJ-45 jack locks. Traditionally, these are used for securing patch panels, but there is nothing that prevents them from being used for open ports around the office. RJ-45 jack locks are relatively inexpensive and easy to put in place. The only issue with implementing these locks is in the management. There is the possibility that once a jack lock is removed, it may not get replaced.
Maybe you are the kind of company that consistently has contractors or guests that need to connect to your network. And maybe you don’t have wireless available; then the RJ-45 lock is not the best option.
In that case, in my opinion the best solution would be to segment your network. You could place all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Setting up rules on a firewall that would only allow ports 80 and 443 outbound can also help secure the VLAN. Then monitor that DHCP server for any leases and track down where people are randomly plugging in.
Finally, there is the option of using MAC address filtering. Within Windows 2003 and 2008 Server, there is a callout DLL that will take a systems MAC address that is asking for an address, and compare it with a white-list of MAC addresses that should have access to the network. If the MAC address is not listed, then access will not be granted. This can help if you are trying to prevent users from plugging their network device to an open network jack, and it can help with users who want to bring their personal device, and connecting it to the wireless network. A down side to this is the creation of the white-list. Depending on the size of the company gathering MAC addresses from all machines can be a long tedious task.
So in summary, if you are looking to secure your network, there is more than one way to do it. A NAC solution may still be the best bet for a number of companies, but when budget and resources are limited, RJ-45 jack locks may prove a creative, inexpensive solution. If managing jack locks is too challenging, segmenting your network or implementing MAC address filtering is an effective course of action as well.