Connection to an enterprise LAN is often too easy
The enterprise LAN needs to be easy to use and reliable. However, many people, such as visitors, employees, cleaners and temporary staff, often have physical access to LAN sockets located in open workspaces such as:
- Open-plan offices
- Meeting rooms
- Hallways & corners (printers, kiosks, webcams...)
- Unlocked wiring closet rooms
Mobility can worsen the problem of having unauthorised users in your network, since users expect to be able to connect to any socket, in any room, easily. Often there is not enough Ethernet cabling, which leads to the use of hubs or unmanaged switches and provides even more opportunities to connect unauthorised devices. Ethernet LAN sockets may be accessible to employees, visitors, cleaning staff, electricians, etc. This is why you may wish to know what is connecting to your network, where and when, in order to keep out rogue users who might pose a security risk by introducing viruses, disrupting services, sniffing traffic, or accessing internal data and resources.
Dynamic cable and VLAN management
Cabling is generally difficult to change and expensive.
Each time employees move office, it should be possible to automatically reuse the same cabling structure. Patch cables should also be documented, allowing the location of unauthorised devices to be pinpointed.
- Is cabling documented?
- Does LAN management allow easy segmentation of PCs/Devices?
- Is cabling dynamically used, or are cables reserved per segment?
VLAN management should allow easy segmentation of PCs/devices and segments, and should be configurable by helpdesk/1st-level support instead of switch specialists. It should be possible to configure new VLANs in minutes, not days.
- Do we know what is on the LAN?
- Can devices be identified, located and attributed to an owner? (i.e. live inventory)
- How do we enforce LAN access security policies, e.g. authorise or block end devices?
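
One way to start answering the three questions above from data a switch already holds, as an added example (not code from the original page): it compares a snapshot of switch forwarding-table entries with an approved-device inventory and reports unknown devices, devices in the wrong VLAN, and access ports carrying more than one MAC address. All switch names, ports, MAC addresses, VLAN numbers and the `normalise`/`audit` helpers are constructed for illustration, and uplink ports are assumed to be excluded from the snapshot.

```python
from collections import defaultdict

# Constructed sample data (not from the page): an approved-device inventory
# and a snapshot of switch forwarding-table entries.
INVENTORY = {
    "00:11:22:33:44:55": {"owner": "alice", "vlan": 10},
    "00:11:22:33:44:66": {"owner": "printer-2f", "vlan": 20},
    "00:11:22:33:44:77": {"owner": "bob", "vlan": 10},
}
# (switch, port, MAC, VLAN) as seen on access ports; uplinks assumed excluded.
MAC_TABLE = [
    ("sw-floor2", "Gi0/1", "00:11:22:33:44:55", 10),
    ("sw-floor2", "Gi0/2", "00:11:22:33:44:66", 10),   # printer in the wrong VLAN
    ("sw-floor2", "Gi0/3", "00:11:22:33:44:77", 10),
    ("sw-floor2", "Gi0/3", "de:ad:be:ef:00:01", 10),   # unknown device sharing a port
    ("sw-meeting", "Gi0/7", "DE-AD-BE-EF-00-02", 10),  # unknown device, other notation
]

def normalise(mac):
    """Lower-case, colon-separated form so differing notations compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(mac_table, inventory, max_macs_per_port=1):
    """Return findings as (kind, switch, port, detail) tuples."""
    known = {normalise(m): rec for m, rec in inventory.items()}
    per_port = defaultdict(set)
    findings = []
    for switch, port, mac, vlan in mac_table:
        mac = normalise(mac)
        per_port[(switch, port)].add(mac)
        rec = known.get(mac)
        if rec is None:  # not in the inventory: no owner can be attributed
            findings.append(("unknown-device", switch, port, mac))
        elif rec["vlan"] != vlan:  # known device, but in the wrong segment
            findings.append(("vlan-mismatch", switch, port,
                             f"{rec['owner']}: expected {rec['vlan']}, seen {vlan}"))
    for (switch, port), macs in sorted(per_port.items()):
        if len(macs) > max_macs_per_port:  # several devices behind one socket
            findings.append(("multiple-macs", switch, port,
                             f"{len(macs)} MACs, possible hub"))
    return findings

if __name__ == "__main__":
    for finding in audit(MAC_TABLE, INVENTORY):
        print(*finding, sep="  ")
```

A MAC address is easy to change on most devices, so a check like this identifies and locates devices but does not authenticate them.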
Visitor/Guest LAN access
- Can externals/consultants/guests connect to your network without being able to access the Intranet (internal services, servers, resources)?
- Can such visitors be granted access in an easy and controlled manner?
- Are such visitors documented and tracked?