Hey all! So, I am working on a project to implement network access control and our Security teams have requested that we also secure our trunk ports. Primary Scenario is as follows: a number of our wireless APs are utilizing a trunked interface to extend L2 domains to our wireless SSIDs. Some of these ports are physically accessible to end-users, and there are frequently cases where users will unplug the AP and connect a laptop/desktop/etc.
What options/best practices exist to prevent a knowledgeable end-user, or worse, a threat-actor, from attempting to do this and obtain unfettered access to our network?
To be clear, we are already implementing a black-hole native VLAN, switchport nonegotiate -- what other solutions exist to prevent unauthorized access on these non-NAC'd interfaces?
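One defensive step that complements the controls already mentioned (black-hole native VLAN, `switchport nonegotiate`) is to continuously audit the AP-facing trunk ports so that a port does not quietly drift back to an unhardened state. The script below is an added example and is not part of the original post or any vendor tool: it parses a constructed Cisco IOS-style `show running-config` excerpt and flags trunk-capable ports that miss a hardening baseline. The baseline itself (explicit `switchport mode trunk`, `switchport nonegotiate`, native VLAN pinned to a reserved unused VLAN, an explicit allowed-VLAN list, and BPDU guard) and the VLAN number 999 are assumptions you would replace with your own standard.

```python
"""Audit an IOS-style running-config for under-hardened trunk ports.

Added example, not from the original post. Assumptions: Cisco IOS-like
syntax, and a hardening baseline of explicit trunk mode, nonegotiate,
a black-hole native VLAN, an explicit allowed-VLAN list, and BPDU guard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: VLAN 999 is the unused VLAN reserved as the black-hole native VLAN.
BLACKHOLE_NATIVE_VLAN = 999

# Constructed sample config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description AP-LOBBY (user-accessible)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description AP-HALLWAY
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/3
 description AP-BREAKROOM
 switchport mode dynamic desirable
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/4
 description USER-DESK
 switchport mode access
 switchport access vlan 20
!
"""


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> List[Interface]:
    """Split the config into interface blocks (indented lines under 'interface X')."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(name=raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or any top-level command closes the block
    return interfaces


def audit_trunk_port(iface: Interface) -> Optional[List[str]]:
    """Return hardening findings for a trunk-capable port; None for a plain access port."""
    lines = iface.lines
    mode = next((l for l in lines if l.startswith("switchport mode ")), None)
    if mode == "switchport mode access":
        return None
    findings: List[str] = []
    # No explicit mode means the port is left to DTP (dynamic auto by default).
    if mode != "switchport mode trunk":
        findings.append("trunk mode not pinned (DTP can negotiate): add 'switchport mode trunk'")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still advertised: add 'switchport nonegotiate'")
    native = next((l for l in lines if l.startswith("switchport trunk native vlan ")), None)
    native_id = int(native.rsplit(None, 1)[1]) if native else 1  # IOS default native VLAN is 1
    if native_id != BLACKHOLE_NATIVE_VLAN:
        findings.append(f"native VLAN is {native_id}, expected black-hole VLAN {BLACKHOLE_NATIVE_VLAN}")
    allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
    if allowed is None or allowed.endswith(" all"):
        findings.append("all VLANs carried: restrict with 'switchport trunk allowed vlan <list>'")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("no BPDU guard: a device speaking STP on this port would not be shut down")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each trunk-capable interface name to its list of findings (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for iface in parse_interfaces(config):
        findings = audit_trunk_port(iface)
        if findings is not None:
            report[iface.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for item in findings:
            print(f"  - {item}")
```

Feeding the script the output of a scheduled config backup gives you a diff-able list of AP ports that no longer match the baseline; the access port in the sample is deliberately skipped so the report only covers ports where a plugged-in host could see tagged traffic.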