I work for a DoD agency and per the STIGs, we are to have an AAA server. Duh, right? Why wouldn't you have one? Well, we don't. It's coming in the next year or so, but for now we do zero AAA.
Our current workaround is to use port security on all access ports. We set the maximum number of MAC addresses to 3 and also use sticky MAC. When one of those trips, the port goes err-disabled.
This gets to be a pain because there have been numerous times that we get called in on days off because someone switched ports on the switch and caused their port to go disabled. Even on days when we are in the office, 9 times out of 10 when our help desk calls on the network team for help, it's because port security was tripped and needs to be reset.
I was talking to my supervisor and asked why we can't just take it off, since nowhere in the STIGs does it say anything about port security or sticky MAC. He says it's because it's our workaround since we have no AAA server.
I can't seem to grasp how this makes any sense. Using an AAA server authenticates clients who are authorized to be on our network and blocks anyone else, among other things. Port security and sticky MAC do nothing to keep unauthorized users off the network. They basically just don't allow the same MAC to be on different ports and only allow so many MAC addresses on one port. We still manually check all users on the network and reference a list of approved clients that gets updated every so often. So I am having a hard time understanding how port security and sticky MAC are a temporary alternative for an AAA server. When we do our STIGs, we still mark these ones as open, even though this is our workaround.
Does this also not make sense to you guys, or am I just crazy? The funniest part about the whole thing is that when it trips, we just reset it, no questions asked. We actually have automated scripts running to clear port security and sticky MAC once a day so it's less we have to worry about.
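For readers who want to see what the setup above looks like on a switch, here is an added configuration example; it is not from the post, and it assumes Cisco IOS, since "err-disabled" and "sticky MAC" are Cisco terms (the interface name and VLAN are placeholders). It shows the access-port settings the post describes (maximum 3 MACs, sticky learning, shutdown on violation), the manual reset the author keeps getting called in for, and two optional settings that keep the MAC limit without needing a person or a daily script to bring the port back.

```cisco
! Access port as described in the post: at most 3 MAC addresses,
! sticky learning, and the port err-disables on a violation.
! Interface and VLAN are placeholders, not values from the post.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Checking why a port went down
show interfaces status err-disabled
show port-security interface GigabitEthernet1/0/10
!
! The manual reset: forget the stale sticky entry, then bounce the port
clear port-security sticky interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/10
 shutdown
 no shutdown
!
! Option A: keep shutdown mode, but let the switch re-enable the port
! itself after 10 minutes instead of waiting for an admin or a cron job.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Option B: keep the MAC limit but never err-disable. Frames from
! unknown MACs beyond the limit are dropped and a syslog/SNMP trap is
! generated, so the event is still visible without taking the port down.
interface GigabitEthernet1/0/10
 switchport port-security violation restrict
```

Note that neither option changes what port security actually enforces: it still only limits how many MAC addresses a port learns and pins them to that port. It does not identify who is plugged in, which is the job of 802.1X against the AAA server the STIG asks for. `errdisable recovery` and `violation restrict` are real IOS settings; whether they fit depends on how long an unplanned outage on a user port is acceptable.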