Lock Down Your Switch, or Else!

Locking down your switch is one of the most important steps to do (for the network engineer) or verify (for the IT auditor). Indeed, restricting physical access to your network to only those authorized is paramount. Further, it is a requirement of PCI DSS (9.1.2. Restrict physical access to publicly accessible network jacks) and ISACA (P8 Security Assessment—Penetration Testing and Vulnerability Analysis - 6.1 Rogue Access Jacks)

Looking at this from both an operational and assurance mindset, it is equally important to ensure physical access control. But, as I am sure you are aware, importance is relative. How often is PCI DSS 9.1.2 given a checkmark for compliance on either your Self-Assessment Questionnaire or on-site assessment?

From an audit, and even an engineering perspective, it is really a best practice to lock down your switches and disable any ports not in use, especially those going to areas where people may have easy, unattended access to the network.

Of course, for those in site support who may have to set up new user connections, it is quite cumbersome if the ports they need to plug their patch cables into are disabled. Indeed, instead of patching their cable and being on their merry way they now need to create that dreaded change request!

When you are on the operational side - and are feeling the pain - it is hard to see the merit of going through these processes. But, when you realize that there is a reason why the change request asks for business impact and, in many cases, will need business approval you start to see a pattern. The work we do is not in a vacuum - it supports the business. To that end, we need to be cognizant of what we are doing and what the risks are to the business.

So, the next time you need to patch in a new user and the port is disabled. Don't get mad (and, please, don't get even!) - just be glad that someone out there is doing what he/she can to keep your business secure. Now it is your turn.