At work, a few weeks ago, we added a new network device. Instead of running another ethernet cable all the way out to where it was, I just put a switch out there to ‘split’ the one cable that was already at the location. Not only was that easier, it was also future-proofing: when we add more, the extra ports are there and ready to go.
At the same time I upgraded another switch that was full from 8 ports to a 16-port switch; this way, when/as we get more network-enabled devices, we’re not scrambling to find somewhere to plug them in and/or then doing some minor network upgrading.
After I did this, I noticed a major security hole in my network. It would be trivial for someone to bring a laptop into the building and plug it in (via an ethernet cable) to one of the open ports, or even attach a WAP to the switch I added (it’s in a spot that’s not really visible).
FTR, I do use static IPs, but I recently turned on DHCP, because I have a few people that use (very few and very trusted) wireless devices (phones) and it was getting to be a PITA to program all the network info into their phones instead of just giving them the password.
Now, I’ve always been a huge fan of unmanaged switches. Plug them in and they just work. It’s like plugging a power strip into an outlet. It just works. No setting it up, no programming, no nothing. If there’s a problem with the network, the chances of it being with one of the (unmanaged) switches are nearly zero.
Now, with my realization of this security hole (not that I think anyone is going to breach it, but still), it got me thinking: I should probably find a way to turn off unused ports, and the answer seems to lie with managed switches.
So, my questions are:
Can I disable unused ports with a managed switch? It would appear that I can, but I’d like to be sure.
If I add another switch to one of the ports of the managed switch, it would also need to be managed as well, right? Maybe? Depends on the next question?
Even with disabled ports, someone could just unplug a cable and plug their device in? That means I’d have to use MAC filtering I think, but every device I’ve worked with has the ability to spoof the MAC address, so I guess the real question is: How do I keep unwanted devices off the network? In fact, that’s really the big question…how do I keep unwanted devices off my network? If I could do that, I’d be happy.
I’m reading about VLANs. Am I understanding correctly that if I set up a switch to have two VLANs and, say, put a WAP on one VLAN, people connected wirelessly will have zero access to anything on the other VLAN? Sort of like a guest network?
Does a managed switch act like a DHCP server? If I use one, can I pull out my router?
Does a managed switch act like a firewall? Again, could I remove my router?
The managed switch I’m looking at does mention a firewall, but only in the sense that it has an access control list. ISTM I’d have to get an actual firewall to go between the modem and the switch. Checking out (quickly) the manual for a switch, I may need a firewall (or actual router) for port forwarding as well.
A few things:
A) This is the switch I was looking at. Nothing special about it other than that I like Netgear, it’s got a good amount of ports and the price is right.
B) This is the firewall I found when I started thinking about it as I was typing this.
C) This isn’t happening any time soon, but someday I may need to do it, and while I’m ‘good at computers’ and I can wire a network (and configure a router, blah blah blah etc.), I’ve never dealt with a managed switch (or a separate firewall and/or VPN/VLAN).
Also, why does the firewall have so many ports? Is it meant to be a router also…it appears so. It would be nice if they just had a one-port firewall. No need to (more or less) force me into having two DHCP servers when they know I’ll have to disable one of them…or cause headaches for people that don’t.
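Since the post turns on DHCP and asks how to notice unwanted devices, here is an added example (not from the original post, and not tied to any Netgear or firewall product) of the detection half of that answer: a small Python audit that parses an ISC dhcpd-style lease file and flags active leases whose MAC is not in a device inventory, or whose hostname no longer matches what the inventory expects for that MAC. The lease text and the inventory are constructed for the example; the lease format is an assumption (a different DHCP server would need a different parser). Disabling unused ports on a managed switch is the prevention half; this script only tells you when something got past it.

```python
"""Audit DHCP leases against a known-device inventory.

Added example for this thread, not code from the original post or from
any switch/firewall vendor. Parses ISC dhcpd.leases-style text and
reports active leases that do not match the inventory.
"""
import re

# Constructed sample in ISC dhcpd.leases syntax (assumption: your DHCP
# server writes this format). Four leases: two known phones, one
# stranger, and one expired ("free") lease that should be ignored.
SAMPLE_LEASES = """
lease 192.168.1.50 {
  starts 3 2024/01/10 10:00:00;
  ends 3 2024/01/10 22:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "office-phone-1";
}
lease 192.168.1.51 {
  starts 3 2024/01/10 10:05:00;
  ends 3 2024/01/10 22:05:00;
  binding state active;
  hardware ethernet AA:BB:CC:00:00:02;
  client-hostname "office-phone-2";
}
lease 192.168.1.77 {
  starts 3 2024/01/10 11:30:00;
  ends 3 2024/01/10 23:30:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:99;
  client-hostname "some-laptop";
}
lease 192.168.1.78 {
  starts 3 2024/01/09 11:30:00;
  ends 3 2024/01/09 23:30:00;
  binding state free;
  hardware ethernet de:ad:be:ef:00:98;
}
"""

# Constructed inventory: MAC (lowercase) -> hostname the device normally
# reports. A hostname you don't care about can be set to None.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "office-phone-1",
    "aa:bb:cc:00:00:02": "office-phone-2",
}

# One "lease <ip> { ... }" block per match; lease bodies contain no braces.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return a list of dicts with ip, mac, hostname and binding state."""
    leases = []
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        rec = {"ip": ip, "mac": None, "hostname": None, "state": None}
        for line in body.strip().splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("hardware ethernet "):
                rec["mac"] = line.split()[2].lower()   # normalise case
            elif line.startswith("client-hostname "):
                rec["hostname"] = line.split(" ", 1)[1].strip('"')
            elif line.startswith("binding state "):
                rec["state"] = line.split()[2]
        leases.append(rec)
    return leases


def find_unknown(leases, known):
    """Flag active leases that are not in the inventory or look cloned.

    Returns (ip, mac, hostname, reason) tuples. A MAC is client-supplied
    and can be changed, so this is a detection aid, not an access control.
    """
    findings = []
    for rec in leases:
        if rec["state"] != "active":
            continue  # expired/free leases are not on the wire right now
        if rec["mac"] not in known:
            findings.append((rec["ip"], rec["mac"], rec["hostname"],
                             "MAC not in inventory"))
            continue
        expected = known[rec["mac"]]
        if expected is not None and rec["hostname"] != expected:
            # A known MAC with an unexpected hostname is worth a look:
            # it may be a re-imaged device, or someone reusing the MAC.
            findings.append((rec["ip"], rec["mac"], rec["hostname"],
                             f"hostname changed (expected {expected})"))
    return findings


if __name__ == "__main__":
    for ip, mac, host, why in find_unknown(parse_leases(SAMPLE_LEASES),
                                           KNOWN_DEVICES):
        print(f"{ip:15} {mac:17} {host or '-':20} {why}")
```

Run it against your real lease file by reading it into `parse_leases` instead of the constructed sample; pointing it at a cron job gives you a daily list of strangers on the LAN. It complements, rather than replaces, shutting down unused switch ports, because a device plugged into a live port with a static address never appears in the lease file at all.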