Physical security of an Ethernet port
  1. #1
    Join Date
    Nov 2002
    Location
    Newport, De
    Posts
    44

    Physical security of an Ethernet port

    I work for a very large company that has many contractors that come in and out of the building. We are looking for a way to allow the contractors to come in with their laptops but to prevent them from plugging their laptop into any available Ethernet port. One of the suggestions was to find out if anyone out there makes a lock that you can slide into the Ethernet port on the laptop and lock it so that they cannot plug a cable into it. Does anyone know if something like this exists or not? Please help if possible.

  2. #2
    Join Date
    Jul 2001
    Location
    Chicago
    Posts
    1,107
    Usually, I'm a big fan of physical security. But seriously, if your IT guy proposed this, you should fire him and get a new IT guy.
    Installing these locks (if they even exist) would only give you a false sense of security. Stick with usernames and passwords. Computers are getting smaller and smaller... I could sneak in a PDA and still access data. What if you want to go wireless in the future? What if I just hide a PCI card in my pocket and install it once I'm in the building?
    Strange security measures usually only attract attention, anyway.
    ___________________________________________

    I'm a cinematographer and director of photography in Milwaukee.
    I use Windows, OSX, and 40 TB of storage to tell stories with my
    Sony FS7 | Panasonic GH4 | 5D mark III
    Find me on Google + | Facebook | Twitter

  3. #3
    Join Date
    May 2004
    Location
    Colorado, USA
    Posts
    230
    The whole idea is a little strange, but it's weird that you'd consider putting the "lock" on the laptop and not the Ethernet jacks. They aren't your laptops, and what's to stop anyone from using another device?

    Anyways you'd be much better off by using VLANs and authentication like 802.1X. Depending on your setup and requirements there could be other solutions (captive portal for instance), but this is generally considered the proper way to do it.

    If you want to actually physically disable the ethernet jacks there are products made for this. They are used in hotels, restaurants, etc. to physically limit access to the network. I'll see if I can find a link.
    CataclysmCow

  4. #4
    Join Date
    Nov 2002
    Location
    Newport, De
    Posts
    44
    I agree with everything that is being said, but we are working as an outsourcing company and the company has stated that they want every jack available in the building to everyone that has a computer. Due to this we cannot disable the unused jacks; we are attempting to work within the confines of the operating company's requirements. This is the best solution we can come up with in a short time frame. Everyone who enters the building is searched and any electronic products that they bring in are subject to network security requirements such as anti-virus, patches etc. However, some of these laptops are not up to date with these patches and anti-virus, and we are attempting to allow them in the building but prevent them from being on our network. This is the reason for looking for these types of locks. It is only a temp solution to the problem until we can get the operating company to approve us putting in a more permanent solution.

  5. #5
    Join Date
    Jun 2002
    Location
    Ann Arbor MI
    Posts
    134
    Passwords are ok, but why let an unauthorized user gain even that much access?
    Cisco switches can be set up to allow only the MAC address registered with the administrator to enter your network fabric. Stop them at layer two.

  6. #6
    Join Date
    Jul 2001
    Location
    Chicago
    Posts
    1,107
    Very Smart, AKP. I think I should have suggested that option first.
    It's tough to deal with clients that don't know what they're asking for. Good luck!

  7. #7
    Join Date
    Dec 2005
    Location
    Nashville, TN
    Posts
    19
    I was going to suggest MAC filtering in this situation. You can either configure it in that situation at the switch level, or you can simply set the DHCP server in your network to only assign IP addresses to recognized hosts. From there, you should implement a proxy on your network so contractors could not get outside. I can quite easily see how if you're running a domain, a proxy, and MAC filtering, you would be in very good shape.
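
Added example (not written by any poster in this thread): a Python audit of the "only registered MAC addresses" approach raised in posts #5 and #7, which compares a switch's MAC address table against the administrator's registry. The sample table, the registry entries and all function names are constructed for illustration; a MAC address is reported by the device itself, so this is an inventory check and does not replace the 802.1X authentication suggested in post #3.

```python
import re

# Constructed sample of `show mac address-table` output from an access switch.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/2
  20    0050.56c0.0008    STATIC      Gi1/0/3
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
"""

# Constructed registry of MACs registered with the administrator (mixed notations).
REGISTERED = {"00:11:22:33:44:55": "alice-laptop", "00-50-56-C0-00-08": "printer-3f"}

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+\S+\s+(\S+)\s*$")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_mac_table(text):
    """Yield (vlan, mac, port) for each entry line; headers and rules are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)

def audit(table_text, registered):
    """Return (unregistered entries, registered hosts seen on more than one port)."""
    known = {normalize_mac(mac): name for mac, name in registered.items()}
    unregistered, ports_by_mac = [], {}
    for vlan, mac, port in parse_mac_table(table_text):
        if mac not in known:
            unregistered.append((port, vlan, mac))
        else:
            ports_by_mac.setdefault(mac, set()).add(port)
    # The same registered MAC on several ports deserves a look: moved host or duplicate address.
    moved = {known[m]: sorted(p) for m, p in ports_by_mac.items() if len(p) > 1}
    return unregistered, moved

if __name__ == "__main__":
    unknown, moved = audit(SAMPLE_TABLE, REGISTERED)
    for port, vlan, mac in unknown:
        print(f"unregistered device {mac} on {port} (VLAN {vlan})")
    for name, ports in moved.items():
        print(f"{name} seen on several ports: {ports}")
```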

  8. #8
    Join Date
    Oct 2002
    Location
    Cheshire UK
    Posts
    10,060
    The physical lock is not going to work in the long run, as it's possible to use a pre-assigned outlet with little effort on the transgressor's part. The MAC blocking is a good alternative and/or the provision of connections external to your network and blocked by your internal server and firewall.
