I am currently looking at upgrading the network switches at our school. We have multiple buildings, all connected to the central server room through a fiber optic network. The server room has multiple Windows Server 2008 servers. Presently, all of our switches are unmanaged. I am planning to begin swapping out the main switch in each building soon for a "web smart" switch (D-Link DGS1224TP). This switch says it supports 802.1X port-based access control. I am looking at PoE switches for a future VoIP phone system and for access points.
My long-term goal is to secure our wired network so that only networked devices with MAC addresses included on some type of "allow" list are allowed to connect (mainly to prevent students from connecting laptops). The problem is that a number of our classrooms have small unmanaged 8-port switches (specifically the D-Link DGS2208 switch). This seems to make securing the wired network more difficult. (I know that MAC addresses can be spoofed; I am mainly trying to make it more difficult for the average user to connect to the wired network.)
My other long-term goal is to install Ruckus wireless, with two SSIDs: one for students/teaching staff that allows access to the internet only, and one for techs that allows access to the internet and the local network. I am hoping to set up Ruckus so that no type of MAC "allow" list is needed for wireless access, unlike the wired network.
Does anyone have any tips on how I might be able to secure this wired network setup? I had looked a little at Windows Server 2008 NAP and PacketFence, but was unsure whether either of these is the best solution, and whether they would negatively affect what I am trying to do with Ruckus. Ideally I would have managed switches everywhere, but our funds are very limited.
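As an added example, not from the original post and not taken from any of the products named in it: a small Python script that audits a switch's MAC (forwarding) table against a MAC allow list. The allow list and the table export below are constructed sample data, and the "port, MAC, VLAN" column layout is an assumption (vendors differ, and the MAC notation varies, so the parser accepts the common forms). It flags unknown devices, an allowed MAC showing up on two ports at once (the spoofing case the post mentions), and ports that carry several MACs, which on this network would be the uplinks to the unmanaged classroom switches.

```python
import re
from collections import defaultdict

# Constructed allow list (MAC -> asset tag). In practice this would be
# loaded from the inventory; the addresses here are made up for the example.
ALLOW_LIST = {
    "00:1a:2b:3c:4d:5e": "lab-pc-01",
    "00:1a:2b:3c:4d:5f": "lab-pc-02",
    "00:1a:2b:3c:4d:60": "office-printer",
    "00:1a:2b:3c:4d:61": "teacher-laptop-07",
}

# Constructed sample of a forwarding-table export. The column order is an
# assumption; real exports differ by vendor, so adjust parse_mac_table().
MAC_TABLE_SAMPLE = """\
Port   MAC Address        VLAN
1      00-1A-2B-3C-4D-5E  1
2      00-1A-2B-3C-4D-5F  1
3      001a.2b3c.4d60     1
8      00-1A-2B-3C-4D-61  1
8      00-1A-2B-3C-4D-62  1
8      3C-07-54-AA-BB-CC  1
12     00-1A-2B-3C-4D-5E  1
"""

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff notations.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
    re.I,
)


def normalize_mac(raw):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None if not a MAC."""
    if not MAC_RE.match(raw):
        return None
    hexdigits = re.sub(r"[^0-9a-f]", "", raw.lower())
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (port, mac) pairs; header and malformed rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = normalize_mac(fields[1])
        if mac is None:
            continue  # header line or a row without a MAC in column two
        entries.append((fields[0], mac))
    return entries


def audit(entries, allow_list):
    """Compare a parsed MAC table against the allow list.

    Returns a dict with three findings:
      unknown    - (port, mac) pairs whose MAC is not on the allow list
      duplicated - allowed MACs seen on more than one port at the same time,
                   a likely sign that someone is spoofing a trusted address
      multi_host - ports carrying several MACs, i.e. the ports behind which
                   an unmanaged switch sits and per-port control is weakest
    """
    ports_by_mac = defaultdict(set)
    macs_by_port = defaultdict(set)
    for port, mac in entries:
        ports_by_mac[mac].add(port)
        macs_by_port[port].add(mac)

    unknown = sorted((p, m) for p, m in entries if m not in allow_list)
    duplicated = {m: sorted(ps) for m, ps in ports_by_mac.items()
                  if m in allow_list and len(ps) > 1}
    multi_host = {p: sorted(ms) for p, ms in macs_by_port.items() if len(ms) > 1}
    return {"unknown": unknown, "duplicated": duplicated, "multi_host": multi_host}


if __name__ == "__main__":
    report = audit(parse_mac_table(MAC_TABLE_SAMPLE), ALLOW_LIST)
    for port, mac in report["unknown"]:
        print(f"unknown device {mac} on port {port}")
    for mac, ports in report["duplicated"].items():
        print(f"allowed MAC {mac} ({ALLOW_LIST[mac]}) seen on ports {ports}: possible spoofing")
    for port, macs in report["multi_host"].items():
        print(f"port {port} carries {len(macs)} MACs: probably an unmanaged switch downstream")
```

The multi_host list is the part worth watching on this kind of network: a port that only does port-based (single-host) 802.1X opens for every device behind an unmanaged classroom switch once one supplicant on it has authenticated, so those ports need a different control (a managed switch in the room, or accepting that the allow list is only a deterrent there).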
Other things to consider would be physical deterrents... "PANDUIT|PSL-DCJB|RJ45 BLOCKOUT, X10 AND TOOL, RED | CPC" blockers work fairly well to block off spare network ports, but are a bit expensive if you've got lots of ports. Lots of people on these forums suggest snipping off the very end of the RJ45 "clip" so that it is hard for anyone without a small screwdriver to unplug a machine from the network (to plug their own in). You can also disable unused ports on your switches, a compromise between leaving them wired up and ready and leaving them as a risk, although I doubt that's an option for your little 8-port ones.
Last edited by Chillibear; 20th February 2010 at 08:33 AM. Reason: tidy up