4 Posts
0
6750
Dell Dock WD15 and Port Security
To our annoyance, our network team imposes port security at our location. Any "accidental" sharing of ports, shuts down the port. After newly purchased Dell Dock WD15s, we presumed that they would shield us by broadcasting the same mac address regardless of the laptop connected to the Dell Dock. That didn't happen. The ports still shut down when a new laptop is introduced to the same connected Dell Dock. How is this possible and is there a way to share laptops on the same Dell Dock without triggering port security?
jphughan
4 Operator
4 Operator
•
14K Posts
0
December 13th, 2018 20:00
The WD15 supports MAC Address Passthrough, which means that if the system supports it as well, the Ethernet port on the WD15 "adopts" the MAC address of the system's own built-in Ethernet interface rather than using its own. The idea behind this feature is that some companies use things like MAC address-based access policies and/or DHCP reservations, so they want to be able to consistently identify a given system by a single MAC address no matter what dock it's using, or even whether it's connecting to the network via dock or the system's built-in Ethernet connector. Some systems that don't even have an actual Ethernet port built-in still have an internal MAC address that they will pass through to docks specifically for this purpose of being consistently identified across multiple docks.
I think there's a way to disable this in the system's BIOS, but you'd have to do it on every system's BIOS. Or you might want to talk to your IT/Network Engineering team about rethinking this policy, for a few reasons:
- If you already need to connect multiple systems to the same dock, then if you didn't have a dock at that location at all, you'd still end up "sharing" that port and triggering this policy because you'd end up using the built-in Ethernet port on those systems. That means this policy is at odds with business needs.
- The legacy E-Port docking stations didn't have a specific MAC address assigned to the dock at all (unlike the WD15, which does if it doesn't get overridden by the system), so once again if you need your laptops to be mobile across docks, I don't understand how this network policy hasn't created a problem for you in the past. And once again, that puts this policy at odds with business needs.
- If you DID disable MAC Address Passthrough so that the dock's MAC address was always used and thus abstracted the system that was connected to it, that would defeat the spirit of this policy because you'd still be "sharing" the port; the network just wouldn't be aware of it anymore. So perhaps you could use that to point out that this port sharing policy is both a) impeding legitimate use cases, and b) easily defeated by using a dock with the right configuration, or even a simple USB Ethernet adapter. Not exactly a combination that suggests a winning policy.
Digigaps
4 Posts
0
December 17th, 2018 08:00
WOW!! Thanks for being so thorough. I'm using your reply to bolster our complaints about the policy.
Unfortunately this is just another example of a security policy overriding business needs and forcing us into an overly expensive solution. Continuing with our 24 X 7 operation shift work environment without sharing desks will only incur additional costs to our client.
Thanks again.
jphughan
4 Operator
4 Operator
•
14K Posts
1
December 17th, 2018 09:00
Glad I could help, and good luck with your efforts. I work in IT myself, so I can see both sides of this issue. IT is relied on to provide security even in environments where users don't think about it nearly as much as they should, so there will inherently be security measures that users will find inconvenient and that they may think is unnecessary if they don't understand the threat model that the security measure is meant to address. However, it's also certainly true that IT departments and even security do not exist in a vacuum. At the end of the day, IT has to support the business, not impede it, so you can't lock things down so tightly that people can't do their jobs to make the business run. It's certainly a balancing act, and in many cases there is no solution that's ideal for both sides of this discussion. That said, with this particular policy, again speaking as someone who works in IT myself, it just doesn't seem reasonable to me. It's so easily subverted (again, even a USB Ethernet adapter could be shared in this case), and if your office requires people to share the same desk/dock, then it's not appropriate to lock ports down to a single MAC address. That's something that's more commonly employed for switch ports that are used for scenarios where the device on the other end of the switch port doesn't change on a routine basis, like servers in a datacenter.
If your IT department wants to clamp down on unauthorized network usage, there are far better ways to do that, like 802.1X port security. That's definitely more complex to set up and will require coordination between the network and workstation/server administration teams that will need to configure OSes to use it, but it will both a) allow legitimate use cases of port sharing, and b) more effectively block devices that shouldn't be on the network.
jphughan
4 Operator
4 Operator
•
14K Posts
0
April 16th, 2021 12:00
@kyle.porter Glad my earlier post was helpful, but I can't say I agree about best practice. I would argue that the value of being able to identify a given system consistently, regardless of which dock it uses to plug into the network or even regardless of whether it uses a dock at all as opposed to its built-in Ethernet interface, is much more valuable than being able to say, "Ok, we're seeing network traffic from Dock XYZ, although we have no idea what actual system is generating that traffic through the dock."
If you truly want to say, "This specific switch port should only accept traffic from this specific MAC address", I guess I can see why disabling MAC Address Passthrough would be appealing. But that leaves a much more fundamental security concern unaddressed, which is that any actual system can now use that dock to get on your network. The same problem exists if you use USB Ethernet adapters. Who cares what specific adapter is being used to plug into your network? The much larger concern is what system is using that adapter (or dock) in order to do so.
MAC Address Passthrough makes a lot more sense if you pair it with something more scalable than one-to-one switch port/MAC mappings, like 802.1x port security and a RADIUS server. In that setup, your trusted systems would all have their MAC addresses registered, and then they will be trusted regardless of which dock/adapter they use for connecting to the network, since MAC Address Passthrough will be involved, while unknown systems will NOT be granted network access, even if they use those same docks or adapters.
kyle.porter
1 Message
0
April 16th, 2021 12:00
Glad I found this. It will be immediately disabled in my enterprise. This goes against best practice that we are taught when designing a network. Yes it might be convenient for certain users but in general is a bad idea. Most network admins in large enterprises lock ports for security or compliance requirements. They also will typically enable bpdu guard at the edge to prevent switching loops. We don't need the dock to act like a switch.
Sincerely,
An Angry Network Admin