I'm managing a small office with about 25 people, all using Windows laptops connected to a Windows Active Directory. Currently, we have MAC address whitelisting on our DHCP server, but it feels a bit inadequate. My boss and I are the only IT staff here. I've been reading about 802.1X for port security, but I'm worried that it might be overkill for our setup. Alternatively, I've heard about Cisco port security, which seems cumbersome since I need to update it every time we add a new device, and with our laptop refresh cycle being 5 years, our users don't move around a lot. Given this context, could MAC whitelisting still be a viable solution, or should I really consider a more sophisticated approach?
4 Answers
If you're really looking for a simple yet effective setup, try moving your DNS server to a non-standard IP and only allow traffic from devices assigned by your DHCP. This could help prevent unauthorized access unless someone is really trying to bypass it, which is a different level of threat altogether.
While 802.1X is a better long-term solution since MAC addresses can be spoofed easily, it depends on what you're willing to manage. If you're not changing devices frequently, Cisco port security might be sufficient, but just keep in mind you'll have to reset it if a device moves to a different port.
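For reference, the "reset it if a device moves" behaviour above comes from sticky MAC learning on Cisco IOS port security; the following is an added configuration example (not from any answerer here), with the interface name, VLAN number and description being assumptions:

```cisco
! Constructed example of Cisco IOS port security on one access port.
interface GigabitEthernet1/0/5
 description desk-05 user laptop (assumed name)
 switchport mode access
 switchport access vlan 10
 ! Learn the first MAC seen and write it into the running config ("sticky").
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "restrict" drops offending frames and raises a counter/SNMP trap without
 ! err-disabling the port; use "shutdown" if you prefer the port to go down.
 switchport port-security violation restrict
 ! Aging time 0 means the sticky entry never expires on its own.
 switchport port-security aging time 0
!
! If you choose violation mode "shutdown", let the switch recover the port
! automatically after 5 minutes instead of requiring a manual "shut / no shut".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! When a laptop moves to another secure port, its MAC is still bound to the
! old port and the new port logs a violation. Clear the old binding with:
!   clear port-security sticky interface GigabitEthernet1/0/5
! and check the state with:
!   show port-security interface GigabitEthernet1/0/5
!   show port-security address
```

Because sticky entries land in the running config, remember to `write memory` after a port learns a new laptop, or the binding is lost on reload.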
Honestly, 802.1X could work pretty well here, especially since everything is AD joined. It might not be as hard as you think, so I say go for it!
I recommend against just using MAC address filtering. It doesn't provide real security since anyone can assign themselves an IP manually if they gain physical access to the network. Consider integrating something like RADIUS for better control over which devices can connect.
Thanks! Do you think it’ll still work with older Cisco switches?