11
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 24 Jul 2024
11 points (92.3% liked)
networking
2776 readers
1 users here now
Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.
founded 2 years ago
MODERATORS
There are ways to try to identify the device connecting to the network. But that doesn't prevent a third party from spoofing an appropriately authenticated device and monitoring and collecting traffic as well as injecting traffic. It just raises the difficulty
Over networks, or access points, that are intrinsically unsafe, the current gold standard is to require clients transiting those networks to then use a VPN. So internal Wi-Fi, with access only to a wire guard server, and your wireless clients connect to the wire guard server.
Even if a malicious actor takes over the access point, or compromises the ethernet cable itself, the traffic will be encrypted, and only authenticated clients will be able to actually access your infrastructure.
So you would enforce a VLAN onto the port that the access point has access to, and then that VLAN can only access the UDM wireguard server.
Some devices will let you specify a list of allowed MAC addresses per port. I believe ubiquity does allow this.
Some devices will have a whole port security protocol, if they see a Mac address that hasn't been authenticated, the port is put into violation requiring an admin to physically validate it after visiting the port to make sure nothing nefarious happened. I do not believe ubiquiti has this