Sunday, March 21, 2021

Tips #9 - The Sacrificial Port and Admin vlans

One thing I have found useful in my attempt to be secure is the use of Admin vlans.  An Admin vlan is a vlan you use to limit who can make changes to your network; it exists to protect the internal network infrastructure. There are a couple of important points about this:
  • Each router, Managed Switch, and Type 1 hypervisor that you have in your network is configured so that changes can only be made from the Admin vlan.
  • All ACLs/rules set up in the network keep the Admin vlan separate from all others and enforce the items in this list.
  • You set up connections throughout the network so that you have to be physically connected to an Admin vlan port to make changes to any infrastructure elements in the network.
  • We have a port on each device dedicated to the Admin vlan, but the Admin vlan is allowed to traverse between devices only on Trunk lines, and those lines are physically protected as much as possible.
  • All connections to devices on the Admin vlan have to be encrypted; this is a zero trust approach.
  • Certificates are issued and controlled by a local Certificate Authority (CA) that is usually kept offline.
  • The Admin vlan port is called the Sacrificial Port because that port is used only for the purpose of getting onto the Admin vlan.
  • The Sacrificial Port is protected with 802.1X/RADIUS authentication by MAC address; if you aren't supposed to be there, you shouldn't be allowed to get in.
  • The Sacrificial Port is also there to make sure you can still control infrastructure devices if part of the network becomes unresponsive.
  • The Sacrificial Port is also protected by a keyed Ethernet dust plug (suggested color: red); the key is necessary to take the plug out of the device.
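As an added example (not from the original post), a small Python audit that checks a constructed switch inventory against the rules above: exactly one 802.1X-protected Sacrificial Port per device, a management ACL limited to the Admin vlan subnet, and management logins whose source lies outside that subnet. The VLAN id 99, the 10.99.0.0/24 subnet, the port names and the log format are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

ADMIN_VLAN = 99                         # assumed Admin vlan id (not from the post)
ADMIN_NET = ip_network("10.99.0.0/24")  # assumed Admin vlan subnet

@dataclass
class Port:
    name: str
    mode: str            # "access" or "trunk"
    vlans: frozenset     # access vlan, or the vlans allowed on the trunk
    dot1x: bool = False  # 802.1X/RADIUS (MAC-based) enforced on the port

@dataclass
class Device:
    name: str
    ports: list
    mgmt_acl: list       # subnets permitted to reach the management plane

def audit_device(dev):
    """Return rule violations; an empty list means the device follows the Admin vlan rules."""
    findings = []
    sacrificial = [p for p in dev.ports if p.mode == "access" and ADMIN_VLAN in p.vlans]
    # Exactly one dedicated Admin vlan access port (the Sacrificial Port) per device.
    if len(sacrificial) != 1:
        findings.append(f"{dev.name}: {len(sacrificial)} Admin vlan access ports, expected 1")
    # That port must sit behind 802.1X/RADIUS.
    findings += [f"{dev.name}/{p.name}: sacrificial port lacks 802.1X" for p in sacrificial if not p.dot1x]
    # The management plane may be reachable only from the Admin vlan subnet.
    findings += [f"{dev.name}: management ACL permits {net}, outside the Admin vlan"
                 for net in dev.mgmt_acl if not ip_network(net).subnet_of(ADMIN_NET)]
    return findings

# Constructed log format: "<device> mgmt-login user=<user> src=<ip>"
LOGIN_RE = re.compile(r"^(?P<dev>\S+) mgmt-login user=(?P<user>\S+) src=(?P<src>\S+)")

def offending_logins(lines):
    """Detection side: management logins whose source address is outside the Admin vlan."""
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m and ip_address(m["src"]) not in ADMIN_NET:
            hits.append((m["dev"], m["user"], m["src"]))
    return hits

# Constructed sample inventory and logs: sw1 follows the rules, sw2 breaks two of them.
TRUNK = Port("Gi1/0/1", "trunk", frozenset({10, 20, 99}))
SW1 = Device("sw1", [TRUNK, Port("Gi1/0/48", "access", frozenset({99}), dot1x=True)], ["10.99.0.0/24"])
SW2 = Device("sw2", [TRUNK, Port("Gi1/0/48", "access", frozenset({99}))], ["0.0.0.0/0"])
SAMPLE_LOGS = ["sw1 mgmt-login user=admin src=10.99.0.5", "sw2 mgmt-login user=admin src=192.168.10.23"]
```

Running `audit_device` over each device reports sw1 as compliant and two findings for sw2 (no 802.1X on its Sacrificial Port, management ACL open to 0.0.0.0/0); `offending_logins(SAMPLE_LOGS)` flags the sw2 login from 192.168.10.23.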