An unmarked computer with an encrypted drive was found in the Icelandic Parliament building recently. It has no markings, no fingerprints, no serial numbers, and the police who discovered it powered it down without taking a forensic image of the contents. This computer was attached by an unknown party directly to the internal network for the Icelandic government.
This is an excellent example of the necessity of proper physical security in a network environment. All of the firewall mojo in the world is useless if someone can just plug anything they like into your network, or (even worse) connect to it from the outside using an official or rogue wireless access point.
So, how would you defend against an attack like this?
One possibility would be to use managed switches with 802.1x capability; this requires each device connected to the network to be authenticated against a RADIUS server. If you’re especially paranoid, you can require multifactor authentication using smart cards or tokens to ensure that authentication with a stolen passphrase is impossible.
A simpler route would be to only “light up” network ports that have been requested, in writing, with the names of the requestors recorded in a central repository. MAC locking can be used to make sure that only the approved device is used in that port. This isn’t as bulletproof, of course – you’re expecting all employees to follow a procedure 100% of the time, you need to make sure the ports that are no longer in use are turned off, and a sophisticated attacker would clone an authorized MAC address and use it on another device. But it’s still better than nothing.