Employee wants to use his own network hub/switch

An employee comes to you and asks if he can bring his own hub or switch so he can have one more Ethernet socket for another computer. As a CISO, would you allow that?

How would you reason when not allowing or allowing it?


This one seems to be simple, right?

Standard approach

The safest decision for you as a CISO is to say no — and this is not about distrust of the employee, but about risk management. Why take the risk? We know that many things can go wrong with a non-managed network device. You can trust the employee, but malware knows no trust.

“Allowing personal switches turns one controlled access point into multiple uncontrolled ones. It undermines network security, monitoring, and compliance. The correct solution is to provide additional ports through IT.”

If we set aside the hub vs. switch question for a moment (a hub can do much more damage than a switch, for several reasons), we can get more creative and try to find a workable solution. What if we are dealing with a temporary situation here: a project, a test, a lab for which another small, portable switch is all we need?

Will we insist on the security, integrity and availability concerns, or can we actually create a "soft" rule and try to help?

More nuanced approach

First, let's start with hub vs. switch:

  • allow a personal hub? No (if a network device is allowed at all, a switch is the better choice)
  • allow a personal switch? Yes, but under certain conditions (see below)

Now, let's define the rules.

Definition: personal switch

A personal switch is a small, unmanaged Ethernet switch temporarily used to connect multiple company-owned devices to a single existing network wall port, when additional ports are needed for work purposes.

A personal switch must:

  • operate only at Layer 2 (Ethernet switching)
  • have no routing, NAT, or firewall functionality
  • have no DHCP server
  • have no wireless (Wi-Fi) capability
  • use exactly one uplink to the company network
  • be unmanaged or management-disabled
  • be used temporarily, not as a permanent installation

The following are not considered personal switches and are not permitted under this policy:

  • wireless access points or routers,
  • devices providing DHCP, NAT, or internet sharing,
  • “smart” or managed switches with configuration enabled,
  • switches connected to more than one wall port,
  • devices used to interconnect multiple network segments or rooms.

A personal switch:

  • does not extend network privileges,
  • does not change VLANs or security zones,
  • does not replace permanent network infrastructure,
  • exists solely to temporarily increase port availability at a desk.

What IT should provide (or approve)

Approved device

  • IT-provided or IT-approved unmanaged switch,
  • no Wi-Fi capability,
  • no routing, NAT, or DHCP,
  • labeled “temporary personal switch”,
  • one uplink only,
  • exactly one cable to the wall,
  • no daisy-chaining of switches.

Employee rules

Allowed / required

  1. Only company-owned devices

    • laptops, PCs, IP phones, test equipment,
    • no personal devices, ever.
  2. Use only one wall jack

    • one switch → one wall port,
    • if more ports are needed → contact IT.
  3. Disconnect when no longer needed

    • end of project,
    • end of visit,
    • end of temporary role.
  4. Label the switch showing

    • owner,
    • purpose,
    • expected removal date.
  5. Report problems immediately

    • network instability,
    • port disabled,
    • slow or unreliable connectivity.

What employees MUST NOT do

Explicitly forbidden (these are the real risks)

  1. no Wi-Fi access points

    • even if “just temporarily”,
    • even if “password protected”.
  2. no loops

    • never connect two ports of the switch together,
    • never connect it to two wall ports.
  3. no personal or unmanaged devices

    • home laptops,
    • IoT devices,
    • Raspberry Pi / lab gear without approval.
  4. no permanent installations

    • no mounting under desks,
    • no hiding in cable trays.
  5. no reconfiguration

    • don’t enable “smart” features,
    • don’t change VLAN, QoS, or spanning-tree settings (if present).
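Several of the rules above (one switch per wall port, no loops, only company-owned devices, disconnect when the project ends) leave a visible trace in the access switch's MAC address table, which is where IT can check compliance instead of relying on trust. The script below is an added example and not part of the original post: it audits a constructed `show mac address-table`-style dump against those rules. The table lines, the company OUI allow-list, the register of approved temporary switches and the per-port host limit are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample shaped like a "show mac address-table" dump
# (VLAN, MAC, port). A real audit would pull this over SSH or SNMP.
MAC_TABLE = """\
10  0050.56aa.0001  Gi1/0/1
10  0050.56aa.0002  Gi1/0/2
10  0050.56aa.0003  Gi1/0/2
10  0050.56aa.0004  Gi1/0/2
10  b827.eb11.2233  Gi1/0/2
10  0050.56aa.0005  Gi1/0/3
10  0050.56aa.0005  Gi1/0/4
10  0050.56aa.0010  Gi1/0/7
10  0050.56aa.0011  Gi1/0/7
"""

# Assumed: OUI prefixes (first three bytes, in the dump's dotted form) of the
# company's own hardware. Anything else behind a shared port is flagged.
COMPANY_OUIS = {"0050.56"}

# Assumed register of approved temporary switches: uplink port -> removal date.
APPROVED_TEMP_SWITCHES = {"Gi1/0/2": "2025-01-31"}

# Assumed policy parameter: a desk switch serves a few devices, not a lab.
MAX_HOSTS_PER_PORT = 4


def parse_mac_table(text):
    """Turn the dump into (vlan, mac, port) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        vlan, mac, port = parts
        rows.append((vlan, mac.lower(), port))
    return rows


def audit(rows, today_iso):
    """Return {port: [finding, ...]} for every port that breaks a rule."""
    today = date.fromisoformat(today_iso)
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for _vlan, mac, port in rows:
        macs_by_port[port].add(mac)
        ports_by_mac[mac].add(port)

    findings = defaultdict(list)

    # "One switch -> one wall port" and "no loops": a MAC learned on two
    # ports means a device is reachable over two paths.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            for port in ports:
                others = sorted(ports - {port})
                findings[port].append(
                    f"mac {mac} also seen on {others}: loop or dual uplink")

    for port, macs in macs_by_port.items():
        if len(macs) <= 1:
            continue  # one host per wall port is the normal case
        # Several MACs behind one port means something is switching downstream.
        if port not in APPROVED_TEMP_SWITCHES:
            findings[port].append(
                f"{len(macs)} hosts behind port but no approved temporary switch registered")
        elif today > date.fromisoformat(APPROVED_TEMP_SWITCHES[port]):
            findings[port].append(
                f"temporary switch past its removal date ({APPROVED_TEMP_SWITCHES[port]})")
        if len(macs) > MAX_HOSTS_PER_PORT:
            findings[port].append(
                f"{len(macs)} hosts exceeds the limit of {MAX_HOSTS_PER_PORT}")
        # "Only company-owned devices": unknown OUI behind a shared port.
        for mac in sorted(macs):
            if mac[:7] not in COMPANY_OUIS:
                findings[port].append(
                    f"mac {mac} is not a company OUI: possible personal device")
    return dict(findings)


if __name__ == "__main__":
    for port, notes in sorted(audit(parse_mac_table(MAC_TABLE), "2025-02-15").items()):
        for note in notes:
            print(f"{port}: {note}")
```

Run against the sample, the audit flags the approved port whose removal date has passed and which carries a non-company MAC, the two ports that learned the same MAC (a loop or a switch cabled to two wall jacks), and an unregistered port with two hosts behind it. A MAC table says nothing about the DHCP, NAT and Wi-Fi prohibitions, though: those need DHCP snooping on the access switch and wireless monitoring, and the per-port host limit is better enforced directly with port security than checked after the fact.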

Final words about the rules (the policy)

This policy:

  • acknowledges real work needs,
  • preserves network predictability,
  • keeps responsibility clear,
  • reduces “shadow IT”.

It aligns policy with technical reality instead of fighting it.