RE: prohibiting visitors from connecting to network

[amitk () ingvysyabank com]

Hi Cesar,

    Port Security is the solution where you dont need any 802.1x
authentication or certificates.... Port security helps you to prevent from
VLAN Hopping, MAC spoofing, etc... For futher security, Give static IP
address and allow that VLAN to go thru Proxy server to internet, so that you
can get logs for that time-period..... Check AV definition, Scan the machine
for Spyware before giving Internet access, etc....
    

Regards, 
Amit Kothari


IT Security Monitoring Team 
  _____  

(iGATE Infrastructure Management Services | http://www.igate.com) 

 

 



-----Original Message-----
From: Cesar Diaz [mailto:cesadiz () yahoo com]
Sent: Monday, October 17, 2005 3:53 AM
To: security-basics () securityfocus com
Subject: prohibiting visitors from connecting to network


List:

My company is looking for a way to prohibit visitors
to our offices from connecting a laptop to a network
port and gaining access to our network.  We have
policies in place prohibiting employees from allowing
this, and have network jacks in our conference
roomsthat are on a seperate VLAN that allows only
access to the Interent.  We still have problems with
visitors connecting to the network.  In one case an
infected laptop started spreading a virus in the
network.

Our network is W2K based and uses DHCP running on a
W2K server.  We do have some Unix and Linux boxes.

What I'm looking for is a way to secure DHCP so that
only our laptops/workstations can get a DHCP address. 
I was thinking of something like EAP used for remote
access with certificates to keep computers without a
certificate from receiving an IP address, but I can
find any information on implementing this.


Any ideas, resources or comments are welcome.

Thanks,

Cesar


                
__________________________________ 
Yahoo! Music Unlimited 
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/

Attachment: InterScan_Disclaimer.txt
Description: