Security Basics mailing list archives
Re: Wired security improvements
From: Garry Baker <bakerga () yahoo com>
Date: Fri, 4 Jan 2008 02:49:22 -0800 (PST)
http://www.packetfence.org/

--- Jesse Rink <jesse-rink () wi rr com> wrote:

Hello all. I was hoping for some feedback on some improvements I'm hoping to make at a couple of clients as it relates to their wired network.

A bit of background... I do support for several K12 school districts. This, by its nature, changes the typical way security needs to be planned for and implemented. Obviously the biggest change is the mindset that the biggest security threat comes from the inside as opposed to coming from the outside. In particular I am looking at ways to minimize the potential of being exposed when it comes to students having accessibility to the physical network when they bring in their own laptops. Some schools I do work for have a policy in place that restricts students/staff from bringing in laptops. Some schools I do work for have a policy which allows students/staff to bring in laptops.

The concern I am looking to address is finding a method to prevent students/staff from bringing in their laptop, plugging it into an active port and getting on the network. My concern is, a user who brings in a non-controlled device will have the ability to run whatever hacking/cracking tools they want, man in the middle attacks, etc. My experience with these tools tells me I only need 5 minutes at the most to start getting usernames and passwords from Kerberos hashes - I've done it and it was surprisingly easy. At that time, I can take my laptop offline, go home, and crack passwords easily enough.

I have spoken at length with Aaron Royhans about this (he is a member on this mailing list) and we have come up with the same summation for the most part, so I feel as if I'm on the right track at least. The following 5 methods are, as far as I see it, the potential options I have:

1. Lockdown switchports by individual MAC addresses
2. Implementing IPSec
3. 802.1x on the wired network
4. A NAC device (HP, Cisco, etc.)
5. MAC Authentication via RADIUS

I have put together a small spreadsheet detailing what I see, in MY environments, as pros and cons of each method. Pros and cons include everything from how effective the solution is, to cost involved, to time involved, to ease of installation and continued support thereafter, etc. I need to implement something for approximately 500-900 wired computers depending on the size of the client. Costs need to be kept low. Time investment needs to be kept low. Those are the main priorities; however, I'm considering all options and avenues.

As of now, I am leaning towards MAC Authentication via a RADIUS server, followed by IPSec. Ideally, I would like to implement both options in tandem to complement each other: MAC Authentication via RADIUS to keep them off the network, IPSec to keep the communications secure.

I believe MAC Authentication via RADIUS is an ideal choice for us because it seems like it would be the easiest of the methods to implement with the minimal amount of configuration required and overhead. Set up the ports on the switches, add the MAC addresses to Active Directory, configure my IAS server and that's pretty much a wrap. We pretty much effectively limit port access to the network unless that MAC can be authenticated. Yes, I realize MACs can be spoofed, but a student would first have to KNOW the reason they're being prevented access to the network is because of MAC-based authentication. I think it's a stretch to think a student would guess that. Possible - sure.

IPSec seems like a good option as well, but it doesn't prevent physical access to the network at all. It merely requires that both parties, client and server, communicate securely. If one doesn't, then there's no access. I am still a bit concerned that "man in the middle attacks" could potentially happen even with IPSec, however, based on what I've read...

I have a lot of experience with 802.1x in a wireless environment and it works great. In a wired environment, I think it can add a LOT of complexities I'm not ready to tackle, especially when it comes to imaging, and clients/OSes that don't have a supplicant. It's also a complete PITA to get up and running, test fully, etc. So I think that, while it's a lot better option than MAC Authentication via RADIUS as far as security is concerned, I personally feel the rewards are outweighed by the additional cost/setup/testing to get a fully wired 802.1x infrastructure in place.

A NAC device seems like a nice option. But cost can be outstanding. I'm currently evaluating an HP NAC 800. Seems to do everything I'd want, but again, cost... cost... cost. Especially when you add in the appropriate licensing required on the clients. Likely would be over $20,000 or more.

If you want to shed your $.02 on this, feel free. I ask however that you first go to http://www.w3si.org/securitymethods.xls and view the spreadsheet I put together with pros/cons. Again, this is based on MY environments so it may not coincide with environments you've seen in your travels.

Thanks for reading.

Jesse
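MAC authentication via RADIUS, as the post acknowledges, admits any device that presents an allowed MAC, so the practical control on top of it is monitoring. The following is an added example, not code from the thread: it reads constructed RADIUS-style accounting records (timestamp, MAC, switch, port, start/stop) and flags an allowed MAC that opens a session on a second switch port while its first session is still active, the typical footprint of a cloned address.

```python
"""Flag one MAC address active on two switch ports at once.

Record format is assumed for this example (constructed, not a real
accounting export): "<ISO timestamp> <MAC> <switch> <port> <start|stop>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 4d-5e appears on a library port and, before that
# session stops, on a lab port; 4d-60 simply reconnects on its own port.
SAMPLE_LOG = """\
2008-01-04T08:00:05 00-1a-2b-3c-4d-5e sw-lib-1 Gi0/7 start
2008-01-04T08:00:09 00-1a-2b-3c-4d-60 sw-lib-1 Gi0/8 start
2008-01-04T08:12:41 00-1a-2b-3c-4d-5e sw-lab-2 Gi0/3 start
2008-01-04T08:30:00 00-1a-2b-3c-4d-60 sw-lib-1 Gi0/8 stop
2008-01-04T08:30:07 00-1a-2b-3c-4d-60 sw-lib-1 Gi0/8 start
"""


def parse(log):
    """Turn accounting lines into (time, mac, switch/port, event) tuples."""
    records = []
    for line in log.splitlines():
        ts, mac, switch, port, event = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(),
                        f"{switch}/{port}", event))
    return records


def find_duplicate_sessions(log):
    """Return (mac, existing_port, new_port) for every session that starts
    on a port while the same MAC still has an open session elsewhere."""
    active = defaultdict(dict)  # mac -> {port: session start time}
    alerts = []
    for ts, mac, port, event in parse(log):
        if event == "start":
            elsewhere = [p for p in active[mac] if p != port]
            if elsewhere:
                alerts.append((mac, elsewhere[0], port))
            active[mac][port] = ts
        elif event == "stop":
            active[mac].pop(port, None)
    return alerts


if __name__ == "__main__":
    for mac, old, new in find_duplicate_sessions(SAMPLE_LOG):
        print(f"ALERT {mac}: session open on {old}, new session on {new}")
```

A stop followed by a start on the same port (4d-60 above) is a normal reconnect and is not reported; only overlap across different ports is.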