Re: Wired security improvements

[Garry Baker <bakerga () yahoo com>]

http://www.packetfence.org/

--- Jesse Rink <jesse-rink () wi rr com> wrote:

> Hello all.
>
> I was hoping for some feedback on some improvement
> I'm hoping to make at a
> couple of clients as it relates to their wired
> network.
>
> A bit of a background...
>
> I do support for several K12 school districts. 
> This, by its nature, changes
> the typical way security needs to be planned for and
> implemented.  Obviously
> the biggest change is the mindset that the biggest
> security threat comes
> from the inside as opposed to coming from the
> outside.
>
> In particular I am looking at ways to minimize the
> potential of being
> exposed when it comes to students having
> accessibility to the physical
> network when they bring in their own laptops.  Some
> schools I do work for
> have a policy in place that restricts students/staff
> from bringing in
> laptops.  Some schools I do work for have a policy
> which allows
> students/staff to bring in laptops.  
>
> The concern I am looking to address is finding a
> method to prevent
> students/staff from bringing in their laptop,
> plugging it into an active
> port and getting on the network.  My concern is, a
> user who brings in a
> non-controlled device will have the ability to run
> whatever hacking/cracking
> tools they want, man in the middle attacks, etc.  My
> experience with these
> tools tells me I only need 5 minutes at the most to
> start getting usernames
> and passwords from Kerberos hashes - I've done it
> and it was surprisingly
> easy.  At that time, I can take my laptop offline,
> go home, and crack
> passwords easily enough.  I have spoken at length
> with Aaron Royhans about
> this (he is a member on this mailing list) and we
> have come up with the same
> summation for the most part so I feel as if I'm on
> the right track at least.
>
> The following 5 methods are, as far as I see it, the
> potential options I
> have:
>
> 1. Lockdown switchports by individual MAC addresses
> 2. Implementing IPSec
> 3. 802.1x on the Wired network
> 4. A NAC device (HP, Cisco, etc.)
> 5. MAC Authentication via RADIUS
>
> I have put together a small spreadsheet detailing
> what I see, in MY
> environments, as pros and cons of each method.  Pros
> and Cons include
> everything from how effective the solution is, to
> cost involved, to time
> involved, to ease of installation and continued
> support thereafter, etc.
>
> I need to implement something for approximately
> wired 500-900 computers
> depending on the size of the client.  Costs need to
> be kept low.  Time
> investment needs to be kept low.  Those are the main
> priorities, however,
> I'm considering all options and avenues.  
>
> As of now, I am leaning towards MAC Authentication
> via a RADIUS server,
> followed by IPSec.  Ideally, I would like to
> implement both options in
> tandem to compliment each other.  MAC Authentication
> via RADIUS to keep them
> off the network, IPSec to keep the communications
> secure.
>
> I believe MAC Authentication via RADIUS is an ideal
> choice for us because it
> seems like it would be the easiest of the methods to
> implement with minimal
> amount of configuration required and overhead. 
> Setup the ports on the
> switches, add the MAC addresses to Active Directory,
> configure my IAS Server
> and that's pretty much a wrap.  We pretty much
> effectively limit port-access
> to the network unless that MAC can be authenticated.
>  Yes, I realize MACs
> can be spoofed, but, a student would first have to
> KNOW the reason they're
> being prevented access to the network is because of
> MAC based
> authentication.  I think it's a stretch to think a
> student would guess that.
> Possible - sure.
>
> IPSec seems like a good option as well, but it
> doesn't prevent physical
> access to the network at all.  It merely requires
> that both parties, client
> and server, communicate securely.  If one doesn't,
> then there's no access.
> I am still a bit concerned that "man in the middle
> attacks" could
> potentially happen even with IPSec however based on
> what I've read... 
>
> I have a lot of experience with 802.1x in a wireless
> environment and it
> works great.  In a wired environment, I think it can
> add a LOT of
> complexities I'm not ready to tackle, especially
> when it comes to imaging,
> and clients/OS's that don't have a supplicant.  It's
> also a complete PITA to
> get up and running, test fully, etc.  So I think
> while, it's a lot better
> option than MAC Authentication via RADIUS as far as
> security is concerned, I
> personally feel the rewards are outweighed by the
> additional
> cost/setup/testing to get a fully wired 802.1x
> infrastructure in place.
>
> A NAC device seems like a nice option.  But cost can
> be outstanding.  I'm
> currently evaluating an HP NAC 800.  Seems to do
> everything I'd want, but
> again, cost... cost... cost.  Especially when you
> add in the appropriate
> licensing required on the clients.  Likely would be
> over $20,000 or more.
>
> If you want to shed your $.02 on this, feel free.  I
> ask however that you
> first go to http://www.w3si.org/securitymethods.xls
> and view the spreadsheet
> I put together with pros/cons.  Again, this is based
> on MY environments so
> it may not coincide with environments you've seen in
> your travels.
>
> Thanks for reading.
>
> Jesse