PaulDotCom mailing list archives
Re: Locking down Ports and DHCP
From: Bugbear <gbugbear () gmail com>
Date: Thu, 29 Jul 2010 09:04:08 -0400
First and foremost, get your company policies and procedures in place if you have not yet. Also, you will need "buy in" from the support staff because their helpdesk calls are going to increase. With that said, I would look at 802.1x. Assuming you are a Windows shop and your switches support it (most modern switches do), take a look. I have leveraged it somewhat successfully. I personally do not do any NAP/NAC (remediation); I just very simply use RADIUS to auth the domain computers and domain users. If joined to the domain and a member of this group, then they are on the production LAN; if not, the switches will dynamically VLAN them to a Quarantine VLAN.

What you do with "guests" is up to you from there. You can wait for the helpdesk call or you could provide restricted internet access. If the latter, consider the appropriate egress filtering, logging, alerting, IDS, etc. Also consider using PAT to give that network a unique public IP. Lastly, consult your legal team to draw up some language for "guests" to click through via Web Auth/Captive Portal (most modern switches support this too). The language should note that your Company is not responsible / liable and you hold the right to monitor unencrypted traffic on the network (careful with what type of monitoring: headers versus full content).

Most printers, scanners, APs, etc. support 802.1x these days. An alternative (not a very good one) would be port security via the MAC addr (but that will only keep the layman off).

Now the part you're probably going to struggle with: the supplicant. There are many. MS Windows XP SP3 and above has one built in and supports GPO control. There are also products like Juniper/Odyssey and Cisco Clean Access (which I think just got EOL). They all suck (excuse me, have their limitations). The Windows supplicant in Windows 7 seems to have been improved quite a bit, however.

In XP there were issues with legit end users being temporarily flipped to quarantine (while RADIUS auths them; the default behavior). Once flipped back, the DHCP client will sometimes not get an updated IP for that subnet. To date I have not found a workaround, except Windows 7. Also, if your admins are using logon scripts and not doing so through GPO, they will need to, as the scripts will not run post-auth.

Other tech out there includes tracking/alerting after the fact (someone being on your network).

Hope this helps,
Tim

On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson <pcimpressions () gmail com> wrote:

I am coming into an environment of over 1000 clients. Everything is set up with DHCP except printers and servers. I am trying to work towards a much more secure network but am at a loss as to how to start locking down switches and DHCP. I want to make sure no one is plugging in unauthorized devices, or rogue devices for that matter, so I'm just wondering how everyone else is securing their networks. As always, PaulDotCom listeners are the best and all help is welcomed.

TR

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
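The RADIUS-driven VLAN steering Tim describes above (domain member on the production VLAN, everything else to quarantine), as an added Python example that is not part of this list post: it picks the VLAN, encodes the RFC 2868 / RFC 3580 Tunnel-* attributes a RADIUS server returns in its Access-Accept, and parses them back the way a switch would. The VLAN IDs, the AD group name and the decision rule are assumptions for illustration.

```python
"""Dynamic VLAN assignment via RADIUS tunnel attributes (RFC 2868 / RFC 3580).

Tunnel-Type (64) = 13 (VLAN), Tunnel-Medium-Type (65) = 6 (IEEE-802),
Tunnel-Private-Group-ID (81) = VLAN ID as a string. Each attribute is
Type, Length, Tag, Value; tag values above 0x1F are part of the value.
"""
import struct

PRODUCTION_VLAN = "100"             # assumed VLAN IDs for this example
QUARANTINE_VLAN = "999"
ALLOWED_GROUP = "Domain Computers"  # assumed AD group that grants production access

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def choose_vlan(authenticated, groups):
    """Policy from the post: authenticated member of the group -> production, else quarantine."""
    if authenticated and ALLOWED_GROUP in groups:
        return PRODUCTION_VLAN
    return QUARANTINE_VLAN


def _tagged_int(attr_type, value, tag=1):
    # Type, Length (always 6), Tag, 3-byte big-endian integer value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr_type, value, tag=1):
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """Attribute bytes a RADIUS server places in Access-Accept to assign vlan_id."""
    return (_tagged_int(TUNNEL_TYPE, VLAN)
            + _tagged_int(TUNNEL_MEDIUM, IEEE_802)
            + _tagged_str(TUNNEL_GROUP_ID, vlan_id))


def parse_vlan_attributes(buf):
    """Walk a RADIUS attribute list; return the VLAN ID string, or None if not a VLAN assignment."""
    pos, found = 0, {}
    while pos + 2 <= len(buf):
        attr_type, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + length]
        tag = body[0] if body and body[0] <= 0x1F else None   # RFC 2868 tag rule
        found[attr_type] = body[1:] if tag is not None else body
        pos += length
    if found.get(TUNNEL_TYPE) != VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM) != IEEE_802.to_bytes(3, "big"):
        return None
    group = found.get(TUNNEL_GROUP_ID)
    return group.decode("ascii") if group else None
```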