Re: Locking down Ports and DHCP

[Bugbear <gbugbear () gmail com>]

Kevin

I'm not 100% sure what your asking. In my situation, we just check if
the computer/user has valid domain creds, if not we quarantine them.
Not valid means they are guest and not my responsibility to backup or
patch.

If you are doing full NAC/NAP with remediation, then those products
often provide a remediation server that offers patches/links to
patches (i.e. latest WIN patches, virus defs). Problem is if
user/guest doesn't have admin rights then what? In my opinion, just
easier to have guest jacks with air gaped network (could do vlan;ing
if you prefer) and limited internet access available.

Hope this clarifies some things.

Tim

On Thu, Aug 5, 2010 at 2:26 PM, Dahl, Kevin <Kevin.Dahl () ars usda gov> wrote:
> How do those of you who are using 802.1x solve the problem with patching
> and/or nightly backups ??
>
> K-Dee
>
>
> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jody &
> Jennifer McCluggage
> Sent: Thursday, July 29, 2010 8:00 PM
> To: 'PaulDotCom Security Weekly Mailing List'
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> I agree with Tim about recommending  802.1x.  You can set it up so that
> the switches will not allow access until the end-user authenticates
> themselves on the network (via Windows RADIUS service, IAS,
> communicating with a domain controller).  The 8021.X clients on Windows
> XP SP3 and higher are pretty stable (it will work on lower versions but
> SP3 added some 802.1x improvements). As Tim pointed out, more and more
> embedded devices such as printers are now also supporting 802.1x.  For
> other embedded devices (older printers, copiers, UPS,  etc), you can
> utilize MAC address filtering.  This is less of an issue with these
> since they tend to be fairly static (i.e.
> they won't be moving around much) and usually have some additional
> compensating physical controls.  You will probably want to use MAC
> Address filtering with your servers too. 802.1x tends not to work well
> with servers since it requires authentication prior to granting port
> access.  If someone has physical access to the ports that your servers
> are using, port
> authentication is the least of your problems!
>
> Also as Tim said, keep in mind that you are adding some additional
> moving parts so more things can go wrong (8021.x client issues, switch
> issues, or RADIUS server issues - over the years I have had to deal with
> all three at one time or another but nothing real major).  That being
> said, except for the occasional minor headache,  I have had very little
> issues with it over the years. Also keep in mind that the workstation
> will not have access to the network until the user authenticates with an
> approved domain level account.
>
> Let me know If you want some examples on how to set up using Cisco
> switches and Windows workstations and radius/domain server.
>
> Jody
>
>
>
> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
> Sent: Thursday, July 29, 2010 9:04 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> First and foremost get your company policies and procedures in place if
> you have not yet. Also, you will need "buy in" from the support staff
> because their helpdesk calls are going to increase.
>
> With that said, I would look at 802.1x
>
> Assuming you are a Windows shop and your switches support it (most
> modern switches do), take a look. I have leveraged it somewhat
> successfully. I personally do not do any NAP/NAC (remediation), I just
> very simply use Radius to auth the domain computers and domain users.
> If joined to the domain and a member of this group then they are on the
> production LAN, if not the switches will dynamically VLAN them to a
> Quarantine VLAN.
>
> What you do with "guests" is up to you from there. You can wait for the
> helpdesk call or you could provide restricted internet access. If the
> later, consider the appropriate egress filtering, logging, alerting,
> IDS, etc...
> Also consider using PAT to give that network a unique public IP. Lastly,
> consult your legal team to draw up some language for "guests" to click
> through via Web Auth/Captive Portal (most modern switches support this
> too).
> The language should note that your Company is not responsible / liable
> and you hold the right to monitor unencrypted traffic on the network
> (careful with what type of monitoring - headers verse full content)
>
> Most Printers, Scanner, AP's etc.. support 802.1x these days. An
> alternative (not a very good one) would be port security via the mac
> addr (but that will only keep the layman off).
>
> Now the part your probably going to struggle with. The supplicant.
> There are many. MS Windows XP SP3 and above has one built in and
> supports GPO control. There are also products like Juniper/Odyssey and
> Cisco Clean Access (Which i think just got EOL).
>
> They all suck (excuse me have their limitations). The Windows supplicant
> in Windows 7 seems to have been approved quite a bit however. In XP
> there were issues with legit end users being temp flipped to quarantine
> (while radius auth's them < the default behavior). Once flipping back
> and the DHCP client will sometimes not get an updated IP for that
> subnet. To date I have not found a workaround, except Windows 7.
>
> Also, if your admins are using logon scripts and not doing so through
> GPO they will need to as they will not run post Auth
>
> Other tech out there includes tracking/alerting after the fact (someone
> being on your network).
>
> Hope this helps
>
> Tim
>
>
>
> On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson
> <pcimpressions () gmail com>
> wrote:
> > I am coming into an environment of over 1000 clients everything is
> > setup DHCP except printers and servers I am trying to work towards a
> > much more secure network but am at a loss of how to start locking down
>
> > switches and DHCP I want to make sure no one is plugging in
> > unauthorized devices or rogue devices for that matter so just
> > wondering how everyone else is securing there networks as always
> > pauldotcom listeners are the best and all help is welcomed.
> >
> > TR
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com