
Options for restricting ALL (not just HTTP) internetwork access

EyeMWing

Banned
Why is a VERY long story, but the physical setup is very easy to explain.

The external network in question is ethernet. Our internal network is also ethernet. We have a VAST array of hardware we could potentially throw in between - ranging from purpose-built PC routers, to consumer routers, to Cisco 2500-series routers. However, our situation requires us to restrict traffic through those routers to stations where certain authorized users are logged on. Unauthorized users will use the same stations, so authorization CAN NOT be done on a per-PC basis.

We have an Active Directory setup in place which we would like the authentication to be based on if possible (though this is by NO means necessary), and by the time this goes to implementation, will run Windows Server 2003 R2 on all our domain controllers and servers. We are not in a position to purchase any further software (i.e. ISA Server), though we are willing to double up roles on one of our existing Win2k3 servers, and can use as many Unix/Linux/whatever is necessary systems to accomplish this.

We also have a programmer available who learns quickly - if we need to code anything in any language, we can get him to do it. And it is COMPLETELY AND TOTALLY ESSENTIAL that this be a 100% bulletproof method. If they don't have an authorized user account, they won't get a single packet through the router.
 
Originally posted by: spidey07
sounds like you need 802.1x.

If you are not authenticated, you cannot talkie-talkie.

Very interesting. IAS comes with 2k3 Enterprise, right? Or am I just engaging in some of that wishful Microsoft thinking?
 
All the documentation on 802.1x seems to relate to its use for wireless networks, but I'll see if I can't get a successful deployment in this environment.... That is, if I can find an 802.1x capable router package (our Cisco 2500's are out, since we don't have any ethernet WAN modules for them, and our stock of consumer routers all limit that availability to wireless)
 
well it's normally deployed at layer 2 (your switches)

But its roots in wireless are the same - no authentication, no talkie-talkie.

You can even take it so far as "what AD group do you belong to?" and set policy from there.

it really all depends on what you want. I was a little confused by your original post.

What I'm saying is that you need to decide at what layer you want authentication to occur and what you're trying to control.

If it is just internet access then maybe a proxy server would be better served. If you're trying to limit layer 2/3 access then 802.1x is for you as that is the only way to do it.
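As an added example (not from this thread, and not any one poster's configuration), here is the minimal Cisco IOS access-switch configuration for the layer-2 approach spidey07 describes: the port forwards nothing at all until a supplicant authenticates through RADIUS. The RADIUS server address (192.0.2.10, i.e. an IAS box), the shared secret placeholder, the interface name and the VLAN number are assumptions; exact `dot1x` keywords vary by IOS release.

```text
! Added example: 802.1X on one IOS access port, RADIUS at 192.0.2.10 (assumed).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-ME
dot1x system-auth-control
!
interface FastEthernet0/1
 description workstation port - blocked until a user authenticates
 switchport mode access
 switchport access vlan 99
 dot1x port-control auto
 dot1x host-mode single-host
 spanning-tree portfast
!
```

`aaa authorization network` is what lets the "which AD group?" part work: an IAS remote access policy conditioned on Windows-Groups can return the RADIUS attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = 802 and Tunnel-Private-Group-ID = <vlan>, and the switch moves the port into that VLAN for the session. Two caveats for the original requirement: because unauthorized people will sit at the same PCs, the Windows supplicant must be set to authenticate the user at logon (not machine-only), otherwise the port is authorized for whoever sits down after the machine account succeeds; and `single-host` mode matters, since `multi-host` would let a second device behind a hub ride on the first authenticated MAC. Check the result with `show dot1x interface FastEthernet0/1` or `show dot1x all` on the switch and the IAS event log on the server.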
 
Too bad you can't buy any software, because ISA Server 2004 can do it perfectly and painlessly, by User, and can be set up with wizards for something like this. And it'd be bulletproof. I could install ISA and set access rights by Active Directory User Security Group in about an hour, total.
 
LOL.

Here is 4 months of Trial ISA Server, http://www.microsoft.com/isaserver/evaluation/trial/default.mspx

4 Months, and maybe there would be budget.🙂

4 Months, and maybe the "powers" would be convinced that it worked well, and worth the investment.:thumbsup:

4 Months, and maybe the business would make more money and can afford ISA.:beer:

4 months closer to the release of ISA 2006, and maybe ISA 2004 would be cheaper.:light:

4 Months, and maybe there would not be a business and it would not matter.:thumbsdown:

:sun:
 
How about trying Endian Firewall. It's a free Linux-based firewall/router based on IPCop. Take an old PC or server (it needs to have two NICs). You can set it up to do Active Directory authentication and only allow certain users or groups access. It's a real handy device because you can use it as a cache server with content filter. Give it a try.
 
Originally posted by: RebateMonger
Too bad you can't buy any software, because ISA Server 2004 can do it perfectly and painlessly, by User, and can be set up with wizards for something like this. And it'd be bulletproof. I could install ISA and set access rights by Active Directory User Security Group in about an hour, total.

That would ultimately be the best course of action. Unfortunately, since we're a non-profit, funds are very limited, and all funds are presently being allocated to the "we need a truck" account.
 
Originally posted by: blemoine
How about trying Endian Firewall. It's a free Linux-based firewall/router based on IPCop. Take an old PC or server (it needs to have two NICs). You can set it up to do Active Directory authentication and only allow certain users or groups access. It's a real handy device because you can use it as a cache server with content filter. Give it a try.

Will look into it. However, it LOOKS like that only applies to HTTP because of the way it's phrased.
 
Originally posted by: EyeMWing
That would ultimately be the best course of action. Unfortunately, since we're a non-profit, funds are very limited, and all funds are presently being allocated to the "we need a truck" account.
Not eligible for Charity Licensing from Microsoft? If you are, they almost give the stuff away.
 
Originally posted by: JackMDS
LOL.

Here is 4 months of Trial ISA Server, http://www.microsoft.com/isaserver/evaluation/trial/default.mspx

4 Months, and maybe there would be budget.🙂

4 Months, and maybe the "powers" would be convinced that it worked well, and worth the investment.:thumbsup:

4 Months, and maybe the business would make more money and can afford ISA.:beer:

4 months closer to the release of ISA 2006, and maybe ISA 2004 would be cheaper.:light:

4 Months, and maybe there would not be a business and it would not matter.:thumbsdown:

:sun:

:heart:
 
Originally posted by: JackMDS
4 months closer to the release of ISA 2006, and maybe ISA 2004 would be cheaper.
I still haven't recovered from news that the first ISA 2006 Beta was released. The ISA 2004 Certification test only went live last June. I'm not in the mood to start studying for ANOTHER 3-hour exam quite yet!
 
This seemed like an interesting question, so I poked around a bit and found NuFW - it's basically a couple of daemons that sit on top of a standard linux iptables firewall, authenticate TCP SYN packets on a per-user basis, and then let iptables connection tracking take it from there. It has a number of authentication options, including system authentication through PAM. That might, with enough work, allow you to use pam_krb5 to auth the packets against MS AD.

I also played around with an eval version of ISA, because I've never used it before. And yeah, it's really a lot easier to accomplish what you want with that. But it looks like NuFW could work, and it's free.
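As an added example (not NuFW's own scripts, and not posted by anyone in this thread), here is the iptables skeleton that a per-user SYN authenticator of the kind described above sits on: default-deny forwarding, established connections carried by conntrack, and only the first packet of each new outbound TCP connection handed to a userspace daemon for a per-user verdict. Interface names (eth0 inside, eth1 outside), the queue number and the `IPT=echo` dry-run switch are assumptions made here; the daemon that reads the queue and maps source address to logged-on user is whatever you deploy (NuFW or your own).

```shell
#!/bin/sh
# Added example: per-user authorization gate on a Linux router.
# Assumed layout: eth0 = internal LAN, eth1 = external link,
# userspace authenticator listening on NFQUEUE 0.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
QUEUE_NUM="${QUEUE_NUM:-0}"

apply_rules() {
    # Default deny: a packet that matches nothing below is dropped, which is
    # what "not a single packet through the router" requires.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD

    # Once a connection has been accepted, conntrack carries it; the
    # authenticator only ever sees the first packet of a connection.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Malformed or out-of-state packets never reach the authenticator.
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # New TCP connections from the LAN to the outside go to the userspace
    # daemon, which maps source IP to the logged-on user and returns an
    # accept/drop verdict. With no daemon attached, NFQUEUE drops them.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --syn \
        -m conntrack --ctstate NEW -j NFQUEUE --queue-num "$QUEUE_NUM"

    # Everything else (inbound NEW, UDP, ICMP) falls to the DROP policy;
    # UDP and ICMP would need their own per-user decision path.
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh gate.sh apply` on the router (as root) or `IPT=echo sh gate.sh apply` to review the rules first. The security-relevant property is that the verdict is per connection, not per packet: the daemon decides once on the SYN and conntrack enforces it afterwards, so the daemon's source-IP-to-user mapping must be invalidated on logoff, otherwise the next person at the same station inherits the previous user's open connections until they time out.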
 