stopping people from plugging in to the network and accessing the net

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Anybody know if it is possible to configure a linux gateway/router so when an unapproved computer plugs into the network, it will be denied access to the internet?

Would using Squid as a transparent proxy be good for this? Going by domain membership of the computer account would be good. Some sort of MAC address allowed list sounds plausible, but will probably not work for us.

Maybe EAP (or PEAP or whatever) would be good for this?

Let me know if anyone has found a good solution for this. Basically we have a Windows 2000 domain and don't want someone to be able to plug in their home laptop at work and surf the net.
 

Tsaico

Platinum Member
Oct 21, 2000
2,669
0
0
Well, here is one way you can do it. Assuming you have control over your DHCP server, you can make your pool of available IPs the exact number of devices you have. Then on most routers, even the cheap home ones, you can allow NAT for a specific IP range and deny the others. That would more or less stop anyone from hopping onto the Net. It is both easy to do, and requires little adjustment.

Then I would make reservations for all your IP devices in the DHCP reservations lists. (or even make the reservation time very long I suppose, but that can cause other issues)

However, as far as security is concerned, it is still crap. This does not prevent someone from still getting onto your network and being able to transfer information off or out. It just makes it inconvenient. It sounds to me like you are trying to solve an HR issue with an IT solution. Good luck.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Brazen, use managed switches and do this at the switch level. You also probably don't want non-company laptops talking on your LAN. Look at 802.1x and other MAC/RADIUS port access controls.
 

yukichigai

Diamond Member
Apr 23, 2003
6,404
0
76
I had the same fear here at work, so here's what I did. First I configured the Internet Gateway -- the router managing the internet connection -- to block all internet access to a set range of IPs. (192.168.x.50 to 192.168.x.100) I then configured the DHCP server (a Win2k machine) to only automatically assign IP addresses to that range. Finally I went through and made a list of every computer that needed internet access, then specified address reservations for each of those computers' MAC addresses that was outside that range. (starting at 192.168.x.11 and going up) Windows Server's DHCP server lets you do this. Now when any new computer connects to the network it's automatically assigned an IP address that has no internet access, but I can remove that block simply by adding a new address reservation.

Also, as a failsafe I set up a proxy on a computer outside the access block using LanSuite 602. There's a free version for up to 5 users, if you're interested. Very cool software.
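As an added illustration of the scheme described in the post above (not code from the poster, and not tied to any particular DHCP server), here is a small Python audit script. It assumes the layout from the post: approved machines get DHCP reservations below the dynamic pool, the dynamic pool (.50 to .100 in a constructed 192.168.1.0/24) is denied forwarding at a Linux gateway, and anything that shows up with an active lease in the pool is an unapproved device worth looking at. The lease text and MAC addresses are constructed sample data in ISC dhcpd.leases style; the iptables lines are generated as strings for review rather than applied.

```python
import ipaddress
import re

# Constructed subnet layout: reservations sit below the dynamic pool,
# the dynamic pool .50-.100 is the "no Internet" range at the gateway.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
QUARANTINE_POOL = (ipaddress.ip_address("192.168.1.50"),
                   ipaddress.ip_address("192.168.1.100"))

# Approved MAC -> reserved IP (constructed values; in practice this is
# exported from the DHCP server's reservation list).
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.11",
    "00:11:22:33:44:66": "192.168.1.12",
}

# Constructed excerpt in ISC dhcpd.leases style (three leases).
SAMPLE_LEASES = """
lease 192.168.1.11 {
  starts 4 2005/09/01 08:00:00;
  ends 4 2005/09/01 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "WORKSTATION1";
}
lease 192.168.1.51 {
  starts 4 2005/09/01 09:12:00;
  ends 4 2005/09/01 21:12:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "home-laptop";
}
lease 192.168.1.52 {
  starts 4 2005/09/01 09:12:00;
  ends 4 2005/09/01 21:12:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ff;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return one dict (ip, mac, state, hostname) per lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        leases.append({
            "ip": m.group("ip"),
            "mac": mac.group(1).lower() if mac else None,
            "state": state.group(1) if state else "unknown",
            "hostname": host.group(1) if host else "",
        })
    return leases


def in_quarantine_pool(ip):
    """True if ip falls inside the dynamic (no-Internet) pool."""
    lo, hi = QUARANTINE_POOL
    return lo <= ipaddress.ip_address(ip) <= hi


def classify(lease):
    """approved / mismatch / quarantined / unexpected for one lease."""
    reserved_ip = RESERVATIONS.get(lease["mac"])
    if reserved_ip == lease["ip"]:
        return "approved"
    if reserved_ip is not None:
        return "mismatch"      # known MAC, but not on its reserved address
    if in_quarantine_pool(lease["ip"]):
        return "quarantined"   # unknown device, correctly landed in the pool
    return "unexpected"        # unknown MAC outside the pool: check DHCP config


def audit(text):
    """Map each active lease's IP to its classification."""
    return {l["ip"]: classify(l) for l in parse_leases(text) if l["state"] == "active"}


def gateway_rules(iface_lan="eth0"):
    """iptables FORWARD rules for a Linux gateway: drop the pool, accept the rest."""
    lo, hi = QUARANTINE_POOL
    return [
        f"iptables -A FORWARD -i {iface_lan} -m iprange --src-range {lo}-{hi} -j DROP",
        f"iptables -A FORWARD -i {iface_lan} -s {SUBNET} -j ACCEPT",
    ]


if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_LEASES).items():
        print(f"{ip:16} {verdict}")
    print("\n".join(gateway_rules()))
```

Run it against a real leases file and the "quarantined" entries are exactly the machines the post describes: they got an address, they got no Internet, and they are the ones to follow up on. A "mismatch" or "unexpected" verdict usually means the reservation list and the DHCP server have drifted apart.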
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Tsaico > No, it's not an HR issue, it's an IT security issue.

I'm probably going to check out the 802.1x (that's EAP isn't it?) and RADIUS. Although does that mean that EVERY switch has to be managed? Or just our central switch (that every computer has to go through to connect to our servers or the internet)? We have almost all Dell switches, but there are some older, cheapo switches in various locations.
 

MrControversial

Senior member
Jan 25, 2005
848
0
0
Originally posted by: Tsaico
It sounds to me like you are trying to solve an HR issue with an IT solution. Good luck.
Exactly. I mean, who can just walk into your place and plug in a computer without you knowing? That's not an IT issue at all. Is there any way someone could get onto the network without your permission (i.e. a college campus)?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
It might help to know what the size of your company is - as the solutions provided might be more applicable to smaller/large environments as appropriate.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: spidey07
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.
Sweet sounds like that will be the right place to start.

Originally posted by: networkman
It might help to know what the size of your company is - as the solutions provided might be more applicable to smaller/large environments as appropriate.
300 computers, about 400 users, in 8 locations, all of which connect back to my office through leased lines.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Cisco also has a box solution called "clean access", it's from their acquisition of Perfigo.

Works pretty well and isn't as difficult as a full blown 802.1x implementation.
 

Tsaico

Platinum Member
Oct 21, 2000
2,669
0
0
Ouch! OK, ok, ok, sorry! The previous listed suggestion I had was only to block someone from getting internet. From your original question it sounded like that was your primary concern, not the overall integrity of your network.

But all the switches would have to be managed. You can block traffic to specific ports, and also control what MACs are attached to what ports. IE, so even a previously accepted machine won't work if they physically move it to another. Unfortunately if your central backbone is managed but there are other switches daisy chained out from there, you lose manageability at that particular port. (IE you can block the internet traffic to that entire segment, but not to specific machines in that segment.) So it may still work depending on your layout.
 

blemoine

Senior member
Jul 20, 2005
312
0
0
we use an ipcop firewall in transparent mode. it is set up with active directory authentication so in order to browse the internet you have to authenticate with the IPCOP box. no authentication no internet. you can allow or disallow groups and users. it works very well and it's free
 

MrControversial

Senior member
Jan 25, 2005
848
0
0
Originally posted by: spidey07
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.
I see this as a real issue with wireless connections because of the nature of the medium. For example we have a college dorm next to our facility and there's a real chance that they could leech off our connection. However, with WEP and MAC registering, it's easier to prevent unauthorized access to your resources. However, I just have a hard time fathoming someone just waltzing in and jacking in to our network without me knowing. First of all, they have to get a security badge from the admin department and then they have to wait for me or someone else to give them permission to get the job done.

As a theoretical exercise, I think this topic is appropriate for some environments, but in most it's just a matter of amending your company's standard operating procedures. No one should be in the building unless you know who they are and what they're doing.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: MrControversial
Originally posted by: spidey07
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.
I see this as a real issue with wireless connections because of the nature of the medium. For example we have a college dorm next to our facility and there's a real chance that they could leech off our connection. However, with WEP and MAC registering, it's easier to prevent unauthorized access to your resources. However, I just have a hard time fathoming someone just waltzing in and jacking in to our network without me knowing. First of all, they have to get a security badge from the admin department and then they have to wait for me or someone else to give them permission to get the job done.

As a theoretical exercise, I think this topic is appropriate for some environments, but in most it's just a matter of amending your company's standard operating procedures. No one should be in the building unless you know who they are and what they're doing.
Our situation is quite different. We have several sites, but are small enough that security (in the physical realm) is virtually non-existent. However, my concern is not so much outsiders, as an employee bringing in a laptop from home and plugging it in.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: blemoine
we use an ipcop firewall in transparent mode. it is setup with active directory authentication so in order to browse the internet you have to authenticate with the IPCOP box. no authentication no internet. you can aloow or disallow groups and users. it works very well and its free
When I first posted, this is exactly what I was thinking I wanted, but then, anyone with a domain account can plug in a laptop from home and still access the internet from a non-company computer. Or, can ipcop require authentication of the computer account, as opposed to user account?
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
802.1x with machine certs. You can also require use of something like Cisco's trust agent to ensure configs aren't changed
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Is there any way to do this without requiring special switches? Maybe have all computers use an ssl cert and the gateway (and other machines) will not respond unless traffic is signed with that cert?

And I still don't understand how/if this will work if we have managed switches, but not all managed switches.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
You could put up a proxy server and configure your firewall to only allow the proxy server to access the Internet. Then force machine and user authentication for users on the proxy server (depending on the capabilities of the proxy).

But if you want to deny access to the internal network (which you should), you'll need managed switches. Your two options there are really port-based MAC-address security (which acts like the MAC filter on wireless, except for each port on a switch), or 802.1x. Either way, you'll need managed switches for that.
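Tsaico's point about controlling which MACs sit on which ports, and Boscoh's port-based MAC security option, both come down to the same defender's check: compare what the switch currently sees against the port-to-MAC map you approved. The script below is an added example (not the posters' code, not tied to any switch vendor) that parses a constructed MAC-table dump in the common "vlan / mac / type / port" column layout and flags three things: an unknown MAC on an access port, an approved MAC that has moved to a different port, and several MACs behind one port, which on an access port is the "daisy-chained unmanaged switch" situation Tsaico describes. The port names, MAC addresses and table text are all constructed.

```python
import re
from collections import defaultdict

# Constructed approved mapping: each access port -> the one MAC allowed there.
EXPECTED = {
    "Fa0/1": "0011.2233.4455",
    "Fa0/2": "0011.2233.4466",
    "Fa0/3": "0011.2233.4477",
}

# Constructed switch output in the usual four-column MAC-table layout.
SAMPLE_MAC_TABLE = """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    0011.2233.4477    DYNAMIC     Fa0/2
   1    0011.2233.4466    DYNAMIC     Fa0/2
   1    00aa.bbcc.ddee    DYNAMIC     Fa0/4
   1    00aa.bbcc.ddf0    DYNAMIC     Fa0/4
"""

# One data row: vlan, dotted-hex MAC, learn type, port. Header lines don't match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: [mac, ...]} from a MAC-table dump."""
    per_port = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            per_port[m.group(4)].append(m.group(2).lower())
    return dict(per_port)


def audit_ports(per_port, expected):
    """Compare observed port/MAC pairs with the approved map.

    Returns (port, finding, detail) tuples:
      multiple-macs  more than one MAC behind an access port
      unknown-mac    MAC not in the approved map at all
      moved-mac      approved MAC seen on a port other than its own
    """
    mac_home = {mac: port for port, mac in expected.items()}
    findings = []
    for port, macs in sorted(per_port.items()):
        if len(macs) > 1:
            findings.append((port, "multiple-macs", ",".join(sorted(macs))))
        for mac in macs:
            home = mac_home.get(mac)
            if home is None:
                findings.append((port, "unknown-mac", mac))
            elif home != port:
                findings.append((port, "moved-mac", f"{mac} expected on {home}"))
    return findings


if __name__ == "__main__":
    for port, kind, detail in audit_ports(parse_mac_table(SAMPLE_MAC_TABLE), EXPECTED):
        print(f"{port:8} {kind:14} {detail}")
```

The "multiple-macs" finding is the one that matters for the daisy-chain question in the thread: on a port where more than one address is learned, per-device port security is no longer possible from that switch, and the only remaining control is on the whole segment behind it.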
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
There are products out there (software based) that you install on your Server which requires the User to end a Security Code Before they will be Allowed Access to the Application they are trying to use ... you could set it up so they need this Before they can Access Anything on the Network except the Security program .. we had this at Verizon to ensure a secure login to certain apps & also if you logged in from home ... unfortunately, I forgot what they called it ... the symbol looks like a lock cylinder
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I'm thinking I may be able to use IPSEC to do this going by an article I found. Anyway I started a thread asking about IPSEC here. But, I have another question about EAP-TLS... What do you do about printers? Is it possible for a printer, such as HP 5si or 8100, to authenticate through EAP-TLS?