Securing a hardwired network - Options

Unanswered Question
Sep 4th, 2007

I would like some opinions or suggested practices in securing a wired network. In the past I have used Windows and DHCP to issue IP address via assigned mac address. Is there a better option utilizing an already existing 6500 series set of switches?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rtrunk Sun, 09/09/2007 - 16:05

It all depends on what your goal is. Are you trying to prevent people from plugging in unauthorized devices? Preventing snooping or other attacks by people already on your network?

Create an audit train of who is accessing the LAN?

Different security goals require different responses. If you can give some more detail, I can give you a better response.

Ron

jkmusic777 Mon, 09/10/2007 - 06:47

We want to lock all ports so that someone walking in the building, friend or foe, cannot plugin an unknown computer and get any network access, period. We don't want to scan for compliance or anything like that. And by the way...since I originally posted this, we still have no real answers.(existing software, purchasing software or hardware.)It is difficult to believe that we are among a minority. We realize that we can configure Microsoft DHCP for mac addresses, but if someone learns the mac, then they're in. This may be a risk and an option we still have to take, but then again that's why we are looking at options.

acomiskey Mon, 09/10/2007 - 06:58

802.1x port-based authentication sounds like what you want.

jkmusic777 Mon, 09/10/2007 - 07:08

1 - Could the radius server get logon info via a MS domain?

2 - How could this be transparent to existing users...or would they only see a logon screen if they powered off their machine? Reboot process?

rtrunk Mon, 09/10/2007 - 07:13

Yes, the Cisco ACS (running radius) can query an AD server or LDAP server for user credentials.

rtrunk Mon, 09/10/2007 - 07:22

On Win2K, XP (and probably Vista) it will be transparent to the user.

Ron

m.volodko Mon, 09/10/2007 - 23:38

Yes. Completely transparent.

Windows support this, afair, from 2000 with some SP. Check availability of windows service named: "Wireless Zero Configuration" responsible for this.

m.volodko Mon, 09/10/2007 - 23:32

Just to clarify. Actually if you want run only dot1x (without NAC) internal radius windows server (IAS) will be enough for this.

rtrunk Mon, 09/10/2007 - 07:08

First let me say that your current method is hardly any protection at all. It would be easy to spoof a mac address, or even easier, just configure a static address in your DHCP range. You are only keeping out the boy scouts and little old ladies.

My first thought is to use 802.1x. It will require every user to authenticate before the get access to the network. But it is a bit of work to get it working. I don't know the size of your network, but you may need one or more ACS servers. Then you have to deal with the problem of devices that can't authenticate -- printers and such. A bad guy could unplug a printer and plug in his computer. Also 802.1x is still a work-in-progress, IMO.

Cisco NAC will eventually have 802.1x integrated into it, but that is still in the future

None of these problems is insurmountable, but it is not a one day project either.

I have clients who simply shut down all unused ports, or put them in a unused and unroutable VLAN. When someone needs access, they turn the port back on. In a large organization, of course, that is a problem too.

acomiskey Mon, 09/10/2007 - 07:17

One solution to the printer problem is to use Mac Authentication Bypass, you just need a switch that supports it. What it does it take the mac address of the connecting device and passes it in all lowercase as the username and password. You just have to create accounts for these devices.

rtrunk Mon, 09/10/2007 - 07:26

A better solution than simply trusting the port, but it wouldn't be that hard to gather the mac address of the printer, either.

Ron

jafrazie Mon, 09/10/2007 - 07:31

Completely agreed. It wouldn't be that hard. There are wired printers that can do 802.1X ;-).

It's kind of like what happens when someone shows up at work without their badge, and all the trade-offs, management issues, etc. that are presented with this.

jkmusic777 Mon, 09/10/2007 - 07:32

Part 2??

2 - How could this be transparent to existing users...or would they only see a logon screen if they powered off their machine? Reboot process?

jafrazie Mon, 09/10/2007 - 09:41

Depends on the implementation, but user transparency is a typical design goal. Others would like to enforce pop-ups, etc.

Depends on things like EAP-type, backend-db support, directory infrastructure needs, etc.

Another thing to remember is things like 802.1X is roughly the dial-up networking model. It's just over an IEEE 802 media now instead of just PPP ;-).

rtrunk Mon, 09/10/2007 - 07:37

They would only see the normal Windows logon screen.

Actions

This Discussion