Securing a hardwired network

jkmusic777
Level 1

I would like some opinions or suggested practices in securing a wired network. In the past I have used Windows and DHCP to issue IP addresses via assigned MAC addresses. Is there a better option utilizing an already existing 6500 series set of switches?

20 Replies

srue
Level 7

There are lots of layer 2 attack mitigation techniques. This will give you a good start:

http://www.cisco.com/web/CA/events/pdfs/L2-security-Bootcamp-final.pdf

Also, refer to the proper OS documentation for your 6500s.

rtrunk
Level 1

It all depends on what your goal is. Are you trying to prevent people from plugging in unauthorized devices? Preventing snooping or other attacks by people already on your network?

Create an audit trail of who is accessing the LAN?

Different security goals require different responses. If you can give some more detail, I can give you a better response.

Ron

We want to lock all ports so that someone walking in the building, friend or foe, cannot plug in an unknown computer and get any network access, period. We don't want to scan for compliance or anything like that. And by the way... since I originally posted this, we still have no real answers (existing software, purchasing software or hardware). It is difficult to believe that we are among a minority. We realize that we can configure Microsoft DHCP for MAC addresses, but if someone learns the MAC, then they're in. This may be a risk and an option we still have to take, but then again that's why we are looking at options.

802.1x port-based authentication sounds like what you want.

1 - Could the radius server get logon info via a MS domain?

2 - How could this be transparent to existing users...or would they only see a logon screen if they powered off their machine? Reboot process?

Yes, the Cisco ACS (running radius) can query an AD server or LDAP server for user credentials.

And part 2?

On Win2K, XP (and probably Vista) it will be transparent to the user.

Ron

Yes. Completely transparent.

Windows supports this, AFAIR, from 2000 with some SP. Check availability of the Windows service named "Wireless Zero Configuration", which is responsible for this.

Just to clarify: actually, if you want to run only dot1x (without NAC), the internal Windows RADIUS server (IAS) will be enough for this.

First let me say that your current method is hardly any protection at all. It would be easy to spoof a MAC address, or even easier, just configure a static address in your DHCP range. You are only keeping out the boy scouts and little old ladies.

My first thought is to use 802.1x. It will require every user to authenticate before they get access to the network. But it is a bit of work to get it working. I don't know the size of your network, but you may need one or more ACS servers. Then you have to deal with the problem of devices that can't authenticate -- printers and such. A bad guy could unplug a printer and plug in his computer. Also 802.1x is still a work-in-progress, IMO.

Cisco NAC will eventually have 802.1x integrated into it, but that is still in the future.

None of these problems is insurmountable, but it is not a one day project either.

I have clients who simply shut down all unused ports, or put them in an unused and unroutable VLAN. When someone needs access, they turn the port back on. In a large organization, of course, that is a problem too.

One solution to the printer problem is to use MAC Authentication Bypass; you just need a switch that supports it. What it does is take the MAC address of the connecting device and pass it in all lowercase as the username and password. You just have to create accounts for these devices.

A better solution than simply trusting the port, but it wouldn't be that hard to gather the mac address of the printer, either.

Ron
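To make the two approaches Ron describes concrete (parking unused ports in an unroutable VLAN, and 802.1x with MAC Authentication Bypass as the fallback for printers), here is an added Cisco IOS configuration sketch. It is not from the original thread or from Cisco; it assumes a Catalyst 6500 running an IOS release with the `authentication` command set (12.2(33)SXI or later), and the RADIUS server address, shared secret, VLAN numbers and interface ranges are placeholders.

```cisco
! --- Global AAA: point 802.1x authentication at the RADIUS server (ACS or IAS) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Placeholder server address and shared secret; replace with your own
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-SHARED-SECRET
dot1x system-auth-control
!
! --- Unused ports: park in a VLAN with no SVI/routing, and shut them down ---
vlan 999
 name BLACKHOLE
interface range GigabitEthernet 2/1 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- User-facing port: try 802.1x first, fall back to MAB for printers ---
! With MAB the switch sends the device MAC (lowercase) as username/password,
! so each printer still needs an account on the RADIUS server.
interface GigabitEthernet 1/1
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

Note that a port left on MAB is only as strong as the secrecy of the printer's MAC, which is the caveat Ron raises above; `show authentication sessions` on the switch shows which method (dot1x or mab) each port actually authorized with.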

this is true...
