09-04-2007 07:49 AM - edited 03-10-2019 01:36 PM
I would like some opinions or suggested practices in securing a wired network. In the past I have used Windows and DHCP to issue IP address via assigned mac address. Is there a better option utilizing an already existing 6500 series set of switches?
09-04-2007 09:07 AM
there are lots of layer 2 attack mitigation techniques..this will give you a good start:
http://www.cisco.com/web/CA/events/pdfs/L2-security-Bootcamp-final.pdf
also, refer to the proper OS documentation for your 6500's.
09-09-2007 04:05 PM
It all depends on what your goal is. Are you trying to prevent people from plugging in unauthorized devices? Preventing snooping or other attacks by people already on your network?
Create an audit trail of who is accessing the LAN?
Different security goals require different responses. If you can give some more detail, I can give you a better response.
Ron
09-10-2007 06:47 AM
We want to lock all ports so that someone walking in the building, friend or foe, cannot plug in an unknown computer and get any network access, period. We don't want to scan for compliance or anything like that. And by the way... since I originally posted this, we still have no real answers (existing software, purchasing software or hardware). It is difficult to believe that we are among a minority. We realize that we can configure Microsoft DHCP for MAC addresses, but if someone learns the MAC, then they're in. This may be a risk and an option we still have to take, but then again that's why we are looking at options.
09-10-2007 06:58 AM
802.1x port-based authentication sounds like what you want.
09-10-2007 07:08 AM
1 - Could the RADIUS server get logon info via an MS domain?
2 - How could this be transparent to existing users...or would they only see a logon screen if they powered off their machine? Reboot process?
09-10-2007 07:13 AM
Yes, the Cisco ACS (running RADIUS) can query an AD server or LDAP server for user credentials.
09-10-2007 07:14 AM
And part 2?
09-10-2007 07:22 AM
On Win2K, XP (and probably Vista) it will be transparent to the user.
Ron
09-10-2007 11:38 PM
Yes. Completely transparent.
Windows supports this, AFAIR, from 2000 with some SP. Check availability of the Windows service named "Wireless Zero Configuration", which is responsible for this.
09-10-2007 11:32 PM
Just to clarify. Actually, if you want to run only dot1x (without NAC), an internal Windows RADIUS server (IAS) will be enough for this.
09-10-2007 07:08 AM
First let me say that your current method is hardly any protection at all. It would be easy to spoof a MAC address, or even easier, just configure a static address in your DHCP range. You are only keeping out the Boy Scouts and little old ladies.
My first thought is to use 802.1x. It will require every user to authenticate before they get access to the network. But it is a bit of work to get it working. I don't know the size of your network, but you may need one or more ACS servers. Then you have to deal with the problem of devices that can't authenticate -- printers and such. A bad guy could unplug a printer and plug in his computer. Also, 802.1x is still a work-in-progress, IMO.
Cisco NAC will eventually have 802.1x integrated into it, but that is still in the future.
None of these problems is insurmountable, but it is not a one day project either.
I have clients who simply shut down all unused ports, or put them in an unused and unroutable VLAN. When someone needs access, they turn the port back on. In a large organization, of course, that is a problem too.
09-10-2007 07:17 AM
One solution to the printer problem is to use MAC Authentication Bypass; you just need a switch that supports it. What it does is take the MAC address of the connecting device and pass it, in all lowercase, as the username and password. You just have to create accounts for these devices.
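Putting the pieces from the two posts above into one Catalyst 6500 configuration: 802.1X on user ports with no guest or auth-fail VLAN (so an unauthenticated device gets nothing), MAC Authentication Bypass only on the printer port, and unused ports shut down and parked in an unroutable VLAN. This is an added example, not configuration posted by anyone in this thread. It assumes a 6500 running 12.2SX-era IOS with the pre-SXI `dot1x` syntax; the RADIUS server address, shared secret, VLAN numbers, interface numbers and the printer MAC are placeholders.

```cisco
! ---- Global: RADIUS (assumed IAS/ACS box at 10.0.0.10) and 802.1X enable ----
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key SharedSecretChangeMe
dot1x system-auth-control
!
! ---- Parking VLAN for unused ports: no SVI, never routed, never carried on a trunk ----
vlan 999
 name PARKING-UNUSED
!
! ---- Normal user port: 802.1X required. Deliberately no "dot1x guest-vlan" and no
!      "dot1x auth-fail vlan", so a box without valid credentials stays unauthorized. ----
interface GigabitEthernet3/1
 description Staff desktop - 802.1X only
 switchport
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! ---- Printer port: same 802.1X policy plus MAB fallback. After tx-period x (max-reauth-req + 1)
!      = 15 s with no EAPOL reply, the switch sends the device MAC, lowercase with no
!      separators (placeholder 001122aabbcc), as both RADIUS username and password.
!      That account, with that password, must exist on the RADIUS server. ----
interface GigabitEthernet3/2
 description Printer - 802.1X with MAB fallback
 switchport
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 dot1x mac-auth-bypass
!
! ---- Unused ports: parked AND shut, so a port someone "no shut"s by mistake still
!      lands in a VLAN that goes nowhere. ----
interface range GigabitEthernet3/40 - 48
 description UNUSED - parked
 switchport
 switchport mode access
 switchport access vlan 999
 shutdown
```

Check the result with `show dot1x all` and `show dot1x interface GigabitEthernet3/2 details` (the printer port should show an authorized session with the MAC as the identity after the 15 s fallback). Two caveats a practitioner will want: Cisco MAB sends the MAC address with PAP by default, so the IAS/ACS policy for those accounts must permit PAP (or use `dot1x mac-auth-bypass eap` for EAP-MD5); and, as the next reply in the thread points out, MAB only raises the bar, since anyone who reads the printer's MAC off its label or a packet capture can present it. On 12.2(33)SXI and later the per-interface keywords are `authentication port-control auto` and `mab` instead of the `dot1x` forms shown here.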
09-10-2007 07:26 AM
A better solution than simply trusting the port, but it wouldn't be that hard to gather the mac address of the printer, either.
Ron
09-10-2007 07:29 AM
this is true...