How to protect a network from unwanted devices?

ugin · ‎07-31-2009

Hi!

The problem is that I work in an IT-company and there are many creative technical people who like to plug different unwanted things (e.g. personal notebooks, wi-fi APs etc.) into computer jacks. Is it neccessary to explain how a wi-fi AP attached to corporate network instead of a legal laptop breaks up the security? I guess the answer is no.

So I'm trying to find a way to restrict access of unwanted devices to the network. First of all I'm looking at 802.1x catalysts capapability. And I look for a possibilty to have some kind of certificates, by which the computers can be authenticated via 802.1x. The certificates, that cannot be copied from one computer to another or else. So the certificate must be somehow attached to computer configuration or maybe in some other way be unique.

Does anybody know a suitable solution?

Thanks!

ttran · ‎07-31-2009

If the network jack is not in used then you can shutdown on the switch port. If the network jack is live with company PC then you can set up the port security with sticky MAC. Problem with sticky MAC that when the PC is moved or replaces with new PC then you have to remove the port security with the old sticky MAC and re-apply the command. You do not need to put in the MAC address, the switch port will reconize the MAC address and record on the switchport when show run int gx/x.

Hope this help.

T

ugin · ‎07-31-2009

Hi!

I certainly know about port-security feature. But the fact is that on many modern NICs it's worth nothing to change a MAC. If a user knows his legal corporate PC's MAC, he brings his notebook, goes to Device Manager -> Network Adapters and voi-la!

So I'm looking for a solution that could protect my network from faked MACs.

Collin Clark · ‎07-31-2009

Exactly what you've stated. 802.1x with certificates pushed out via group policy. We use Microsoft Certificate Services for the CA. Almost all IOS based switches have 802.1x capabilities, but if you have a specific model, let us know and we can double check it for you.

Hope that helps.

ugin · ‎07-31-2009

Hi Collin!

Thanks for your answer! Our swithes are 2960, they seem to support dot1x. But my question is mostly about certificates concept. Could you, please, give me some urls for I could read about those certificates?

For me the most interesting qustion is to have a certificate protected from copying. So that a user just couldn't copy this cert from a legal workstation to his notebook and gain access to network from that notebook.

a.moreck · ‎07-31-2009

Collin,

I am trying to do exactly what you described, 802.1x on the switch port and certificate autoenrollment using group policy.

My PCs get certificates when IT department sets them up so computer authentication works great. However, when a user logs into a PC for the first time they dont have a certificate on that PC yet.

The issue i am having is after the user logs in windows does a re-auth using the user certificate and fails (no certificate). The switch port goes to unauth and the user certificate autoenrollment fails.

If the user has a certificate on that PC already the all works as expected.

Collin Clark · ‎08-03-2009

I talked to our cert guy and he said we only use machine certs and typically there is no reason to use user certs (I have to assume you have a reason for them though).