2

What is the best way to deal with spam or virus-infected hosts in a wireless network with personal laptops (like personal student laptops at a university)? What policies and tools does your company use?

Kazimieras Aliulis

4 Answers

3

Our University uses Cisco Wireless Control System (Cisco WCS), which has the ability to block clients, among other things.

1

Windows Server 2008's Network Access Protection (NAP) feature, part of the Network Policy Server role. It can even integrate with Cisco switches via 802.1x authentication.

You can require certain patches, anti-virus, or firewall settings... properties grouped together under the banner "system health". Network switches that support NAP and pass-through RADIUS authentication can auto-vlan clients into a protected quarantine.

Windows also has built-in IPSec to protect servers from roaming, non-domain clients as well. You can issue a certificate to "healthy" clients and require that certificate in IPSec SA negotiation. This essentially IP-filters your servers to domain-approved clients. You can also do it without certificates and just require valid Kerberos (domain) authentication. You can apply these 'authentication' IPSec policies to traffic that originates on your workstation subnets and is destined for your server subnets.

NAP requires an XP SP3, Vista, and Server 2008 environment. Doing it slickly may also require higher-end switches and a PKI.

IPSec can be implemented using XP, Vista, and Server 2003. But without health evaluation it's more of a 'known machine' vs. 'unknown machine' filter.

Mike Haboustak

  • +1 Could be useful to note that NAP basically only cares about the client's health certificate, which the client itself provides, thus it's not a security measure as it deals with good-behaving clients. IPSec and "domain isolation", however, of course are ^^ – Oskar Duveborn May 05 '09 at 20:57
  • The client provides the certificate, but its validity is determined by your own PKI. If they at any point fail a health check, the cert is revoked, and we'll hope there's no way to generate one on the client. However, I think what you're pointing out is the risk of having clients who lie about their health to obtain the certificate. – Mike Haboustak May 06 '09 at 01:00
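The two IPSec variants this answer describes (require a valid Kerberos machine account, or require a health certificate issued by your own PKI) can both be expressed as connection security rules in the Windows Firewall with Advanced Security that ships with Vista and Server 2008. The following is an added example written for this page, not code from the answer above or from Microsoft's documentation. The subnets (10.10.0.0/16 for workstations, 10.20.0.0/24 for servers) and the CA name are assumptions; substitute your own.

```batch
@echo off
REM Added example: "domain isolation" connection security rules via netsh.
REM Assumed addressing (placeholders, replace with your own):
REM   10.10.0.0/16  workstation subnets where roaming/personal laptops land
REM   10.20.0.0/24  server subnet to protect
REM Run on each server (or push the same rules by Group Policy).

REM 1) Variant without certificates: any host talking to the server subnet
REM    must complete IPSec negotiation with a valid Kerberos (domain)
REM    machine account. Unknown machines cannot negotiate an SA, so they
REM    are filtered out before any application port is reachable.
netsh advfirewall consec add rule name="Require domain auth to servers" ^
    endpoint1=10.10.0.0/16 endpoint2=10.20.0.0/24 ^
    action=requireinrequireout auth1=computerkerb profile=domain

REM 2) Variant with NAP health certificates: the peer must present a
REM    certificate issued by our CA and marked as a health certificate.
REM    The server does not take the client's word for its health; whether
REM    the certificate is valid (or revoked) is decided by the issuing PKI.
REM    The CA name below is a placeholder.
netsh advfirewall consec add rule name="Require health cert to servers" ^
    endpoint1=10.10.0.0/16 endpoint2=10.20.0.0/24 ^
    action=requireinrequireout ^
    auth1=computercert auth1ca="CN=EXAMPLE-CA,DC=example,DC=edu" ^
    auth1healthcert=yes profile=domain

REM Confirm what is now in force before relying on it.
netsh advfirewall consec show rule name=all
```

Use one variant or the other: rule 1 is the "known machine vs. unknown machine" filter the answer mentions, rule 2 only makes sense once NAP and a PKI are in place. In either case, test from a non-domain laptop on the workstation subnet and confirm that the server's ports are unreachable, which is the whole point of the exercise.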
0

Many Wireless Routers and APs support wireless separation, which stops any communication between wireless clients and obviously prevents nasties from spreading, in case your users are not running firewalls.

In fact, if you are setting up a small "Hot Spot" with just a wireless router and a broadband connection and no other hosts, then this is pretty much good enough security. If you want to protect your own hosts, that's another matter: I'd NAT against the wireless network and only allow HTTP. In a sense, clients that come at you from a wireless network where people are using their own unmanaged hardware, even if access is controlled, should pretty much be treated as traffic from the Internet and should be firewalled against, with only tried and tested protocols like HTTP being used. I wouldn't use SMB in this scenario, for instance.

Christopher Edwards

  • I like the wireless separation concept, but I think that a significant problem caused by spammers and infected computers is use of bandwidth and the risk of getting blacklisted for an open relay as much as risks to other network hosts. Simple packet inspection at the firewall definitely helps with that once you've locked it down to "required" Internet protocols. – Mike Haboustak May 06 '09 at 00:55
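The "treat the wireless network like the Internet" rule set from this answer, applied on the Windows hosts that wireless clients are allowed to reach, as an added example written for this page (not code from the answer or from any vendor). The wireless subnet 10.30.0.0/16 is an assumption. It relies on one property of Windows Firewall that is easy to get wrong: block rules take precedence over allow rules, so a blanket "block the wireless subnet" rule would also kill the HTTP allow. The example therefore leaves the default inbound action at block, adds narrow allows, and adds explicit blocks only for SMB/NetBIOS, which override any pre-existing broad allow such as File and Printer Sharing.

```batch
@echo off
REM Added example: expose only tried-and-tested web protocols to an
REM unmanaged wireless subnet, and make sure SMB is never reachable from it.
REM Assumed addressing (placeholder): 10.30.0.0/16 = personal-laptop wireless.
REM Run on each host that wireless users must reach, or push by Group Policy.

REM Default posture: inbound blocked unless a rule allows it. This is what
REM makes the wireless subnet look like "the Internet" to this host.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM Narrow allows: HTTP and HTTPS only, and only from the wireless subnet.
netsh advfirewall firewall add rule name="Wireless: allow HTTP" ^
    dir=in action=allow protocol=TCP localport=80 remoteip=10.30.0.0/16
netsh advfirewall firewall add rule name="Wireless: allow HTTPS" ^
    dir=in action=allow protocol=TCP localport=443 remoteip=10.30.0.0/16

REM Explicit blocks for SMB/NetBIOS from the wireless subnet. Block rules
REM win over allow rules, so these hold even if "File and Printer Sharing"
REM is enabled for any remote address on this host.
netsh advfirewall firewall add rule name="Wireless: block SMB" ^
    dir=in action=block protocol=TCP localport=139,445 remoteip=10.30.0.0/16
netsh advfirewall firewall add rule name="Wireless: block NetBIOS" ^
    dir=in action=block protocol=UDP localport=137,138 remoteip=10.30.0.0/16

REM Verify: list the inbound rules this script created.
netsh advfirewall firewall show rule name=all dir=in | findstr /i "Wireless:"
```

The allow rules are deliberately scoped with remoteip so that a later, broader allow for the wired domain network does not have to be weakened; if the host also needs to be reachable on other ports from managed subnets, add separate rules for those subnets rather than widening these.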
-1

Block their ethernet port as soon as you see problematic activity, take the machine and clean the virus or wipe if necessary, have a "come to Jesus" with them about clicking on email attachments.

Chris Ballance