4

Just curious: How do people "lock down" their network to prevent unauthorized devices from gaining network access?

Is it different in a DHCP vs. static IP network?

What about Windows AD managed?

Edit: I'm not trying to prevent anything per se. Just curious how a "secure" network should be implemented

Matt Rogish
  • 1,512
  • 6
  • 25
  • 41

9 Answers

8

Implement 802.1x authentication on your network, and/or disable all your unused switch ports.

DHCP, Static IPs, and AD have very little to do with your security from an outsider trying to gain access.

If you don't want to flat out disable the ports I'd suggest putting all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Then monitor that DHCP server for any leases and track down where people are randomly plugging in. If you really want you could setup a captive portal on that VLAN explaining why they aren't able to browse the internet.

sclarson
  • 3,684
  • 22
  • 20
  • 2
    +1 - Assuming that the threat is "unauthorized devices being attached to the Ethernet", 802.1X is the way to go. Switches that automatically shutdown ports with more than an allowed number of MAC addresses (ala Cisco's "switchport port-security maximum" functionality) help out, too (preventing rogue hubs, switches, and wireless APs from being plugged in, etc). – Evan Anderson Nov 06 '09 at 23:55
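The "monitor that DHCP server for any leases" step above, as an added example that is not sclarson's own tooling: it reads an ISC dhcpd.leases file for the quarantine VLAN and lists the boxes currently holding an address there. The lease file contents, subnet, MACs and hostnames are constructed for the example.

```python
import ipaddress
import re

# Constructed ISC dhcpd.leases excerpt for the quarantine VLAN (10.99.0.0/24).
SAMPLE_LEASES = """\
lease 10.99.0.23 {
  binding state active;
  hardware ethernet 00:16:d3:aa:bb:01;
  client-hostname "sales-laptop-7";
}
lease 10.99.0.24 {
  binding state free;
  hardware ethernet 00:16:d3:aa:bb:02;
}
lease 10.99.0.23 {
  binding state active;
  hardware ethernet 00:16:d3:aa:bb:01;
  client-hostname "sales-laptop-7";
}
lease 10.0.5.10 {
  binding state active;
  hardware ethernet 00:16:d3:aa:bb:03;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Yield (ip, fields) for every lease block, in file order."""
    for m in LEASE_RE.finditer(text):
        fields = {}
        for line in m.group(2).splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("binding state "):
                fields["state"] = line.split()[2]
            elif line.startswith("hardware ethernet "):
                fields["mac"] = line.split()[2]
            elif line.startswith("client-hostname "):
                fields["hostname"] = line.split(" ", 1)[1].strip('"')
        yield m.group(1), fields

def active_quarantine_leases(text, subnet):
    """Active leases in the subnet; dhcpd appends, so the last block per IP wins."""
    net = ipaddress.ip_network(subnet)
    latest = {}
    for ip, fields in parse_leases(text):
        if ipaddress.ip_address(ip) in net:
            latest[ip] = fields
    return {ip: f for ip, f in latest.items() if f.get("state") == "active"}
```

Each returned entry gives the MAC (and hostname, when the client sent one) to match against the switch's MAC table to find the port someone plugged into.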
3

Secure from what? Locked down to prevent what?

  • What is the proposed threat that you're trying to mitigate against?
  • How much can your theoretical legitimate users be inconvenienced in the aim of security?
  • (kinda linked to the previous point) what is the value of the stuff being protected?
  • what is the cost / consequences of a breach? Will people die? Will businesses go bankrupt?

I'm not being pedantic by the way, these are just some of the questions you must answer before you can begin locking anything down. The security needed to keep my employer's data safe is different from that needed to keep a bank safe, or to protect sensitive data relating to military deployments, for example.

I can tell you that to prevent users casually connecting to a network whose security I care about to some degree I might implement 802.1x security, but depending on their answers to the questions above I might need to do a lot more than that. Or a bit less.

Rob Moir
  • 31,884
  • 6
  • 58
  • 89
3

Windows Domain Isolation will isolate your Windows nodes with IPsec - preventing access to them from anyone connecting to the network that's not part of the domain.

By also requiring user/personal authentication or simply domain membership to get past any firewalls - you've further restricted what a plugger-in can do.

There're bound to be vulnerable nodes though - like printers on the printer network, where physical security will still be important for preventing someone from just plugging in.

Simply segmenting the network as much as possible will also help make it more robust.

In combination with 802.1x though you'd get something fairly decent, though 802.1x is sadly not bullet-proof in its wired form.

As usual with security, depth and many layers are the way to go.

Oskar Duveborn
  • 10,760
  • 3
  • 33
  • 48
2

All the DHCP based, MAC based, and IP based access control solutions can be easily defeated by spoofing them, and hence are least effective.

Creating VLANs is a cheap method to limit network access. It has its own limitations and weaknesses.

802.1x authentication is a switch based port control method and will work for small organizations most of the time. It would however fail in cases where a person starts using say a printer switch port, which is generally left open.

In the last few years a new kind of appliance/device/solution has come to the market, which implements NAC (Network Access Control), and some of them do use 802.1x. These devices/solutions require a user to authenticate and also limit the access of the users to only the resources that are required to do their daily job. A printer would not, say, get SSH access to a server. Therefore, the printer's port is of less value to a user now.

1

AD management has very little to do with preventing network access. It controls who can log into resources, if they're managed by AD, but it won't stop a device from connecting to your network. Neither will using DHCP or static IPs, unless you're also doing filtering based on ethernet MAC addresses.

Can you explain more thoroughly the kind of access you're trying to prevent? This question is pretty broad in scope, and could take years to cover thoroughly. ;)

Graeme
  • 343
  • 1
  • 6
  • I'm not trying to prevent anything per se. Just curious how a "secure" network should be implemented :D – Matt Rogish Nov 06 '09 at 21:41
  • Oh, so you're after general best practices then? You should probably focus a little more specifically, because this is a *very* broad area. ;) – Graeme Nov 06 '09 at 22:23
1

If 802.1x seems like overkill for your situation and you're looking more for a solution that inconveniences people enough so that they don't plug in hardware all willy-nilly, I like what my colleague did, and which works like a charm. All you need is a network where all devices have static or statically assigned DHCP IP addresses, which may be a good idea anyway, e.g. for long-term consistency in logs.

  1. On all machines, set the ARP cache entries for all IP addresses in the local IP network to a specific locally administered MAC address
  2. On the workstations, set the IP addresses of servers and gateways to the real HW addresses [*]
  3. On the servers, set the IP addresses of known workstations to the real HW addresses [*]
  4. On the DHCP service, assign a special range of addresses to unknown hosts
  5. On the gateways, route no traffic from that range, but only redirect all HTTP traffic on the default route to a web server that has a "unregistered machine, blah blah..." page as its default virtual host.

[*] can easily be done with a script against the main config source - we use LDAP for DHCP config and my colleague did it with a simple shell script that parses ldapsearch(1) output, and doing this in a Windows/AD environment shouldn't be harder - IronPython? Powershell?

As I said, this is not rock-hard cryptographic security, but it fulfils two common security needs:

  1. Salespeople cannot just stick their laptops into the LAN when they come back, which is a god-send against trojans &c
  2. In the same vein, having workstations isolated from each other is golden - no mess of spontaneous CIFS shares, no virus spread...

Bernd Haug
  • 888
  • 5
  • 12
  • 1
    Sounds incredibly painful to administer. What happens when you need to quickly change out a router because of failure? 802.1X sounds a *lot* easier. – Evan Anderson Nov 06 '09 at 23:45
  • 1
    Sounds like there aren't that many devices on the network. Get 5-10k employees all with 1-3 devices in different buildings changing subnets at times throughout the day. Sales people also won't bring many trojans into your network with a proper 1x setup either, and you won't hinder their work by making them jump through hoops when they come back. You can stop workstations from talking to one another and stop CIFS shares with much less hassle. – sclarson Nov 07 '09 at 04:06
  • 802.1x works if you have admin access to switches; by far not always a given. The networking people are not always the same as the sysadmins. You also have to have a fully integrated Windows-only system if you don't want your end-users to have to play around with secrets &c manually... – Bernd Haug Nov 07 '09 at 10:24
  • If you have a disjointed IT staff to the point that your network team won't participate in network security projects to help out the end user device people there are probably more important problems to deal with. – sclarson Nov 09 '09 at 03:26
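Steps 1 to 3 of the static-ARP scheme above, as an added example that is not Bernd Haug's colleague's script: it builds the ARP table each role should pin, with the whole subnet black-holed to a locally administered MAC and only the peers a role legitimately talks to given their real hardware addresses. The inventory, addresses and MACs are constructed; in practice they would come from the DHCP config source (LDAP in the answer).

```python
import ipaddress

# Constructed inventory for a /24 office LAN; addresses and MACs are made up.
GATEWAYS = {"192.168.10.1": "00:1a:2b:3c:4d:01"}
SERVERS = {"192.168.10.10": "00:1a:2b:3c:4d:10", "192.168.10.11": "00:1a:2b:3c:4d:11"}
WORKSTATIONS = {"192.168.10.50": "00:1a:2b:3c:4d:50", "192.168.10.51": "00:1a:2b:3c:4d:51"}

# Step 1: a locally administered unicast MAC (bit 1 of the first octet set) that
# no NIC on the segment owns, so frames addressed to it are simply dropped.
BLACKHOLE_MAC = "02:00:de:ad:be:ef"

# Steps 2 and 3: the peers each role may reach with a real hardware address.
# Workstations get gateways and servers only, so they cannot talk to each other.
TRUSTED_BY_ROLE = {
    "workstation": {**GATEWAYS, **SERVERS},
    "server": {**GATEWAYS, **SERVERS, **WORKSTATIONS},
}

def arp_table(subnet, role, own_ip):
    """Return the {ip: mac} entries a host of `role` should pin statically."""
    net = ipaddress.ip_network(subnet)
    # Every other address in the subnet is black-holed first ...
    table = {str(ip): BLACKHOLE_MAC for ip in net.hosts() if str(ip) != own_ip}
    # ... then the trusted peers overwrite their entries with the real MAC.
    for ip, mac in TRUSTED_BY_ROLE[role].items():
        if ip != own_ip:
            table[ip] = mac
    return table

def reachable(table, peer_ip, peer_mac):
    """True if frames this host sends to peer_ip actually carry peer_mac."""
    return table.get(peer_ip) == peer_mac

def arp_commands(table):
    """Render the table as Linux/BSD 'arp -s' lines, in address order."""
    return [f"arp -s {ip} {mac}"
            for ip, mac in sorted(table.items(), key=lambda kv: ipaddress.ip_address(kv[0]))]
```

A laptop that plugs in and takes any address in the subnet, from the unknown-host DHCP range or by hand, is black-holed by every workstation and server alike, which is what gives the scheme its isolation.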
1

We've looked at all the approaches and basically have settled on the fact that a NAC/NAP solution in combination with a partitioned network is the only one that's going to be sufficient. The other solutions are fraught with issues:

  • DHCP w/ MAC reservations can be foiled by cloning the MAC and then ARP flooding the original off the network or simply unplugging it.
  • There's nothing stopping someone from grabbing a static IP, especially if they unplug something that requires a static IP (like a network printer).
  • Unused ports should be disabled by default, but in a larger environment, inevitably one will be left on accidentally. So access based on keeping ports disabled is bound to have a breach sooner or later.
K. Brian Kelley
  • 9,034
  • 32
  • 33
0

Seeing as you're looking at general approaches, if your network is high security you would control physical access to all the ports. This is the only guaranteed way to lock it down.

Of course this has lots of disadvantages when it comes to usability.

  • That doesn't really stop someone from unplugging a device (printer, desktop) and plugging in a personal laptop – Brett G Dec 02 '10 at 16:45
0

At the last company that I worked for, we partitioned the network into several VLANs, and used DHCP reservations to limit client connections. The DHCP range was limited to the number of clients on the VLAN, and the range needed to be expanded to add more clients.

Since the reservations tied the IP address to a MAC address, the old reservation needed to be deleted to add a different client. Somebody casually unplugging a network cable and plugging in a different pc wouldn't pick up an IP address.

I say casually because this doesn't account for MAC spoofing.

Joe Internet
  • 1,449
  • 8
  • 6