Just curious: How do people "lock down" their network to prevent unauthorized devices from gaining network access?
Is it different in a DHCP vs. static IP network?
What about Windows AD managed?
Edit: I'm not trying to prevent anything per se. Just curious how a "secure" network should be implemented
Implement 802.1x authentication on your network, and/or disable all your unused switch ports.
DHCP, Static IPs, and AD have very little to do with your security from an outsider trying to gain access.
If you don't want to flat out disable the ports I'd suggest putting all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Then monitor that DHCP server for any leases and track down where people are randomly plugging in. If you really want you could setup a captive portal on that VLAN explaining why they aren't able to browse the internet.
Secure from what? Locked down to prevent what?
I'm not being pedantic by the way, these are just some of the questions you must answer before you can begin locking anything down. The security needed to keep my employer's data safe is different from that needed to keep a bank safe, or to protect sensitive data relating to military deployments, for example.
I can tell you that to prevent users casually connecting to a network whose security I care about to some degree I might implement 802.1x security, but depending on their answers to the questions above I might need to do a lot more than that. Or a bit less.
Windows Domain Isolation will isolate your windows nodes with IPSEC - preventing access to them from anyone connecting to the network that's not part of the domain.
By also requiring user/personal authentication or simply domain membership to get pass any firewalls - you've further restricted what a plugger-in can do.
There're bound to be vulnerable nodes though - like printers on the printer network, where physical security will still be important for preventing someone from just plugging in.
Simply segmenting the network as much as possible will also help making it more robust.
In combination with 802.1x though you'd get something fairly decent, though 802.1x is sadly not bullet-proof in its wired form.
As usual with security; depth and many layers is the way to go.
All the DHCP based, MAC based, and IP based access control solutions can be easily defeated by spoofing them, and hence are least effective.
Creating VLANs is cheap method to limit the network access. It has its own limitations and weaknesses.
802.1x authentication is a switch based port control method and will work for small organizations most of the time. It would however fail in cases where a person starts using say a printer switch port, which is generally left open.
In the last few years a new kind of appliances/devices/solutions have come to the market, which implement NAC (Network Access Control), and some of them do use 802.1x. These devices/solutions require a user to authenticate and also limits the access of the users to only resources that are required to do their daily job. A printer would not say get SSH access to a server. Therefore, printer's port is of less value to a user now.
AD management has very little to do with preventing network access. It controls who can log into resources, if they're managed by AD, but it won't stop a device from connecting to your network. Neither will using DHCP or static IPs, unless you're also doing filtering based on ethernet MAC addresses.
Can you explain more thoroughly the kind of access you're trying to prevent? This question is pretty broad in scope, and could take years to cover thoroughly. ;)
If 802.1x seems like overkill for your situation and you're looking more for a solution that inconveniences people enough so that they don't plug-in hardware all willy-nilly, I like what my colleague did, and which works like a charm. All you need is a network where all devices have static or statically assigned DHCP IP addresses, which may be a good idea anyway, e.g. for long-term consistency in logs.
[*] can easily be done with a script against the main config source - we use LDAP for DHCP config and my colleague did it with a simple shell script that parses ldapsearch(1) output, and doing this in a Windows/AD environment shouldn't be harder - IronPython? Powershell?
As I said, this is not rock-hard cryptographic security, but it fulfils two common security needs: 1. Salespeople cannot just stick their laptops into the LAN when they come back, which is a god-send against trojans &c 1. In the same vein, having workstations isolated from each other is golden - no mess of spontaneous CIFS shares, no virus spread...
We've looked at all the approaches and basically have settled on the fact that a NAC/NAP solution in combination with a partitioned network is the only one that's going to be sufficient. The other solutions are fraught with issues:
Seeing as your looking at general approaches, if your network is high security you would control physical access to all the ports. This is the only guaranteed way to lock it down.
Of course this has lots of disadvantages when it comes to usability.
At the last company that I worked for, we partitioned the network into several vlans, and used DHCP reservations to limit client connections. The DHCP range was limited to the number of clients on the vlan, and the range needed to be expanded to add more clients.
Since the reservations tied the IP address to a MAC address, the old reservation needed to be deleted to add a different client. Somebody casually unplugging a network cable and plugging in a different pc wouldn't pick up an IP address.
I say casually because this doesn't account for MAC spoofing.
