Solved

Laptops LAN security...

Posted on 2004-08-06
Last Modified: 2010-04-11
I have a few ideas of my own, but I want to ask anyways...
I have an environment with quite a few laptops that come and go. I am sure you all know the implications of that on the LAN. Currently I have managed anti-virus and Ecora patch manager watching over them as they come and go. Some of the users are wise and can turn on and off XP's built-in firewall, but not all of them. All my servers are buttoned up nice, so they shouldn't get infected if one of the laptops does. Is there anything else I can do? Any ideas? Should I VLAN the laptops perhaps?

Thanks in advance!
Question by:cbtech
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
I'd set up a separate LAN segment, protected by a firewall from your other LAN, then your "come and go" laptops can infect themselves only (-: if your firewall is set up properly ;-)
LVL 38

Expert Comment

by:Rich Rumble
A DMZ as described above is very good- Users should be segmented from the rest of your LAN... if a separate firewall isn't possible, you could try an ACL on your routers or firewalls to keep the users' LANs off of the production servers. A VLAN could do this, if you are able to configure your switch trunks to disallow the user VLAN to the production switch(es).

Laptop users don't necessarily get infected because their firewall wasn't running, as we've recently discovered... they will execute Zip file attachments also (mydoom.m)- the files look like they came from someone they knew... and boom, they bring that crap to work with them, or they VPN in, and it gets in through there. All you can really do is keep up on patches, schedule daily AV updates and scans, and try to teach them what is good and what is bad about attachments.

We also use Snort IDS to find other undesirable activities on the LAN... lots of work, but very nice.
-rich
LVL 51

Expert Comment

by:ahoffmann
> .. IDS .. lots of work, but very nice.
.. to know when something *had* happened ;-)
LVL 79

Expert Comment

by:lrmoore
Should I VLAN the laptops?
Absolutely! Also check out Microsoft's Quarantine server (Windows 2003)

Expert Comment

by:TheBlackFire
You should surely put the laptops in a DMZ, behind a firewall and an IDS (go for Snort). Also be sure to have any laptop originating offending traffic dropped from the net!

AND enforce a strong policy about WLAN: there are so many wireless NICs nowadays..

If you REALLY have to enhance security, here is a nice trick I once used in a high-security environment: use VNC (or Terminal Services or whatever you like the most): sort of a "human handled" bridged network... it may sound silly, but it just works.
LVL 7

Expert Comment

by:scdavis
If one of your "come and go" laptops does get infected -- chances are it's going to start spewing a lot of SMTP traffic.

If you're not up to customizing a full-on Snort installation, ensure that laptops in the "DMZ" are not allowed to send unrestricted SMTP..

I hate CA, but their eTrust IDS product is easily usable for most "windows" admins..  if you're like me -- can throw FBSD boxes around enough to do DNS/qmail/apache -- but would find Snort more than just a little bit "challenging.."  it's a simple, relatively cheap product that'll give you some insight into what traffic is flying across that ethereal network..


Personally, I think all desktops, all client workstations, should be considered "suspect".  The DMZ sounds nice -- but I question if it is (A) practical and/or (B) realistic..

Any DMZ populated with MS clients is going to need so many holes punched open that I really question the value of implementing such a scheme.  It sounds nice - and the VP of IT might get some wood on when you pitch the idea to him, but really..?  Your Win-Servers are so much better patched than your desktops?  This I really doubt.


No offense -- I know from my days of maintaining nearly 50 Win servers (for ~800 client machines) that a portion of the servers get patched last..  (no, no..  we can't take the "XYZ" system down today..  it's "ABC123" excuse..)


-- Scott.


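Scott's point that an infected laptop will most likely show itself by spewing SMTP, and that the laptop segment should not be allowed unrestricted port 25, can be turned into a simple detection over connection logs. The script below is an added example, not code from this thread or from any product named in it; the log line format, the 10.10.20.0/24 laptop segment, the 10.10.1.5 relay address and the sample lines are all constructed for the example. It counts direct outbound TCP/25 connections per laptop-segment host that bypass the sanctioned relay and flags hosts exceeding a threshold inside a sliding time window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed connection-log sample (not from the thread). One line per new
# connection: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
# Public addresses are taken from the documentation ranges (TEST-NET-1/2/3).
SAMPLE_LOG = """\
2004-08-06T09:00:01 10.10.20.15:3345 -> 192.0.2.10:25 tcp
2004-08-06T09:00:03 10.10.20.15:3346 -> 192.0.2.11:25 tcp
2004-08-06T09:00:05 10.10.20.22:1100 -> 10.10.1.5:25 tcp
2004-08-06T09:00:07 10.10.20.15:3347 -> 198.51.100.3:25 tcp
2004-08-06T09:00:09 10.10.20.15:3348 -> 198.51.100.4:25 tcp
2004-08-06T09:00:12 10.10.20.22:1101 -> 192.0.2.10:80 tcp
2004-08-06T09:00:15 10.10.20.15:3349 -> 203.0.113.2:25 tcp
2004-08-06T09:00:20 10.10.20.15:3350 -> 203.0.113.3:25 tcp
2004-08-06T09:00:25 10.10.1.5:4000 -> 192.0.2.10:25 tcp
2004-08-06T09:00:30 10.10.20.15:3351 -> 203.0.113.8:25 tcp
2004-08-06T09:00:33 10.10.20.22:1102 -> 203.0.113.9:25 tcp
2004-08-06T09:00:40 10.10.20.15:3352 -> 203.0.113.10:25 tcp
"""

LAPTOP_SEGMENT = ipaddress.ip_network("10.10.20.0/24")  # assumed laptop VLAN / "DMZ"
MAIL_RELAY = ipaddress.ip_address("10.10.1.5")         # assumed sanctioned internal relay


def parse_line(line):
    """Split one log line into its fields; the timestamp becomes a datetime."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "proto": proto}


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_smtp_spray(log_text, window_seconds=60, threshold=5):
    """Laptop-segment hosts that opened more than `threshold` direct outbound
    TCP/25 connections (bypassing the relay) within any window_seconds span.
    Returns {src_ip: peak count in a window}."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in LAPTOP_SEGMENT:
            continue                       # servers are policed separately
        if rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["dst"] == MAIL_RELAY:
            continue                       # mail via the relay is the sanctioned path
        attempts[str(rec["src"])].append(rec["ts"])
    flagged = {}
    for src, stamps in attempts.items():
        peak = max_in_window(stamps, window_seconds)
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, count in find_smtp_spray(SAMPLE_LOG).items():
        print(f"{host}: {count} direct outbound SMTP connections within 60s")
```

The relay exemption is what keeps legitimate mail out of the alert: once the firewall only permits port 25 from the laptop segment to the relay, any direct connection that still appears in the log is itself the finding, and the threshold only serves to separate a single misfire from a worm mailing out its address book.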
LVL 51

Expert Comment

by:ahoffmann
scdavis, probably I misunderstood your comment
but the previous suggestions have been a unique DMZ just for the "come and go" ones
And again, IDS do not help in this problem, IPS might but ...
LVL 7

Accepted Solution

by:scdavis (earned 125 total points)
My apologies, ahoffmann.

Let me see if I can make a little more sense.  *grin*

First, to be clear - I am questioning the validity of isolating laptops in a DMZ.

I assume -- since cbtech claims that the Ecora product, etc.. are utilized -- that these "in and out" laptops do not migrate on an hourly or daily basis..  but perhaps quarterly.  These laptops (I assume!) would be included in a Windows Active Directory domain..  if my assumption is correct, the number of holes that have to be "punched" back to the "internal" network is ..  well, silly.

If my assumptions are incorrect -- then I would agree that putting the "rogue" laptops in an isolated environment is a good thing to do.  Give 'em their 25, 53, 80, 110 and 443 to the outside world -- and a printer or two in the DMZ -- and totally isolate 'em.  


Second,

I think that layering (including post-event reporting), while not a preventative tool, I acknowledge..  is still a valid endeavour.  

I've met many a "windows admin" that isn't aware of the tools (like CA's eTrust IDS)..  that can be deployed easily.  Sure, CA's tool is nowhere as flexible or robust as Snort, but it's good (I think) to make more of the "windows admins" aware of what's going across their ethereal network.

See?  It's an educational tool.  Not a great IDS tool..  but a step in the right direction..



I hope I have explained myself a little better.  I hope cbtech can comment on the validity of my assumption(s)...


Happy Sunday.

-- Scott.

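Rich Rumble's suggestion of an ACL that keeps the user LAN off the production servers, and Scott's "give 'em their 25, 53, 80, 110 and 443 to the outside world and a printer or two in the DMZ", together describe a first-match rule list. The script below is an added example, not code from this thread or from any router or firewall product; the addresses (10.10.20.0/24 laptop VLAN, 10.0.0.0/8 internal, 10.10.30.10 DMZ printer) and the rule representation are constructed assumptions. It evaluates flows against the list and re-checks the stated intent after every change, because the one mistake that matters here is ordering: a permit to "anywhere" placed above the internal deny silently reopens the path back to production.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (an assumption for this example, not from the thread)
LAPTOP_VLAN = "10.10.20.0/24"   # the "come and go" laptop segment
INTERNAL    = "10.0.0.0/8"      # everything internal, production servers included
DMZ_PRINTER = "10.10.30.10/32"  # the "printer or two in the DMZ"
ANY         = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# First-match list modelling the thread's advice: the DMZ printer is allowed,
# everything else internal is denied, then the listed ports to the outside
# world; anything unmatched falls through to the implicit deny.
LAPTOP_ACL: List[Rule] = [
    Rule("permit", LAPTOP_VLAN, DMZ_PRINTER, "tcp", 9100),
    Rule("deny",   LAPTOP_VLAN, INTERNAL,    "any", None),
    Rule("permit", LAPTOP_VLAN, ANY, "tcp", 25),
    Rule("permit", LAPTOP_VLAN, ANY, "udp", 53),
    Rule("permit", LAPTOP_VLAN, ANY, "tcp", 80),
    Rule("permit", LAPTOP_VLAN, ANY, "tcp", 110),
    Rule("permit", LAPTOP_VLAN, ANY, "tcp", 443),
]


def evaluate(acl, src_ip, dst_ip, proto, dport) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); no match means implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return "deny", None


# (flow, expected action): the policy intent written down so it can be
# re-verified every time the rule list is edited.
INTENT = [
    (("10.10.20.15", "10.10.1.5",   "tcp", 445),  "deny"),    # laptop -> production file share
    (("10.10.20.15", "10.10.1.5",   "tcp", 25),   "deny"),    # laptop -> internal mail server
    (("10.10.20.15", "10.10.30.10", "tcp", 9100), "permit"),  # laptop -> DMZ printer
    (("10.10.20.15", "203.0.113.7", "tcp", 443),  "permit"),  # laptop -> outside HTTPS
    (("10.10.20.15", "203.0.113.7", "udp", 53),   "permit"),  # laptop -> outside DNS
    (("10.10.20.15", "203.0.113.7", "tcp", 3389), "deny"),    # not on the list: implicit deny
    (("10.10.1.5",   "10.10.20.15", "tcp", 445),  "deny"),    # nothing permits server -> laptop
]


def check_policy(acl, intent):
    """Return the flows whose result differs from the intent (empty list = policy holds)."""
    failures = []
    for flow, expected in intent:
        got, _ = evaluate(acl, *flow)
        if got != expected:
            failures.append((flow, expected, got))
    return failures


# The same rules with the outbound SMTP permit moved above the internal deny:
# the laptop VLAN can now reach the internal mail server on port 25.
MISORDERED_ACL = [LAPTOP_ACL[2], LAPTOP_ACL[0], LAPTOP_ACL[1]] + LAPTOP_ACL[3:]

if __name__ == "__main__":
    print("intended order, failures:", check_policy(LAPTOP_ACL, INTENT))
    print("misordered, failures:", check_policy(MISORDERED_ACL, INTENT))
```

Keeping the intent table next to the rule list is the practical habit this demonstrates: the "holes punched back to the internal network" that Scott warns about accumulate one at a time, and a re-run of the check after each one shows immediately whether a new permit has landed above the deny that was supposed to cover it.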

Author Comment

by:cbtech
scdavis,

   Your comments are very valid. Putting laptops on the DMZ is a good idea if they move every day. It's a bit of a pain since they are in the AD domain. So I might have to punch so many holes it's not even worth it. I only have a few servers, so I keep them pretty tight with updates. I might just try to VLAN them and see what happens and continue with the Ecora / eTrust management, and educate users as well on the values of safe computing. Any more comments are welcome.

LVL 7

Expert Comment

by:scdavis
cbtech,

First:  To the IP oriented "DMZ-YAH" network (CCNA) wonks:  I say - learn to deal with L3 and above before you jump to conclusions.  IP based networking, regardless of APP requirements is just stupid..     (HAH, I think that'll gen some comments..)


CBTech:

VLAN?  I don't understand what you think that'll do for ya.  I suggest it'll do nothing.

Ecora is an *AWESOME* change management suite of tools.  I have not used their patch management product..  but I doubt it's a magic wand that'll let you sit back and do "nothing"..

ETrust?  What app are you running?  It's a whole suite, ya know?  If you're using their anti-virus, I suggest you get rid of it asap.  My experiences with it -- although admittedly limited (20 pcs/2-3 servers, approx..)  have been all bad, generally..  

Norton is half-ass.  McAfee costs, but is better...



Focus on:

1)  MAKE SURE THEY'RE PATCHED.
2)  MAKE SURE A/V is UP TO DATE.
3)  MAKE SURE ALL DATA IS BACKED UP.


Give #3 first priority.  Test, re-test and ensure you can restore..  Firedrills -- meaning ..  that you ACTUALLY RESTORE from the tapes ..  is critical.


Enough ranting.  Hope that helps ya.

-- Scott..