Solved

Laptops LAN security...

Posted on 2004-08-06
Last Modified: 2010-04-11
I have a few ideas of my own, but I want to ask anyways...
I have an environment with quite a few laptops that come and go. I am sure you all know the implications of that on the LAN. Currently I have managed anti-virus and Ecora patch manager watching over them as they come and go. Some of the users are wise and can turn on and off XP's built-in firewall, but not all of them. All my servers are buttoned up nice, so they shouldn't get infected if one of the laptops does. Is there anything else I can do? Any ideas? Should I VLAN the laptops perhaps?

Thanks in advance!
Question by:cbtech
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11739577
I'd set up a separate LAN segment, protected by a firewall from your other LAN, then your "come and go" laptops can infect themselves only (-: if your firewall is set up properly ;-)
LVL 38

Expert Comment

by:Rich Rumble
ID: 11741374
A DMZ as described above is very good- Users should be segmented from the rest of your LAN... if a separate firewall isn't possible, you could try an ACL on your routers or firewalls to keep the users' LANs off of the production servers. A VLAN could do this, if you are able to configure your switch trunks to disallow the user VLAN to the production switch(es)

Laptop users don't necessarily get infected because their firewall wasn't running, as we've recently discovered... they will execute Zip file attachments also (mydoom.m)- the files look like they came from someone they knew... and boom, they bring that crap to work with them, or they VPN in, and it gets in through there. All you can really do, is keep up on patches, schedule daily AV updates and scans, and try to teach them what is good and what is bad about attachments.

We also use Snort IDS to find other undesirable activities on the LAN... lots of work, but very nice.
-rich
LVL 51

Expert Comment

by:ahoffmann
ID: 11741984
> .. IDS .. lots of work, but very nice.
.. to know when something *had* happened ;-)
LVL 79

Expert Comment

by:lrmoore
ID: 11742352
Should I VLAN the laptops?
Absolutely! Also check out Microsoft's Quarantine server (Windows 2003)

Expert Comment

by:TheBlackFire
ID: 11743424
You should surely put the laptops in a DMZ, behind a firewall and an IDS (go for snort). Also be sure to have the laptop originating offending traffic be dropped from the net!

AND enforce a strong policy about WLAN: there are so many wireless NICs nowadays..

If you REALLY have to enhance security, here is a nice trick I once used in a highly secure environment: use VNC (or terminal services or whatever you like the most): sort of a "human handled" bridged network... it may sound silly, but it just works.
LVL 7

Expert Comment

by:scdavis
ID: 11746105
If one of your "come and go" laptops does get infected -- chances are it's going to start spewing a lot of SMTP traffic.

If you're not up to customizing a full-on Snort installation, ensure that laptops in the "DMZ" are not allowed to send unrestricted SMTP..

I hate CA, but their eTrust IDS product is easily useable for most "windows" admins..  if you're like me -- can throw FBSD boxes around enough to do DNS/qmail/apache -- but would find Snort more than just a little bit "challenging.."  it's a simple, relatively cheap product that'll give you some insight into what traffic is flying across that etherial network..


Personally, I think all desktops, all client workstations should be considered "suspect".  The DMZ sounds nice -- but I question if it is (A) practical and/or (B) realistic..

Any DMZ populated with MS clients is going to need so many holes punched open that I really question the value of implementing such a scheme.  It sounds nice - and the VP of IT might get some wood on when you pitch the idea to him, but really..?  Your Win-Servers are so much better patched than your desktops?  This I really doubt.


No offense -- I know from my days of maintaining nearly 50 Win servers (for ~800 client machines) that a portion of the servers get patched last..  (no, no..  we can't take the "XYZ" system down today..  it's "ABC123" excuse..)


-- Scott.


LVL 51

Expert Comment

by:ahoffmann
ID: 11746211
scdavis, probably I misunderstood your comment,
but the previous suggestions have been a unique DMZ just for the "come and go" ones.
And again, IDS do not help in this problem, IPS might but ...
LVL 7

Accepted Solution

by:
scdavis earned 125 total points
ID: 11746277
My apologies, ahoffmann.

Let me see if I can make a little more sense.  *grin*

First, to be clear - I am questioning the validity of isolating laptops in a DMZ.

I assume -- since cbtech claims that the Ecora product, etc.. are utilized -- that these "in and out" laptops do not migrate on an hourly or daily basis..   but perhaps quarterly.  These laptops (I assume!) would be included in a Windows Active-Directory domain..   if my assumption is correct, the number of holes that has to be "punched" back to the "internal" network is ..  well, silly.

If my assumptions are incorrect -- then I would agree that putting the "rogue" laptops in an isolated environment is a good thing to do.  Give 'em their 25, 53, 80, 110 and 443 to the outside world -- and a printer or two in the DMZ -- and totally isolate 'em.  


Second,

I think that layering (including post-event reporting), while not a preventative tool, I acknowledge..  is still a valid endeavour.  

I've met many a "windows admin" that isn't aware of the tools (like CA's eTrust IDS)..  that can be deployed easily.  Sure, CA's tool is nowhere as flexible or robust as Snort, but it's good (I think) to make more of the "windows admins" aware of what's going across their etherial network.  

See?  It's an educational tool.  Not a great IDS tool..  but a step in the right direction..



I hope I have explained myself a little better.  I hope cbtech can comment on the validity of my assumption(s)...


Happy Sunday.

-- Scott.
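
An added example, not part of the original thread or any poster's code: a small Python audit of firewall flow records for the isolated laptop segment described in the answer above (only ports 25, 53, 80, 110 and 443 to the outside, nothing to the internal LAN), which also flags the burst of SMTP traffic from an infected laptop that scdavis mentions in his earlier comment. The subnets, the record format, the fan-out threshold and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All values below are assumptions for illustration, not from the thread.
LAPTOP_NET = ipaddress.ip_network("10.20.0.0/24")   # isolated laptop segment
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # production LAN
ALLOWED_OUT = {25, 53, 80, 110, 443}                # ports named in the answer
SMTP_FANOUT_LIMIT = 3   # distinct SMTP peers before a laptop is flagged

# Constructed firewall flow records: "source destination dest_port"
SAMPLE_FLOWS = """\
10.20.0.11 198.51.100.7 443
10.20.0.11 10.20.0.250 9100
10.20.0.12 10.1.1.5 445
10.20.0.13 203.0.113.9 6667
10.20.0.14 192.0.2.1 25
10.20.0.14 192.0.2.2 25
10.20.0.14 192.0.2.3 25
10.20.0.14 192.0.2.4 25
10.20.0.15 192.0.2.1 25
"""

def audit(flow_text):
    """Return sorted (laptop, finding) pairs for flows leaving the laptop segment."""
    findings = set()
    smtp_peers = defaultdict(set)
    for line in flow_text.splitlines():
        try:
            src_s, dst_s, port_s = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue                      # skip malformed records
        if src not in LAPTOP_NET or dst in LAPTOP_NET:
            continue                      # not a laptop, or stays inside the segment
        if dst in INTERNAL_NET:
            findings.add((src_s, "reaches-internal-lan"))   # isolation is broken
        elif port not in ALLOWED_OUT:
            findings.add((src_s, "port-not-allowed"))
        elif port == 25:
            smtp_peers[src_s].add(dst_s)  # allowed, but count distinct mail peers
    for src_s, peers in smtp_peers.items():
        if len(peers) > SMTP_FANOUT_LIMIT:
            findings.add((src_s, "smtp-fanout"))
    return sorted(findings)

if __name__ == "__main__":
    for laptop, finding in audit(SAMPLE_FLOWS):
        print(laptop, finding)
```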


Author Comment

by:cbtech
ID: 11752121
scdavis,

   Your comments are very valid. Putting laptops on the DMZ is a good idea if they move every day. It's a bit of a pain since they are in the AD domain. So I might have to punch so many holes it's not even worth it. I only have a few servers, so I keep them pretty tight with updates. I might just try to VLAN them and see what happens and continue with the Ecora / eTrust management, and educate users as well on the values of safe computing. Any more comments are welcome.

LVL 7

Expert Comment

by:scdavis
ID: 11798717
cbtech,

First:  To the IP oriented "DMZ-YAH" network (CCNA) wonks:  I say - learn to deal with L3 and above before you jump to conclusions.  IP based networking, regardless of APP requirements is just stupid..     (HAH, I think that'll gen some comments..)


CBTech:

VLAN?  I don't understand what you think that'll do for ya.  I suggest it'll do nothing.

Ecora is an *AWESOME* change management suite of tools.  I have not used their patch management product..  but I doubt it's a magic wand that'll let you sit back and do "nothing"..

ETrust?  What app are you running?  It's a whole suite, ya know?  If you're using their anti-virus, I suggest you get rid of it asap.  My experiences with it -- although admittedly limited (20 pcs/2-3 servers, approx..)  have been all bad, generally..  

Norton is half-ass.  McAfee costs, but is better...



Focus on:

1)  MAKE SURE THEY'RE PATCHED.
2)  MAKE SURE A/V is UP TO DATE.
3)  MAKE SURE ALL DATA IS BACKED UP.


Give #3 first priority.  Test, re-test and ensure you can restore..  Firedrills -- meaning ..  that you ACTUALLY RESTORE from the tapes ..  is critical.


Enough ranting.  Hope that helps ya.

-- Scott..