Solved

Restrict Web access @ Switch? (3Com 4400's)

Posted on 2004-08-17
9
258 Views
Last Modified: 2010-04-11
Hello

  Is there a way that I can restrict (at the physical port) access to the internet on 3Com 4400 switches?

  For instance, physical network has about 100 ethernet ports available, with only about half of them actually connected to anything. I have been able to restrict web access at the router for a group of machines that have no legitimate need to surf the web. (Those machines are setup with static IP's; most of the rest of the network which is DHCP.) However, if someone brings in a laptop from home, all they need to do is plug in to one of the existing ethernet jacks, and they will be given an IP address from the DHCP server, and then they are free to do as they please.

  I know I can disable the unused ports all together, but can I in some way just restrict outgoing http:80 traffic?
0
Comment
Question by:TunaMaxx
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 6

Expert Comment

by:microbolt
ID: 11826406
How do you users currently get internet access?  ISA Server?   Nat Router?  If its a router then what type of router do you have.
0
 

Author Comment

by:TunaMaxx
ID: 11826439
Nat via Cisco 806.

Most of the group of static IP's are deny'd by an access-list, but the DHCP addresses are not.
0
 
LVL 6

Expert Comment

by:microbolt
ID: 11826456
On your access list you can add the IP address that you wish to have access to the internet instead of adding all of the ones you dont want to have internet.  This way if you have a new machine on the network it won't have internet access unless you explictly allow it.  If you need help with access lists if you post your config I can give you some examples.
0
 
LVL 8

Expert Comment

by:cooljai1
ID: 11826785
What about restricting the DHCP range available to the actual number of clients attached ? ie, if you connect only 50 legitimate systems, set the DHCP range so that only 50 IPs are available and if someone connects a laptop, the DHCP would not assign Ip addresses. Also you can try locking the IP using MAC address so that any foregin machine would be denied IP
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 6

Expert Comment

by:microbolt
ID: 11826922
cooljai1,

That would be a nightmare to adminsitrate.  Say someone turned off thier PC for 2 weeks because they were on vacation.  While that person was gone thier lease expired on thier IP.  Then Joe Blow with their laptop comes in and gets the IP that just expired.  When the other guy comes back from vacation then he can no longer access the network.

Also just limiting DHCP address would still not solve the issue even if implemted because Joe Blow could still statically assign his machine with an IP and access then internet.

Microbolt
0
 

Author Comment

by:TunaMaxx
ID: 11826967
Thanks for the comments, but is there no way (short of disabling the unused ports completely) to restrict access via the switch's configuration?

One of the main selling features of this hardware was the 'port by port control' and 'advanced configuration' available. (Those are the sales person's words, not 3Com's.) When we bought the hardware, I knew considerably less than what I do now (which isn't saying much!) but it seemed like this was an easy thing to do? Maybe not...
0
 
LVL 8

Expert Comment

by:cooljai1
ID: 11828975

What about using the MAC address way and denying all the IPs except the DHCP ones on the firewall?
0
 

Accepted Solution

by:
ke4sfq earned 250 total points
ID: 11864941
The 3com 4400 is a very nice layer 4 switch.  Therefore you can implement layer 4 rules such as blocking port 80 for a particular access list.  It can also do port learning and learn the mac addresses you have online now and you could block all unknown mac addresses in the future and add new machines you buy.  I use them for automatic VoIP prioritization of voice protocols and do not know how to specifically do the port blocking you require.  But in my experience, 3com has some very experienced support staff and your sales person should be able to connect you to your district representative for 3com who should be able to answer your question or find someone who can at 3com without charging.  if you call 3com support, you have to have a support agreement but if you go through your local sales staff, they will usually help you out to get more sales later.  
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now