Solved

Setting up policy based networking on an NT domain

Posted on 2004-08-17
5
274 Views
Last Modified: 2010-04-11
I have been tasked with researching possible ways to set up a policy based network.  Our network is seeing more and more corporate visitors, and currently they are given an ethernet cable and off they go.  We are on an NT domain that is locked down quite tightly; however, we would like to take it a step further by limiting guest access to port 80 only (possibly 110, 25, etc.) no matter what physical port they are connected to.  Eventually, I would also like to be able to restrict network access even for authenticated users that do not have current virus DAT files.  However, that's down the pipe yet.

Thanks for the suggestions,

Mike
Question by:mgrass
5 Comments
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11826523
are you using a switch?  a firewall? what model?
0
 
LVL 15

Accepted Solution

by:
adamdrayer earned 500 total points
ID: 11826529
0
 
LVL 1

Author Comment

by:mgrass
ID: 11827183
I'm running three Dell PowerConnect 3348s for switches and a Linux based firewall.  I have used ISA 2000 in the past but wasn't happy with it.  I've loaded up ISA 2004 from my MSDN subscription on an older workstation box to play with, but haven't had the time.  If I recall correctly, it was the proxy portion of ISA that bothered me the most.
0
 
LVL 1

Expert Comment

by:Jachin
ID: 11828584
I'm not sure what the 3348s can do, but one solution would be to place another firewall between all the client machines and your servers. This way you can only allow port 80 through and nothing else.

If you had Cisco switches you could also configure VLANs for your servers and then set up access lists on your router to only allow certain traffic between VLANs.

Perhaps it would be worth holding off a while until Cisco get their new products out. They are working towards Layer 2 authentication. So as soon as you plug a device into a port on a switch you need to provide some credentials before you even get a physical link. Then you can have the device moved into a separate VLAN if the antivirus isn't up to date.

Cisco call it self-defending networks. http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_package.html
0
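The "firewall between the guests and everything else" approach above, on the asker's Linux-based firewall, comes down to a small forwarding ruleset: traffic arriving from the guest VLAN is handed to its own chain, which allows only the listed TCP ports (80 by default, 110 and 25 optionally) plus DNS, logs everything else, and drops it. The script below is an added example and not from anyone in this thread; it only prints an iptables-restore ruleset so it can be reviewed before being applied. The interface name eth1.50, the guest subnet 192.168.50.0/24, the internal range 10.0.0.0/8 and the resolver address 192.0.2.53 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# confines a guest VLAN to a short list of outbound TCP ports.
#
# Usage:  guest_ruleset [iface] [guest_subnet] ["port port ..."] [resolver]
# Apply:  guest_ruleset eth1.50 192.168.50.0/24 "80 110 25" | iptables-restore
# All default values below are hypothetical placeholders, not the asker's network.

emit() { printf '%s\n' "$*"; }

guest_ruleset() {
  iface="${1:-eth1.50}"              # VLAN sub-interface the guests sit on (assumed name)
  subnet="${2:-192.168.50.0/24}"     # guest address range (constructed)
  ports="${3:-80}"                   # space-separated TCP ports guests may open
  resolver="${4:-192.0.2.53}"        # external DNS server guests may query (constructed)
  internal="10.0.0.0/8"              # corporate range guests must never reach (constructed)

  emit "*filter"
  emit ":FORWARD DROP [0:0]"         # default: nothing is forwarded unless a rule allows it
  emit ":GUEST - [0:0]"
  # Replies for sessions that were already allowed, in either direction
  emit "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Everything new that comes in from the guest VLAN is judged by the GUEST chain
  emit "-A FORWARD -i $iface -s $subnet -j GUEST"
  # Guests stay off the internal network, whatever the port
  emit "-A GUEST -d $internal -j DROP"
  # Name resolution is needed for port 80 to be of any use
  emit "-A GUEST -p udp --dport 53 -d $resolver -j ACCEPT"
  # One ACCEPT per allowed TCP port; only new connections, replies are handled above
  for p in $ports; do
    emit "-A GUEST -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Log, then drop, anything a guest tries that is not on the list
  emit "-A GUEST -j LOG --log-prefix \"guest-denied: \""
  emit "-A GUEST -j DROP"
  emit "COMMIT"
}

# Self-check helper: number of ACCEPT rules in the generated ruleset
# (one for established traffic, one for DNS, one per allowed port)
count_accepts() { guest_ruleset "$@" | grep -c -- '-j ACCEPT'; }

# Self-check helper: the rule that precedes COMMIT, which must be the final DROP
last_guest_rule() { guest_ruleset "$@" | tail -n 2 | head -n 1; }
```

The LOG rule is what makes the policy observable: denied guest connections show up in the kernel log with the "guest-denied:" prefix, which is the first place to look when a visitor reports that something does not work, and the first place to notice a guest probing ports that are not on the list.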
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11829194

The problem is that you would like to control access based on Windows user account.  I don't know if ISA can do this, but if it can, I bet it's the only solution.  After the DC authenticates your session, all internet traffic travels directly to your gateway/firewall.  This means that it doesn't really pass through any hardware that can test for credentials.  ISA Server, being a Microsoft product, has Active Directory integration and LDAP connectivity, so I assume you would be able to do it that way, but I'm not positive.

Any other solution would involve a physical or logical separation of computers from the rest of the domain.
0