• Status: Solved
Restricting LAN Access to Non-Domain Specific Clients

I have a LAN environment where outsiders may come in and want to use our network for internet. Since their machine is not in the domain, I want to be able to differentiate between company machines, which I want to have full access, and a foreign machine that I would restrict to port 80 only. Are there any software recommendations out there, or places someone can point me to, so I can acquire the knowledge for this project? I thought about a second WIC card or a VLAN, but I want the person to be able to get access from anywhere in my building, which may be an empty office. Thanks in advance.

Asked by csjackson
2 Solutions
 
Zoidling commented:
How 'bout giving your guests wireless-only access?  This makes it easy to segregate them from your private network.  Assuming your router has the capability, set up a DMZ and put the wireless access point in the DMZ.  You then have control over LAN-DMZ and DMZ-internet traffic if you want to lock down everything from DMZ to internet except for port 80.  Set up the WAP to not broadcast the SSID and put together a FAQ for your guests on how to connect to your WLAN.
roadhog_NZ commented:
Do you have packet filtering available on your router?
How are the clients' IPs assigned?

csjackson (Author) commented:
I know that I can do it in a wireless environment by putting the WAP on the DMZ and restricting access, but I want to be able to keep people from ignoring a policy and sitting down someplace and plugging the Cat 5 in. A policy is only good if it is enforceable, and I don't have that yet. I want to have an environment that sees the machine is not a company PC and denies access immediately, except to port 80, if it is not on a valid list.

roadhog_NZ commented:
Hence assigning all IPs in your environment, with only a blocked range available for DHCP; of course that's not practical in a large environment.

Naser Gabaj commented:
I believe this is difficult to do since they are not in the domain, so you can choose the users to restrict from doing so.

I suggest installing one of those network traffic analysis software packages on a small PC and making it a gateway (same principle as NAT), and putting it in front of the router in order to make all traffic pass through it and to monitor their movements; then face those you suspect with the reports given by the monitoring software.

Please find below a post about monitoring users in the network:
http://www.experts-exchange.com/Networking/Q_21423178.html

I hope this helps you.

Regards

Naser

Naser Gabaj commented:
Sorry, I would add to that: if your concern is about your local network resources, you can activate auditing of your critical shared resources from the domain controller.

csjackson (Author) commented:
The real issue is not to give reports or point a finger at the offending suspect, but to not allow the machine to get on in the first place.

Naser Gabaj commented:
Sorry, I didn't get your point. Do you mean you want to prevent them instead of monitoring them? If yes, I would say it's beyond my abilities; as far as I know, non-domain users are considered under the Everyone group without any more details.

I believe this link can give you more details, have a look and let me know:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/d06a5070-2a7b-4e75-b7e9-ebe51f65e34b.mspx
Zoidling commented:
I think roadhog_NZ had the right idea with segregation by IP address.

If your environment is small enough, you can set up each domain member machine with a DHCP reservation that gives them an IP/subnet mask/gateway that provides full access to your domain resources.  If a machine plugging into the LAN doesn't have a reservation, it gets an IP from a different IP space with a different subnet mask & gateway (which ideally would be a proxy server, giving you stats and control over what is being accessed using your bandwidth).

If you're running Windows DHCP, reserved clients can have DHCP options such as IP address, subnet mask, gateway & DNS servers configured specifically for their use. Reserved client option values override any option parameters distributed via server-based, scope-based, or class-based options assignment.

This TechNet article is good background for Windows DHCP: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3967ddab-0b28-4959-8b4d-3052c178731b.mspx

Once you've got the IP address separation going you can design your network or use other tools to lock down access for non-domain machines.
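The reservation-based split described in the answer above, written out as an added example that is not part of the original thread: the answer refers to Windows Server 2003 DHCP, while this script assumes the DhcpServer PowerShell module (Windows Server 2012 or later), and every address, hostname and MAC in it is constructed.

```powershell
# Added example (not from the original thread): Windows DHCP reservations give
# domain machines a full-access gateway and internal DNS, while any client
# WITHOUT a reservation inherits the scope defaults and is steered to a
# filtering proxy. Requires the DhcpServer module; run on the DHCP server.
# All addresses and MACs below are constructed sample values.

$ScopeId      = '10.0.0.0'
$SubnetMask   = '255.255.255.0'
$FullGateway  = '10.0.0.1'      # router with unrestricted LAN/internet access
$ProxyGateway = '10.0.0.254'    # proxy/filter host that only forwards TCP 80
$DomainDns    = '10.0.0.10'     # internal (AD-integrated) DNS server

# 1. Scope defaults apply to unknown machines: they get a pool address and the
#    restricted gateway/DNS, which is the "port 80 only" path.
Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange '10.0.0.100' `
    -EndRange '10.0.0.200' -SubnetMask $SubnetMask -State Active
Set-DhcpServerv4OptionValue -ScopeId $ScopeId `
    -Router $ProxyGateway -DnsServer $ProxyGateway

# 2. Constructed inventory of domain members, keyed on MAC address.
$DomainHosts = @(
    @{ Name = 'WS-ACCT-01'; Mac = '00-11-22-33-44-01'; Ip = '10.0.0.101' },
    @{ Name = 'WS-ACCT-02'; Mac = '00-11-22-33-44-02'; Ip = '10.0.0.102' }
)

foreach ($h in $DomainHosts) {
    # The reservation pins this MAC to a fixed address inside the scope...
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $h.Ip `
        -ClientId $h.Mac -Name $h.Name -Description 'Domain member - full access'
    # ...and reservation-level options override the scope-level ones for it,
    # which is the override behaviour the answer describes.
    Set-DhcpServerv4OptionValue -ReservedIP $h.Ip `
        -Router $FullGateway -DnsServer $DomainDns
}

# 3. Check the result: each reservation carries its own router/DNS values,
#    and the scope-level values are what every other client will receive.
Get-DhcpServerv4Reservation -ScopeId $ScopeId |
    ForEach-Object { Get-DhcpServerv4OptionValue -ReservedIP $_.IPAddress }
Get-DhcpServerv4OptionValue -ScopeId $ScopeId
```

Reservations match on the client's MAC address, so this separates devices administratively but does not authenticate them, and a host that configures a static address in the full-access range is not covered by it. As the answer notes, treat the DHCP split as the first step and enforce it with other tools, such as ACLs on the proxy and at the switch ports.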