
Solved

Preventing Static IP's

Posted on 2009-02-18
25
Medium Priority
888 Views
Last Modified: 2013-12-04
I need to find a way to prevent laptops that are using our wireless network from assigning themselves a static IP.

Let me give you a little background on our network:

- We are a high school
- We are using multiple 3Com 4500G Switches
- Our wireless network is a 3Com Managed WX2200 w/ around 45 AP's
- School-owned computers have static IPs; student laptops have reserved DHCP
- We have a NAC that sits in front of our DHCP server to enforce policies before a laptop or outside computer can gain access to the network.
- We are using a 10.x.x.x Class A IP scheme. No VLANs or routers.

What we are finding is that students are becoming wise enough to figure out how to get around the NAC enforced policies by putting a static IP on their computer prior to making a wireless connection. Because the NAC sits in line with the DHCP server, if the NIC never requests a DHCP, it never gets challenged by the NAC.

I need to know if there is a way to keep users from being able to put a static IP on their computer and gain access to the network. Is there a way that I could use the switches, where I provide them a list of MAC addresses that should be requesting DHCP and, if they don't, block them?

Any and all solutions are welcomed :) Thanks in advance!
0
Comment
Question by:fgarufijr
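The gap described in the question (a host that never sends a DHCP request is never seen by an inline NAC) can at least be detected after the fact by comparing what is actually on the wire with what the DHCP server handed out. The following is an added example, not code from the thread or from any of the products mentioned: it diffs a constructed ARP table dump against a constructed DHCP lease list and reports hosts in the managed 10.0.0.0/8 space that hold an address without a matching lease. The line formats, the lease file layout and the `KNOWN_STATIC` allow-list for school-owned machines are all assumptions.

```python
"""Flag hosts that are on the network without a DHCP lease.

Added example (not from the thread). A static-IP host never talks to the
DHCP server, so a NAC that only sits on the DHCP path never examines it.
Diffing the ARP table (what is really on the wire) against the lease table
(what the NAC approved) exposes exactly those hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed DHCP lease records. Assumed format: "<ip> <mac> <hostname>".
DHCP_LEASES = """\
10.1.20.15 00:1e:c2:aa:bb:01 student-lt-01
10.1.20.16 00:1e:c2:aa:bb:02 student-lt-02
10.1.20.17 00:1e:c2:aa:bb:03 student-lt-03
"""

# Constructed ARP table dump. Assumed format: "<ip> <mac> <interface>".
ARP_TABLE = """\
10.1.20.15  00:1e:c2:aa:bb:01  wlan
10.1.20.16  00:1e:c2:aa:bb:02  wlan
10.1.20.30  00:1e:c2:aa:bb:03  wlan
10.240.5.1  00:1e:c2:aa:bb:99  wlan
10.80.246.4 00:1e:c2:aa:bb:98  wlan
10.0.0.5    00:0c:29:11:22:33  wlan
# lines that are not ip/mac pairs are ignored
"""

# Constructed allow-list: school-owned hosts with legitimate static addresses.
KNOWN_STATIC = {"00:0c:29:11:22:33"}

# Address space the NAC/DHCP server is supposed to manage (from the question).
MANAGED_NET = ipaddress.ip_network("10.0.0.0/8")

# "<ip> <mac> ..." with a colon-separated 6-octet MAC; case-insensitive.
LINE_RE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)", re.I)


def parse_pairs(text):
    """Return a list of (ip, mac) tuples from a whitespace-separated dump."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed addresses rather than crash
        pairs.append((ip, mac))
    return pairs


def find_unleased_hosts(arp_text, lease_text, known_static=KNOWN_STATIC):
    """Return (ip, mac, reason) for managed-range hosts with no matching lease.

    Two cases are reported: a MAC the DHCP server never leased to at all, and
    a MAC that holds a lease but is using a different address than it was given.
    """
    leases = defaultdict(set)
    for ip, mac in parse_pairs(lease_text):
        leases[mac].add(ip)

    findings = []
    for ip, mac in parse_pairs(arp_text):
        if mac in known_static or ipaddress.ip_address(ip) not in MANAGED_NET:
            continue
        if mac not in leases:
            findings.append((ip, mac, "no DHCP lease for this MAC"))
        elif ip not in leases[mac]:
            leased = ", ".join(sorted(leases[mac]))
            findings.append((ip, mac, f"leased {leased} but using {ip}"))
    return sorted(findings, key=lambda f: ipaddress.ip_address(f[0]))


if __name__ == "__main__":
    for ip, mac, reason in find_unleased_hosts(ARP_TABLE, DHCP_LEASES):
        print(f"{ip:<14} {mac}  {reason}")
```

On a real network the two inputs would be pulled from the DHCP server's lease database and from the switches' or wireless controller's ARP/MAC tables on a schedule; the check is detection only, so a hit still needs a separate quarantine action such as a per-MAC block on the controller.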
24 Comments
 
LVL 8

Expert Comment

by:ccpjc
ID: 23677392
Are the laptops personal or school-provided?

If school-provided, enforce the GPO and take away their ability to change the network settings.
0
 

Author Comment

by:fgarufijr
ID: 23677397
They are student owned. They are also in their own personal workgroups and not part of our domain
0
 
LVL 8

Expert Comment

by:ccpjc
ID: 23677432
I don't know what kind of firewall/router you're running, but this is how I would accomplish something like this.
Currently I'm running SonicWalls in my locations.

I would add an access rule so that any IPs in the range 10.x.x.x - 10.x.x.x (static) are denied access to everything; I would also give those computers that have legitimate static IPs the access they should be able to have.
0

 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23677434
I would create a VLAN for the wireless. Install a transparent proxy on that VLAN so that you can button down the access to everything; that should discourage their desire to modify their IP settings.
0
 

Author Comment

by:fgarufijr
ID: 23677471
I appreciate the two other solutions, but I don't think they will work too well, given our current environment.

I'm not really worried about them having internet access. What I am worried about is all the P2P they are doing at home; they don't have anti-virus and are completely infected, then they come here and infect our network. I don't want them gaining access if they don't have an up-to-date AntiVirus, all MS patches, etc. Our NAC does a very good job of this, but again, if the client isn't requesting a DHCP, the NAC can't enforce any policies.

An additional VLAN *might* be something I can do in the future for wireless access, but as of right now, it's really not a possibility. Students need to be able to access their home directories on the student servers and other network resources. I know you can create rules in a proxy / router to allow these things, but it's way too far into the school year right now to make any huge changes like this. That would need to be done over summer break, etc.
0
 
LVL 7

Expert Comment

by:Morne Lategan
ID: 23677635
Can you elaborate on how your NAC works? Do you have client software installed on the laptops? And do you use VLANs or ARP to enforce policies? Does the NAC challenge anything that sends a packet through it?

If it challenges anything that sends a packet through it, you might configure a replication port on the switch. That way traffic from the entire WAN will be replicated to it, not just the packets destined for the DHCP server, and your NAC can then quarantine it accordingly through VLAN/ARP/...
0
 
LVL 5

Expert Comment

by:winthropj
ID: 23677671
Yeah, you need to set up a separate VLAN. I have a separate wireless network on a separate VLAN for machines that come into my buildings. I provide a couple of printers, but they don't come onto the school network. The school network is not broadcast and uses machine auth and IAS (RADIUS).

Is there any security on the wireless network: WEP, WPA...?

Your equipment can definitely support a setup like this.
0
 

Author Comment

by:fgarufijr
ID: 23677813
The NAC can only enforce policies for those clients requesting a DHCP. It sits in line and in front of the DHCP server. A request comes in for DHCP and the NAC immediately tests the machine. If it passes, the client is able to acquire a DHCP address. If it fails, the NAC quarantines it into a separate subnet. The client then has the ability to make the corrections needed and be retested. If successful, the NAC releases it from quarantine and it gets a DHCP.

We currently use WPA2-Enterprise with IAS and authenticate users through Active Directory.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23677919
Do they need to access resources on your school network? What services are you providing the clients? I think your only real option is to put these clients in a VLAN. If that won't work, I would discuss with the administration disabling the wireless until you can implement one. With no control of the clients your concerns are valid, and they are basically allowing external parties (spyware, bots, etc.) access to whatever these clients have access to. There are devices that interrogate a client's patch levels and firewall status, but they usually require the computers be something you own. Without installing client software on the computers you are really stuck putting them in a different zone to secure your production network from them. I completely sympathize with your position, but I think you MUST express the extreme risk that they are introducing to your network and other students by not restricting this.
0
 

Author Comment

by:fgarufijr
ID: 23677927
Yes... There are a bunch of resources they access on the school network, which would make putting them in a VLAN a difficult task. Not an impossible one, but definitely difficult.

Basically, the way I see it is that the NAC is doing its job. There is just a hole that I need to plug to ensure they cant circumvent it.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23678020
So what about denying the inappropriate IP addresses in a remote access policy? This link talks about writing a parameter for a remote access policy that might work for you. I think this might allow you to block out the fixed IPs you don't want them using.

http://technet.microsoft.com/en-us/library/cc737419.aspx
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23678039
Oh, it says something under IP that the server must provide the IP address; I think this is exactly what you are asking for:
http://technet.microsoft.com/en-us/library/cc786581.aspx
0
 

Author Comment

by:fgarufijr
ID: 23678040
I'm a bit lost on this one... How would I accomplish this? We are using a Class A 10.x.x.x. With this being the case, a student can easily pick, at random, an IP address and gain access.

Example : The student could try the following until he gained access...

10.240.5.1
10.80.246.4
etc.

0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23678048
The access rule would deny access if the IP address was not provided by the server. How does that sound? I can't test it, but I think this is the implementation that would solve the problem the way you want.
0
 

Author Comment

by:fgarufijr
ID: 23678075
I definitely think you're on to something here!

Here's what I don't know... "Server must supply an IP address"... Does this mean the IAS server has to supply the IP through DHCP?

I have two IAS servers, but my DHCP server is separate from these two IAS servers.

I tried finding something on that in those write-ups, but they don't define too much what "Server must supply an IP address" is...
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23678090
Haha.. Yeah, I saw that as well, but the DHCP addresses are typically reserved by the RAS server and then given to the client, so "provided by the server". That doesn't necessarily refer to the server actually being the DHCP server. Here is the step by step to set it up:

To configure IP options:

Do one of the following:

- Open Routing and Remote Access and, if necessary, double-click Routing and Remote Access and the server name.
- Open Internet Authentication Service and, if necessary, double-click Internet Authentication Service.

Then:

1. In the console tree, click Remote Access Policies.
2. In the details pane, double-click the remote access policy that you want to configure.
3. Click Edit Profile.
4. On the IP tab, specify any required settings.

P.S. I personally really dislike misuse of systems. That is why I am really trying to help. The few ruining things for the many... When people complain about passwords, encryption, patches, firewalls, just explain this situation, and the many like it.
0
 

Author Comment

by:fgarufijr
ID: 23678098
This sounds great! :)  I REALLY appreciate your help! :)

When I go into the office tomorrow I will try this first thing... I'll then come back and assign the points to you :)

I'll post back and let you know how it goes :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 23704450
802.1x is your answer. This is NAC 101... Is this Symantec NAC? Are your users required to have SEP installed? (If this is Symantec, that is.) What needs to happen is that the client software on the machines needs to pass the NAC checks, and the only way to force that is 802.1x.
http://www.informit.com/articles/article.aspx?p=653377&seqNum=4
http://en.wikipedia.org/wiki/802.1x
You can think of 802.1x as a white-list or access list. To pass traffic, the wifi access point will ask for 802.1x auth; if the users don't have it enabled (it is enabled by default on all wifi NICs) they won't ever be able to auth or pass traffic until they do enable it and pass auth. To pass auth the WAP can rely on RADIUS, AD, LDAP, etc., but in your case your 802.1x config on your WAPs will point to your NAC, and the NAC will then run its scans and pass/fail the users based on that, as well as a username/password if you wish. Need more info about your NAC solution and whether your users have NAC clients installed. If you rely on "dissolvable" clients, this then assumes that your users are (1) using Windows and (2) admins of their laptops. If either of those is not true, dissolvable clients don't work as far as I know.
-rich
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23781330
Did the access rule help the situation?
0
 

Author Comment

by:fgarufijr
ID: 23801521
Hi rbeckerdite...

I'm pretty sure I did everything correctly and yet it's still allowing me to connect to the network with a static IP. I just made the one change:

IAS Profile -> Edit Profile -> IP -> Server must supply an IP address

Yet if I put a static IP on my laptop, I still gain access to the network.

Am I doing something wrong?
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23801881
I am wondering if the policy application is in the right order?
0
 

Author Comment

by:fgarufijr
ID: 23801920
What should I be looking for?
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 23802089
I would see if there is an approval rule that bypasses this criteria. Make sure the policies apply in the right order. It is tough testing this in a production environment. It might be a little deep for me, sight unseen, to configure IAS policies. Hmm.. maybe post a screenshot of the policy section, or just read through it and check the flow of policies.

Try this with "Users who do not have access can login"
http://technet.microsoft.com/en-us/library/cc786978.aspx
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 23805400
You cannot accomplish what you want without enabling 802.1x on the switch...
Please read: http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

page 12:
Deploy your authenticating switches to provide network access for your wired network. Configure your authenticating switches to support 802.1X authentication and RADIUS. Configure the RADIUS settings on your authenticating switches with the following:
1. The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
2. The IP address or name of a secondary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
-rich
0
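The difference between the two enforcement points discussed in this thread (a NAC that only sees the DHCP path versus 802.1X port-based control backed by RADIUS) comes down to where the check sits in the frame flow. The following added example, which is not code from the thread and is not a real NAC, supplicant or RADIUS server, models both as small classes and pushes the same constructed sequence of frames through each. The `POSTURE` table stands in for whatever health check the NAC performs; the frame kinds and MAC addresses are constructed.

```python
"""Model of DHCP-inline NAC versus 802.1X port control.

Added example (not from the thread). Two enforcement points see the same
frames from two hosts: host 01 plays by the rules and asks for DHCP, host
02 configures its own address and never sends a DHCP request. The posture
check results are constructed stand-ins for the NAC's real health checks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    kind: str  # "EAPOL", "DHCP_DISCOVER", "ARP" or "IP"


# Constructed posture results the NAC would return for each client.
POSTURE = {
    "aa:aa:aa:aa:aa:01": True,   # patched, AV up to date
    "aa:aa:aa:aa:aa:02": False,  # out-of-date AV
}


class DhcpInlineNac:
    """Enforcement only on the DHCP path, as in the question.

    Any frame that is not a DHCP request is forwarded untouched, so a host
    that configured its own address is never examined at all.
    """

    def __init__(self):
        self.quarantined = set()

    def handle(self, frame):
        if frame.kind == "DHCP_DISCOVER":
            if POSTURE.get(frame.src_mac, False):
                return "lease-granted"
            self.quarantined.add(frame.src_mac)
            return "quarantined"
        # Non-DHCP traffic never reaches the NAC's check: this is the hole.
        return "forwarded"


class Dot1xPort:
    """Port-based control: an unauthorized port passes only EAPOL.

    Authorization requires a successful EAP exchange. Here the RADIUS server
    is modelled as consulting the same posture table; a real deployment would
    also verify user credentials. Frames from a host that has not been
    authorized are dropped regardless of how the host obtained its IP.
    """

    def __init__(self):
        self.authorized = set()

    def handle(self, frame):
        if frame.kind == "EAPOL":
            if POSTURE.get(frame.src_mac, False):
                self.authorized.add(frame.src_mac)
                return "access-accept"
            return "access-reject"
        if frame.src_mac in self.authorized:
            return "forwarded"
        return "dropped"


def run(enforcer, frames):
    """Apply one enforcer to a frame list; returns (host, kind, decision)."""
    return [(f.src_mac[-2:], f.kind, enforcer.handle(f)) for f in frames]


# Constructed traffic: host 01 behaves, host 02 skips DHCP and uses a static IP,
# then tries to authenticate anyway once it discovers its traffic is dropped.
SCENARIO = [
    Frame("aa:aa:aa:aa:aa:01", "EAPOL"),
    Frame("aa:aa:aa:aa:aa:01", "DHCP_DISCOVER"),
    Frame("aa:aa:aa:aa:aa:01", "IP"),
    Frame("aa:aa:aa:aa:aa:02", "ARP"),
    Frame("aa:aa:aa:aa:aa:02", "IP"),
    Frame("aa:aa:aa:aa:aa:02", "EAPOL"),
    Frame("aa:aa:aa:aa:aa:02", "IP"),
]


def compare(frames=SCENARIO):
    """Run the scenario through both enforcers and return both decision lists."""
    return {
        "dhcp_inline": run(DhcpInlineNac(), frames),
        "dot1x": run(Dot1xPort(), frames),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name)
        for host, kind, decision in decisions:
            print(f"  host {host} {kind:<14} -> {decision}")
```

The output makes the point of the accepted solution visible: under the DHCP-inline model every frame from host 02 is forwarded because the NAC never sees it, while under 802.1X the same frames are dropped until the host completes an EAP exchange, and the failed posture check keeps it unauthorized even then.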
