Solved

Centralized MAC filtering device

Posted on 2011-10-26
Medium Priority
848 Views
Last Modified: 2012-05-12
Hey everyone,

I've seen quite a few posts on here regarding this question in general but nothing that seems to address my needs in particular. Here's the situation:

We supply fibre directly to some of our supervisors so at any time they can bring a laptop home and connect to our corporate network. How do we ensure that our corporate laptop is the only device being plugged into our network? (i.e. his son plugs into the router we have set up on our corporate VLAN and his machine has a virus on it)

I know you can configure Windows Server 2008 R2 to use a white list to assign DHCP addresses. But that doesn't stop someone from using a static address.

I suppose you could do it at the core switch but that poses 2 problems for us - 1) we don't run that transport gear so we'd be depending on another company to ensure that it's being enforced and 2) if we want to do this internally that could make configuration and management very cumbersome and time consuming, I'm thinking.

So I was thinking of something that is centrally managed. I know our local municipality uses a Juniper IC 4000 box for this but I know nothing about them.

Any suggestions?
Question by: ITGeneral

9 Comments
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 37037385
It's called NAC, and it's a joke for the most part. MAC addresses can be spoofed, just so you know, so most secure NAC installs use the 802.1X protocol: certificates installed on your allowed machines that authenticate the machine at the switch level before the users even log on. 802.1X is a large pain in the ass, and could be bypassed if your VoIP phones have a pass-thru port in them, if someone uses a hub on the network, and if you use a VM on an allowed host and use the NAT option.
NAC aims to assess the host's "posture": is it patched, is AV running and up to date, etc... This makes little difference in securing the internal network; backdoors and user abuse all get around NAC quite easily.
I've tested all the NACs there are...
PacketFence, ImpulsePoint, Symantec-NAC, Cisco-NAC, Bradford, Aruba, and Forescout. All are overpriced and all work to a varying degree. Overall ForeScout is the better choice, but if it's just MAC address control you want, it's overkill. The free NAC from StillSecure would probably be all you need.

We've been trying NAC for the past 5 years, our CSO has a real hair up his a$$ to get this done, and just before he left the company we convinced him we didn't need it. Someone comes in with a virus or backdoor, NAC won't make a difference really. It could be our user, it could be a guest.... NAC will only mitigate the guest at best. Best thing to do is provide wifi to guests that only has access to the internet, and whitelist your hosts in your other wifi (if any).
-rich

Author Comment

by:ITGeneral
ID: 37037527
Thanks for the input Rich. Personally I have the same concerns regarding MAC spoofing so I don't really see the point. If all of these devices can be circumvented using that method then what's the point, right?

Perhaps we need to look at this a bit differently and change our policy on users who have direct fibre access from their homes into our corporate network. We can still supply them with fibre, just not to our corporate network. Force them to use the VPN client which requires a certificate and network credentials.
LVL 38

Expert Comment

by:Rich Rumble
ID: 37037685
Use a "jump box": your users connect to your network (direct/VPN/local) but to get to sensitive resources they have to RDP into a server, or they RDP into a hardened server they can work from. This way it doesn't matter what box they come from, theirs or someone else's, infected and not patched; the RDP session takes care of that 99%. There are worms that are trying to spread via RDP but typically they are not piggybacking a valid session, rather they try to RDP to servers that use bad passwords:
http://www.f-secure.com/weblog/archives/00002227.html Using RDP/Citrix in this fashion is sort of a poor man's DMZ.
-rich
LVL 26

Assisted Solution

by:Soulja
Soulja earned 500 total points
ID: 37038258
Just to add. Cisco does offer MAB Profiling in their last version of NAC and current versions of ISE. MAB profiling will prevent the spoofing issue by not just considering the MAC address for authentication, but other customizable attributes as well.

I am somewhat surprised at Rich's statement "802.1x is a large pain in the ass, and could be bypassed if your VOIP phones have a pass-thru port in them, if someone uses a Hub on the network, and if you use a VM on an allowed host and use the NAT option". Especially considering your security experience. These loopholes have all been addressed, at least on Cisco's part. You can put the switch ports in certain 802.1X modes that won't allow a hub to be connected to the port. The interfaces also recognize a PC being plugged in through a phone and still require 802.1X authentication for the PC, separate from the phone. I am currently in a global Cisco ISE project and have personally proven these concepts.
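An added illustration of what "profiling" adds on top of a plain MAC whitelist; this is example code, not code from Cisco ISE, Great Bay or any product named in this thread. The switch still sees only a MAC in the MAB request, but the policy server has also collected DHCP attributes for that MAC (option 60 vendor class, option 55 parameter request list, option 12 hostname) and checks them against the profile the whitelist entry was created for. The attribute set, weights, threshold, profile and every sample observation are constructed for the example; a real product's attribute list and scoring differ.

```python
"""Toy endpoint profiler: MAC whitelist alone vs. MAC plus DHCP fingerprint.

Added example with constructed data; not output from any real NAC product.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Weights and threshold are assumptions chosen for this illustration. The MAC
# is worth least because it is the one attribute that can be changed with a
# single command on any OS; the option-55 ordering comes from the DHCP client
# stack and changes with the operating system, not with a config setting.
WEIGHTS = {"mac": 1, "vendor_class": 2, "param_list": 3, "hostname": 1}
ALLOW_THRESHOLD = 5  # of a possible 7


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:A0.., 00-1a-a0.. or 001a.a0.. and return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Observation:
    """What the network learned about one endpoint (MAB request + DHCP snooping)."""
    mac: str
    dhcp_vendor_class: str            # DHCP option 60 (hypothetical attribute set)
    dhcp_param_list: Tuple[int, ...]  # DHCP option 55, in the order the client sent it
    hostname: str                     # DHCP option 12


@dataclass(frozen=True)
class Profile:
    """What the whitelist entry was created for."""
    name: str
    vendor_classes: FrozenSet[str]
    param_lists: FrozenSet[Tuple[int, ...]]
    hostname_prefix: str


def evaluate(obs: Observation, whitelist: Dict[str, Profile]) -> Dict[str, bool]:
    """Run every check for one observation; an unknown MAC fails them all."""
    profile = whitelist.get(normalize_mac(obs.mac))
    if profile is None:
        return {k: False for k in WEIGHTS}
    return {
        "mac": True,
        "vendor_class": obs.dhcp_vendor_class in profile.vendor_classes,
        "param_list": tuple(obs.dhcp_param_list) in profile.param_lists,
        "hostname": obs.hostname.upper().startswith(profile.hostname_prefix.upper()),
    }


def mab_decision(checks: Dict[str, bool]) -> str:
    """Plain MAC Authentication Bypass: the MAC match is the whole decision."""
    return "allow" if checks["mac"] else "deny"


def profiled_decision(checks: Dict[str, bool]) -> str:
    """MAB plus profiling: a MAC match only gets the endpoint to the scoring step."""
    score = sum(WEIGHTS[k] for k, ok in checks.items() if ok)
    return "allow" if score >= ALLOW_THRESHOLD else "deny"


# ---- constructed sample data (not captured from any real network) ----------
CORP_LAPTOP = Profile(
    name="corporate Windows laptop (constructed)",
    vendor_classes=frozenset({"MSFT 5.0"}),
    param_lists=frozenset({(1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 252)}),
    hostname_prefix="CORP-",
)
WHITELIST = {normalize_mac("00-1A-A0-12-34-56"): CORP_LAPTOP}

# The supervisor's laptop, as issued.
LEGIT = Observation("00:1a:a0:12:34:56", "MSFT 5.0",
                    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 252), "CORP-LT0042")
# Another machine in the house with the laptop's MAC cloned onto its NIC.
CLONED = Observation("00:1a:a0:12:34:56", "dhcpcd-5.2.12:Linux-2.6.38:i686",
                     (1, 3, 6, 12, 15, 28, 42), "gaming-pc")
# Same, but the user also set the hostname and vendor class to match.
CLONED_HARDER = Observation("00:1a:a0:12:34:56", "MSFT 5.0",
                            (1, 3, 6, 12, 15, 28, 42), "CORP-LT0042")


def report(obs: Observation) -> Tuple[str, str]:
    """(MAB-only decision, MAB-plus-profiling decision) for one observation."""
    checks = evaluate(obs, WHITELIST)
    return mab_decision(checks), profiled_decision(checks)


if __name__ == "__main__":
    for label, obs in (("legit", LEGIT), ("cloned", CLONED), ("cloned+hostname", CLONED_HARDER)):
        mab, prof = report(obs)
        print(f"{label:16} MAB-only={mab:5}  profiled={prof}")
```

The two cloned observations pass MAB-only and fail the profiled check; the second one shows why the DHCP parameter list is weighted highest, since the user can rename a host and set a vendor class string far more easily than change what the OS's DHCP client asks for. A custom DHCP client can match that too, so a profile match raises the bar for the "son plugs in at home" case without being authentication; 802.1X with a machine certificate, as mentioned earlier in the thread, is what actually authenticates the endpoint.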

Author Comment

by:ITGeneral
ID: 37038310
Thanks Soulja, I've actually contacted the IT department for our municipality and had a chat with them about their Juniper and Great Bay gear. Sounds like it does address a lot of Rich's concerns. The price for all this I've noticed is quite steep.

Figure $10k for the Juniper IC-4000 (if that's in fact what we need and using Juniper as the example - we would probably prefer Cisco as all our existing infrastructure is Cisco already, but I can imagine Cisco's version is not cheaper). So $10k x2 (redundancy is a must - can't have people not being able to get on the network), $14k per 100 end points, plus whatever else I'm missing (failover license to the second box?)

Of course I guess the point is would you rather pay the $34k or end up on the evening news......

LVL 26

Expert Comment

by:Soulja
ID: 37038409
If you have Cisco gear, I would go with the Cisco offerings. By no means are they cheap though. We are implementing Cisco ISE loaded on Cisco UCS C210 chassis. This is for a global bank, so security is a must.

Author Closing Comment

by:ITGeneral
ID: 37038452
Good points brought up by both users. I think we'll look at a whitelist for our corporate wifi (it's not that big) and will have a look at Cisco NAC offerings, though we may try and tighten things up just by changing the way we allow users to connect in to our network.
LVL 26

Expert Comment

by:Soulja
ID: 37038548
Just to add. The way we have our solution set up is each port is set to use flex authentication. Basically, that means if the device has 802.1X enabled and authenticates it is allowed onto the network. (We are using machine authentication, by having ISE check Active Directory for the computer account.) If 802.1X fails, it tries MAB (MAC Authentication Bypass). If that fails, it fails over to Web Authentication. This is for our guest access. This redirects the guest device to a web portal to log into. Upon successful authentication the device is placed on a guest VLAN that is restricted from the corporate network and has proxied internet access using WCCP.
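What that flex-auth order looks like on a Cisco access switch, as an added example rather than configuration from Soulja's deployment. The syntax is the IOS 12.2(55)SE-era "authentication" command set from memory; the interface, VLAN numbers, RADIUS server address and ACL names are placeholders, and the web-auth fallback shown is the switch-local variant (pre-auth ACL plus "ip admission"), whereas an ISE deployment normally does central web auth through a RADIUS-pushed redirect and assigns the guest VLAN from ISE. Check the exact keywords against the configuration guide for your platform and release before pasting.

```cisco
! --- global: AAA toward the policy server (address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control
ip device tracking
ip http server

! --- local web-auth fallback: until the user logs in at the portal, only
! DHCP, DNS and HTTP (for the redirect) are allowed through the port
ip admission name WEBAUTH proxy http
ip access-list extended WEBAUTH-PREAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 deny   ip any any
fallback profile WEBAUTH
 ip access-group WEBAUTH-PREAUTH in
 ip admission WEBAUTH

! --- access port: 802.1X first, then MAB, then web auth.
! multi-domain permits exactly one data MAC plus one voice MAC, so a PC behind
! the phone authenticates on its own and a hub that presents a second data MAC
! is a violation; "restrict" drops the extra host and logs it rather than
! err-disabling the port and taking the phone down with it.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication violation restrict
 authentication fallback WEBAUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two things to watch when using this pattern: "authentication event fail action next-method" is what lets a supplicant-less device fall through to MAB, and it is also the path a cloned MAC takes, so the MAB entries on the policy server deserve profiling rather than a bare address list; and "authentication priority dot1x mab" means a host that first came in via MAB is re-evaluated if it later starts 802.1X, which is what you want for the corporate laptop behind a home router that the supervisor's family also uses.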
LVL 38

Expert Comment

by:Rich Rumble
ID: 37038738
Any pass-thru will do, be it an ad-hoc wifi access point in a laptop (route through the LAN NIC), or in a workstation add a second NIC and NAT through the approved (802.1X) NIC. My DD-WRT allows me to install 802.1X certs and clone MACs, so all my hosts on the WAP get through all the NACs we tested (Cisco etc...), save when agents are the requirement.
The main point that I've come to conclude from NAC is it's a band-aid on a cancer. If you don't have the process set up, you're just making more work and spending money in the wrong place. There are so many redundancies introduced with NACs (AV checking, patch level checking, controlling access...); access control can be applied at so many levels already, who needs yet another? Logon rights, NTFS ACLs, logon hours, web rights, firewall ACLs (OS level, hardware level).
This however is the harder pill to swallow...
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
-rich