Solved

How to prevent unknown computers from accessing the network?

Posted on 2012-08-30
971 Views
Last Modified: 2013-11-29
Points of My Scenario:
1. I am admin of a Windows 2003 domain
2. There are approximately 300 IP hosts
3. The CIO wants to prevent building visitors from plugging into an Ethernet wall-jack and getting an IP address from DHCP (or using an unauthorized static IP)
4. Client/access switches are Cisco Catalyst 4506E models
5. DHCP server runs Windows Server 2003
QUESTION:
What feasible options are available to ensure that only 'known' devices are allowed to connect to the network (whether by DHCP or static IP)?
Question by:waltforbes
17 Comments
 
LVL 9

Expert Comment

by:djsharma
ID: 38352630
Disable all your unused switch ports.

DHCP, Static IPs, and AD have very little to do with your security from an outsider trying to gain access.

If you don't want to flat out disable the ports I'd suggest putting all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Then monitor that DHCP server for any leases and track down where people are randomly plugging in. If you really want you could setup a captive portal on that VLAN explaining why they aren't able to browse the internet
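The two options above (unused ports shut down, or parked in a dead-end VLAN with its own monitored DHCP server) as an added Cisco IOS example for the 4506E access switches; this is not from the thread, and the VLAN number, interface ranges and uplink name are assumptions.

```cisco
! Added example, not from the thread. Assumes VLAN 999 is a new
! dead-end VLAN with no SVI and no routing, and that Gi2/1-2/48 are
! the currently unpatched ports on one line card (assumed numbers).
vlan 999
 name QUARANTINE
!
! Option A: unused ports are simply shut down until someone asks.
interface range GigabitEthernet2/1 - 24
 description UNUSED - request a change before enabling
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Option B: ports stay up but land in the dead-end VLAN, so a visitor
! gets a lease from the monitored DHCP server there and nothing else.
interface range GigabitEthernet2/25 - 48
 description UNASSIGNED - quarantine VLAN
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! VLAN 999 must never be carried to anything that routes it:
! prune it from the trunk uplink (interface name assumed).
interface TenGigabitEthernet1/1
 switchport trunk allowed vlan remove 999
```

`show interfaces status | include 999` lists what is parked in the quarantine VLAN, and a lease on the VLAN 999 DHCP server then pins down which jack a visitor used.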
LVL 20

Expert Comment

by:wolfcamel
ID: 38352698
Some switches can do MAC address restrictions - it will take some time to set up, but you can configure them so that only certain PCs can plug in based on their MAC addresses.
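What that MAC restriction looks like on the 4506E using port security, as an added example that is not from the thread; the interface range and staff VLAN are assumptions.

```cisco
! Added example, not from the thread. Assumed: Gi3/1-3/48 serve staff
! desktops in VLAN 10, one PC per wall jack, no daisy-chained devices.
interface range GigabitEthernet3/1 - 48
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! "sticky" learns the first MAC seen on the port and writes it into
 ! running-config, so 300 addresses need not be typed by hand
 ! (save with "write memory" or they are lost at reload).
 switchport port-security mac-address sticky
 ! "restrict" drops frames from any other MAC and raises a syslog/SNMP
 ! violation instead of err-disabling the port.
 switchport port-security violation restrict
 spanning-tree portfast
!
! If "violation shutdown" is preferred, let ports recover on their own
! after ten minutes rather than waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

A cloned MAC address passes this check, so treat port security as hygiene against casual plug-ins rather than as authentication; `show port-security interface` shows the learned address and violation count per port.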
LVL 18

Expert Comment

by:web_tracker
ID: 38352851
Even though I agree having MAC restrictions can solve this issue, it can cause a problem every time you want to deploy a new computer. It can also cause problems with legitimate users who may use their laptops to log into the system. Some users may use both a laptop and a desktop as part of their job, as they may work at several locations. I guess you can enter the MAC address of these systems into the database so they are not restricted.
LVL 20

Expert Comment

by:wolfcamel
ID: 38352888
Getting an IP address is not necessarily the end of the world - depending on the rest of your network config.
They shouldn't be able to access the servers or workstations,
and internet access will depend on your firewall setup.
Find out what the REAL concern is and see if restricting DHCP is the best solution.
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 38353412
I read this, NOT tested it, have a look at it.

Maybe create a test lab and see if it works.

http://www.codedigest.com/Articles/Directory%20Service/67_Securing_your_network_using_Microsoft_Windows_DHCP.aspx
LVL 3

Expert Comment

by:pistanu
ID: 38353534
802.1x, authenticate local users with AD credentials. You can do MAC groups, assign every group a VLAN, restrictions per VLAN, etc.
LVL 6

Expert Comment

by:mo_patel
ID: 38358602
This can depend on your existing setup... if you have VLANs set up, and on your kit.

Have it so that even if someone plugs into a network port, as that port on the switch isn't live they can't do anything.

This way you're always in control, and if they do need access then all you do is patch a lead from the patch panel to the switch port, log on to the switch and assign that switch port the relevant VLAN access.

Author Comment

by:waltforbes
ID: 38361411
To pistanu:
Using 802.1x, how will a user be able to present AD credentials for authentication to the switch before (s)he gets an IP address?

To Santasi24:
Is there a way to set the dhcp classid by group policy?

To djsharma:
I understand you to say that I should disable unused ports until legitimate use is requested; otherwise, place them in a 'no-where' VLAN.
LVL 3

Expert Comment

by:pistanu
ID: 38362489
http://en.wikipedia.org/wiki/IEEE_802.1X, 802.1X uses Extensible Authentication Protocol.
LVL 3

Expert Comment

by:pistanu
ID: 38362548
The IEEE 802.1x standard is simply a standard for passing EAP over a wired or wireless LAN, without PPP. With 802.1x, EAP messages are packaged in Ethernet frames and don't use PPP. This is beneficial when the rest of PPP isn't needed, where protocols other than TCP/IP are used, or where the overhead and complexity of using PPP is undesirable. 802.1X is especially well suited for wireless LAN applications as it requires very little processing power on the part of the Authenticator. In wireless LAN applications, the Authenticator is the Wireless Access Point (WAP).

Author Comment

by:waltforbes
ID: 38363501
To Pistanu:
Thanks for the info; however, I was wondering what the user experience would be: would a special pre-boot client/agent present a logon popup for the authentication before the OS loads? Or will the user have to logon to Windows with a local account, authenticate, get an IP, then log off and finally log on with a domain account?
LVL 3

Expert Comment

by:pistanu
ID: 38363529
Almost all OSes are 802.1x capable, even some printers have this option; if not, they auth with MAC addr.

You can log on with your AD credentials, no login/logoff, and enter in your domain.

Author Comment

by:waltforbes
ID: 38368388
To pistanu:
Does this mean that a user will fail to get an IP address ONLY if (s)he logs on to the workstation with a local account?
LVL 3

Expert Comment

by:pistanu
ID: 38368453
If he logs in with a local account, then in order to get an IP he needs to log in with AD credentials. So log in with the local account, then authenticate in 802.1x.

Author Comment

by:waltforbes
ID: 38381276
To pistanu:
You've stated that the user [can] "log in with local account then authenticate in 802.1x" - how can a user initiate the 802.1x authentication while logged on locally: is there some third-party software/agent required to authenticate to AD while logged on locally?
LVL 3

Accepted Solution

by: pistanu (earned 2000 total points)
ID: 38382006
Disable/enable the LAN connection, or unplug/plug the network cable. But why do you need to reauth? It's an automated task. Once there is only one user/PC you don't need to auth every day.
It comes with Windows; 802.1x is third-party software (xsupplicant) only for some Linux distributions.
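The accepted 802.1x approach on the 4506E side, as an added Cisco IOS example that is not from the thread: the switch asks a RADIUS server (assumed to be IAS on one of the Windows 2003 servers, which checks the credentials against AD), lets printers without a supplicant in by MAC, and drops anything that fails into the quarantine VLAN. The RADIUS address, shared secret, VLAN numbers and interface range are assumptions, and the `authentication ...` command form needs IOS 12.2(50)SG or later on the 4500 (older releases use `dot1x port-control auto`, `dot1x guest-vlan` and `dot1x auth-fail vlan`).

```cisco
! Added example, not from the thread. Assumed: RADIUS at 10.0.0.5
! (IAS on Windows 2003, domain-joined, with this 4506E registered as
! a client using the secret below), staff in VLAN 10, printers without
! a supplicant admitted by MAC (MAB), failures parked in VLAN 999.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key CHANGE-ME-SHARED-SECRET
dot1x system-auth-control
!
interface range GigabitEthernet3/1 - 48
 switchport mode access
 switchport access vlan 10
 ! Port passes only EAPOL until the Windows wired supplicant (built in;
 ! the "Wired AutoConfig" service must be running) authenticates.
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 ! Wrong credentials, or no supplicant at all (a visitor's laptop):
 ! the port opens only into the dead-end VLAN.
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 999
 spanning-tree portfast
```

If the supplicant is set to authenticate the computer account as well as the user, the port opens at boot using the machine's AD credentials, before anyone logs on, which removes the local-versus-domain logon question raised earlier in the thread.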

Author Closing Comment

by:waltforbes
ID: 38398762
Many thanks for the patient, informative help. Please forgive the delay!