Solved

Need advice on how to block Windows XP in a multi OS network

Posted on 2014-02-19
Last Modified: 2014-03-05
Hello all -

I have been asked if there is a possible way to block Windows XP machines from accessing our network.
At a glance -
We have about 1K stations (mostly Windows 7)
We have a large WAN across several T1 and fiber circuits
99% of the network devices are Cisco (28XX routers and 35XX switches)

Without having the budget to acquire a NAC on the fly, and with a request from our management to block Windows XP machines, I wanted to know if there is a way to identify the XP devices at the network devices and somehow block them from there.

I have been reading on ways to do it using DHCP fingerprinting but I'm not getting anywhere.

I also looked at open source options (PacketFence), but the setup might be an issue for us.

Any advice on this subject?
Question by:CocoCounty
7 Comments

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 125 total points
ID: 39872539
The only option I can see is proactively scanning the network with nmap with the fingerprinting option on. When XP is detected, make a DHCP exception for it with a wrong gateway so it does not reach the internet.

There is no safe and sound solution for this problem without NAC.

Another "option" is to put a captive web portal in between which will check your OS and block you if you have Windows XP. But with 1k workstations that can be a pain in the ass.

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872690
Can you do 802.1x on your network? I didn't need to purchase anything when I implemented it on my network several years ago. If all of your authorized computers are domain members 802.1x should work quite well for you, and it helps to keep unauthorized devices off the network, not just Windows XP.

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872720
For 802.1x, all you need is NPS or IAS server(s) and a certificate authority, both of which are readily available in a Windows server environment.
@CoCoCounty, if your handle means Contra Costa County, I work nearby if you need a local resource.

Accepted Solution

by:btan
btan earned 125 total points
ID: 39873193
The host OS fingerprint is typically passive, based on:
1) IP TTL and TCP window size, e.g. 128 and 65535 respectively
2) DHCP (as you mentioned); you may want to check out "Fingerbank"
3) User agent in the HTTP header, e.g. "Windows NT 5.1"

However, for effective blocking, NAC is still something worth looking into. There is one such free and open source network access control (NAC) solution called PacketFence. It uses fingerprints as above
@ http://www.packetfence.org/en/about/advanced_features.html#c1484

and supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors
@ http://www.packetfence.org/about/supported_switches_and_aps.html#c1482
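An added example, not code from the thread or from PacketFence, that turns the three passive indicator types in the answer above into an inventory check: the XP DHCP option 55 signature is an assumption to verify against Fingerbank, and the host observations are constructed sample data.

```python
# Added example (not code from the thread): a passive Windows XP fingerprint check
# built from the three indicator types in the answer above; all hosts are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

XP_INITIAL_TTL, XP_SYN_WINDOW = 128, 65535   # values given in the answer
XP_UA_TOKEN = "Windows NT 5.1"                # value given in the answer
# Assumed XP DHCP option 55 signature; verify against Fingerbank before relying on it.
XP_DHCP_PARAMS = "1,15,3,6,44,46,47,31,33,249,43"

@dataclass
class HostObservation:
    ip: str
    ttl: Optional[int] = None          # IP TTL as seen on the wire
    syn_window: Optional[int] = None   # TCP window size in the client's SYN
    dhcp_params: Optional[str] = None  # DHCP option 55, comma-separated
    user_agent: Optional[str] = None   # HTTP User-Agent header

def infer_initial_ttl(observed_ttl: int) -> int:
    """Round up to the nearest common initial TTL; each router hop decrements by one."""
    return next(t for t in (64, 128, 255) if t >= observed_ttl)

def xp_indicators(obs: HostObservation) -> List[str]:
    """Names of the independent indicators that match the XP profile."""
    hits = []
    if (obs.ttl is not None and obs.syn_window == XP_SYN_WINDOW
            and infer_initial_ttl(obs.ttl) == XP_INITIAL_TTL):
        hits.append("ttl+window")
    if obs.dhcp_params == XP_DHCP_PARAMS:
        hits.append("dhcp")
    if obs.user_agent and XP_UA_TOKEN in obs.user_agent:
        hits.append("user-agent")
    return hits

def classify(obs: HostObservation, min_hits: int = 2) -> str:
    """TTL 128 is shared by all Windows versions, so one indicator only makes a host 'suspect'."""
    hits = xp_indicators(obs)
    return "likely-xp" if len(hits) >= min_hits else ("suspect" if hits else "not-xp")

def report(hosts: List[HostObservation]) -> Dict[str, str]:
    """IP -> verdict: the list an admin would turn into DHCP exceptions or ACL entries."""
    return {h.ip: classify(h) for h in hosts}

SAMPLE_HOSTS = [  # constructed observations, not captured traffic
    HostObservation("10.0.0.11", 126, 65535, XP_DHCP_PARAMS, "MSIE 8.0; Windows NT 5.1"),
    HostObservation("10.0.0.12", 127, 8192, None, "Mozilla/5.0 (Windows NT 6.1; WOW64)"),
    HostObservation("10.0.0.13", 128, 65535),  # SYN seen only: one indicator
    HostObservation("10.0.0.14", 62, 65535),   # initial TTL 64, so not Windows
]
```

Requiring two independent indicators keeps a single matching window size or a TTL of 128 (shared by every Windows version on the WAN) from flagging Windows 7 stations.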

Author Comment

by:CocoCounty
ID: 39873653
I would like to thank you all for your responses.

I believe we are going to try NPS first and then, if we have to, PacketFence.

Kevin - Not in Contra Costa, but thanks for the offer, I will keep that in mind.

Author Comment

by:CocoCounty
ID: 39873673
I intended to mark all answers as correct, but it only marked the last comment as such. I apologize for that.