  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1151

Need advice on how to block Windows XP in a multi OS network

Hello all -

I have been asked if there is a possible way to block Windows XP machines from accessing our network.
At a glance -
We have about 1K stations (mostly Windows 7)
We have a large WAN across several T1 and fiber circuits
99% of the network devices are Cisco (28XX routers and 35XX switches)

Without having the budget to acquire a NAC on the fly and with a request from our management to block Windows XP machines I wanted to know if there is a way to identify the XP devices at the network devices and somehow block them from there.

I have been reading on ways to do it using DHCP fingerprinting but I'm not getting anywhere.

I also looked at open source options (PacketFence) but the set up might be an issue for us,

Any advice on this subject?
Asked: CocoCounty
4 Solutions
 
Henk van AchterbergCommented:
The only option I can see is proactively scanning the network with nmap with the fingerprinting option on. When XP is detected, make a DHCP exception for it with a wrong gateway so it does not reach the internet.

There is no safe and sound solution for this problem without NAC.

Another "option" is to put a captive webportal in between which will check your OS and block you if you have Windows XP. But with 1k workstations that can be a pain in the ass.
0
 
kevinhsiehCommented:
Can you do 802.1x on your network? I didn't need to purchase anything when I implemented it on my network several years ago. If all of your authorized computers are domain members 802.1x should work quite well for you, and it helps to keep unauthorized devices off the network, not just Windows XP.
0
 
kevinhsiehCommented:
For 802.1x, all you need is NPS or IAS server(s) and a certificate authority, both of which are readily available in a Windows server environment.
@CoCoCounty, If your handle means Contra Costa County, I work nearby if you need a local resource.
0
 
btanExec ConsultantCommented:
Host OS fingerprinting is typically passive-based:
1) IP TTL and TCP window size, e.g. 128 and 65535 respectively
2) DHCP (as you mentioned); you may want to check out "Fingerbank"
3) User-Agent in the HTTP header, e.g. "Windows NT 5.1"

However for effective blocking, NAC is still something worth looking into. There is one such free and Open Source network access control (NAC) solution called PacketFence. It uses fingerprints as above ...
@ http://www.packetfence.org/en/about/advanced_features.html#c1484

.. and supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors
@ http://www.packetfence.org/about/supported_switches_and_aps.html#c1482
0
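Added example (not code from the thread or from PacketFence): a small passive classifier that applies the three indicators listed above to constructed sample observations, normalising the observed TTL for router hops before comparing it. The sample hosts, the "Windows NT 5.1/5.2" User-Agent mapping and the Windows 7 window value of 8192 are assumptions of the example, not values from the thread.

```python
import re

# Constructed sample observations, one per host, covering the three passive
# indicators from the comment above. "ttl" is the value seen at the sensor,
# so it may already have been decremented by intermediate routers.
SAMPLE_HOSTS = [
    {"ip": "10.0.1.10", "ttl": 126, "win": 65535,
     "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"},   # XP, 2 hops away
    {"ip": "10.0.1.11", "ttl": 128, "win": 8192,
     "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/25.0"},      # Windows 7 (assumed window)
    {"ip": "10.0.2.20", "ttl": 62, "win": 5840, "ua": "curl/7.22.0"}, # Linux-style stack
    {"ip": "10.0.2.21", "ttl": 127, "win": 65535, "ua": None},        # no HTTP seen yet
]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value
    (64, 128, 255), assuming fewer than ~30 hops between host and sensor."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return None

def classify(host):
    """Return (verdict, reasons). A User-Agent of NT 5.1/5.2 (XP / XP x64,
    also Server 2003) is treated as strong evidence; the TTL-128 plus
    window-65535 pair alone is weaker, so it only yields 'probable-xp'."""
    reasons = []
    ua = host.get("ua") or ""
    ua_hit = re.search(r"Windows NT 5\.[12]\b", ua) is not None
    if ua_hit:
        reasons.append("User-Agent reports Windows NT 5.1/5.2")
    stack_hit = initial_ttl(host["ttl"]) == 128 and host["win"] == 65535
    if stack_hit:
        reasons.append("initial TTL 128 with TCP window 65535")
    if ua_hit:
        return "xp", reasons
    if stack_hit:
        return "probable-xp", reasons
    return "not-xp", reasons

def suspected_xp(hosts):
    """IPs to review for the DHCP-exception or VLAN-isolation steps discussed
    in this thread; 'probable-xp' hits should be confirmed before blocking."""
    return [h["ip"] for h in hosts if classify(h)[0] != "not-xp"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h["ip"], *classify(h))
```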
 
CocoCountyAuthor Commented:
I would like to thank you all for your responses.

I believe we are going to try NPS first and then, if we have to, PacketFence.

Kevin - Not in Contra Costa, but thanks for the offer, I will keep that in mind.
0
 
CocoCountyAuthor Commented:
I intended to make all answers as correct but it only marked the last comment as such. I apologize for that.
0