Solved

Need advice on how to block Windows XP in a multi OS network

Posted on 2014-02-19
1,085 Views
Last Modified: 2014-03-05
Hello all -

I have been asked if there is a possible way to block Windows XP machines from accessing our network.
At a glance -
We have about 1K stations (mostly Windows 7)
We have a large WAN across several T1 and fiber circuits
99% of the network devices are Cisco (28XX routers and 35XX switches)

Without having the budget to acquire a NAC on the fly, and with a request from our management to block Windows XP machines, I wanted to know if there is a way to identify the XP devices at the network devices and somehow block them from there.

I have been reading on ways to do it using DHCP fingerprinting but I'm not getting anywhere.

I also looked at open source options (PacketFence), but the setup might be an issue for us.

Any advice on this subject?
Question by:CocoCounty
7 Comments
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 125 total points
ID: 39872539
The only option I can see is proactively scanning the network with nmap with the fingerprinting option on. When XP is detected, make a DHCP exception for it with a wrong gateway so it does not reach the internet.

There is no safe and sound solution for this problem without NAC.

Another "option" is to put a captive web portal in between which will check your OS and block you if you have Windows XP. But with 1k workstations that can be a pain in the ass.
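The scan-then-reserve approach described in this answer, as an added example that is not code from the thread: it parses the XML that `nmap -O -oX -` writes (a constructed sample is embedded), keeps the hosts nmap classes as Windows XP with at least a chosen accuracy, and renders DHCP reservations that hand those MACs a gateway that leads nowhere. The ISC dhcpd syntax and the quarantine gateway address 10.0.1.254 are assumptions; a Windows DHCP server can carry the same per-reservation option, but the syntax differs.

```python
"""Turn `nmap -O -oX -` results into DHCP quarantine reservations for XP hosts.
Added example, not code from the thread; the dhcpd syntax and the quarantine
gateway are assumptions to adapt to your own DHCP server."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (nmap 6+ layout, osclass nested under
# osmatch); not a real scan of anyone's network.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -oX - 10.0.1.0/24">
  <host><status state="up"/>
    <address addr="10.0.1.23" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="97">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="97"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.40" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:66" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="99">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="99"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.77" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:77" addrtype="mac"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="80">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="80"/>
    </osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.90" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="95">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="95"/>
    </osmatch></os>
  </host>
</nmaprun>
"""


def find_xp_hosts(xml_text, min_accuracy=90):
    """Return (xp_hosts, xp_without_mac).

    xp_hosts: dicts (ip, mac, os, accuracy) for hosts nmap classes as Windows XP
    with at least min_accuracy; these can get a DHCP reservation right away.
    xp_without_mac: IPs classed as XP where nmap saw no MAC (it only learns MACs
    on its own segment), so the MAC has to come from the router's ARP table.
    """
    root = ET.fromstring(xml_text)
    xp_hosts, without_mac = [], []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        ip, mac = addrs.get("ipv4"), addrs.get("mac")
        best = None  # (osmatch name, accuracy) of the most confident XP match
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if acc < min_accuracy:
                continue
            for cls in match.findall("osclass"):
                if cls.get("osfamily") == "Windows" and cls.get("osgen") == "XP":
                    if best is None or acc > best[1]:
                        best = (match.get("name"), acc)
        if best is None or ip is None:
            continue
        if mac is None:
            without_mac.append(ip)
        else:
            xp_hosts.append({"ip": ip, "mac": mac.lower(), "os": best[0], "accuracy": best[1]})
    return xp_hosts, without_mac


def dhcpd_quarantine_entries(xp_hosts, quarantine_gateway):
    """Render ISC dhcpd host reservations that give each XP host a gateway of
    your choosing that goes nowhere (quarantine_gateway is a placeholder)."""
    blocks = []
    for h in xp_hosts:
        name = "xp-" + h["mac"].replace(":", "")
        blocks.append(
            f"host {name} {{\n"
            f"  hardware ethernet {h['mac']};\n"
            f"  fixed-address {h['ip']};\n"
            f"  option routers {quarantine_gateway};  # {h['os']} ({h['accuracy']}%)\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    xp, no_mac = find_xp_hosts(SAMPLE_NMAP_XML)
    print(dhcpd_quarantine_entries(xp, "10.0.1.254"))
    for ip in no_mac:
        print(f"# {ip}: classed as XP but no MAC seen; look it up in the router ARP table")
```

Two limits worth knowing before relying on this: nmap only reports a MAC for hosts on its own segment, so across the T1 and fiber sites the MAC has to be collected from the router ARP table, and a wrong default gateway only stops routed traffic; the XP host still talks to everything on its own VLAN, which is why the answer calls it a stopgap rather than a substitute for NAC.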
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872690
Can you do 802.1x on your network? I didn't need to purchase anything when I implemented it on my network several years ago. If all of your authorized computers are domain members 802.1x should work quite well for you, and it helps to keep unauthorized devices off the network, not just Windows XP.
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 39872720
For 802.1x, all you need is NPS or IAS server(s) and a certificate authority, both of which are readily available in a Windows server environment.
@CocoCounty, if your handle means Contra Costa County, I work nearby if you need a local resource.
 
LVL 63

Accepted Solution

by:btan
btan earned 125 total points
ID: 39873193
Host OS fingerprinting is typically passive-based:
1) IP TTL and TCP window size, e.g. 128 and 65535 respectively
2) DHCP (as you mentioned), and you may want to check out "Fingerbank"
3) User agent in HTTP header, e.g. "Windows NT 5.1"

However, for effective blocking, NAC is still something worth looking into. There is one such free and open source network access control (NAC) solution called PacketFence. It uses fingerprints as above ...
@ http://www.packetfence.org/en/about/advanced_features.html#c1484

... and supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors
@ http://www.packetfence.org/about/supported_switches_and_aps.html#c1482
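The three passive signals listed in this answer, as an added example that is not part of the thread: a small classifier that scores constructed TCP SYN, DHCP and HTTP observations per source address and reports which hosts look like Windows XP. The signature values (XP's DHCP parameter request list, the Windows 7 list it is contrasted with, the NT 5.1 User-Agent token) are the commonly published ones and are taken here as assumptions, as is the point scoring.

```python
"""Passive Windows XP fingerprinting over three evidence sources: IP TTL plus
TCP window, DHCP parameter request list (option 55), and HTTP User-Agent.
Added example, not code from the thread; the observations are constructed and
the signature values below are assumptions taken from commonly published lists."""
import re
from collections import defaultdict

# Option 55 as sent by the Windows XP DHCP client, versus Windows 7, which adds
# option 121 (classless static routes). Assumed values for illustration.
XP_DHCP_PARAM_LIST = "1,15,3,6,44,46,47,31,33,249,43"
WIN7_DHCP_PARAM_LIST = "1,15,3,6,44,46,47,31,33,121,249,43"
# "Windows NT 5.1" is XP; 5.2 is shared with Server 2003, so it is not used here.
XP_UA_RE = re.compile(r"Windows NT 5\.1\b")

# Constructed observations, as a sensor on a SPAN port or a DHCP relay might log them.
OBSERVATIONS = [
    {"src": "10.0.1.23", "kind": "tcp_syn", "ttl": 125, "window": 65535},
    {"src": "10.0.1.23", "kind": "dhcp", "param_list": XP_DHCP_PARAM_LIST, "vendor_class": "MSFT 5.0"},
    {"src": "10.0.1.23", "kind": "http", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"},
    {"src": "10.0.1.40", "kind": "tcp_syn", "ttl": 126, "window": 8192},
    {"src": "10.0.1.40", "kind": "dhcp", "param_list": WIN7_DHCP_PARAM_LIST, "vendor_class": "MSFT 5.0"},
    {"src": "10.0.1.40", "kind": "http", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0)"},
    {"src": "10.0.1.50", "kind": "tcp_syn", "ttl": 61, "window": 5840},
    {"src": "10.0.1.60", "kind": "tcp_syn", "ttl": 127, "window": 65535},
]


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the initial value the sender most likely used;
    every router hop across the WAN has decremented it by one."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def score_observation(obs):
    """Return (points, label) for one observation; 0 points means no XP evidence.
    The TCP values are shared with other Windows versions, so they count for less
    than the DHCP parameter list or a User-Agent that names the kernel version."""
    if obs["kind"] == "tcp_syn":
        if initial_ttl(obs["ttl"]) == 128 and obs["window"] == 65535:
            return 1, "tcp:ttl128/win65535"
    elif obs["kind"] == "dhcp":
        # vendor_class "MSFT 5.0" is sent by XP and later alike, so only option 55 counts
        if obs["param_list"] == XP_DHCP_PARAM_LIST:
            return 3, "dhcp:xp-option55"
    elif obs["kind"] == "http":
        if XP_UA_RE.search(obs["user_agent"]):
            return 2, "http:ua-nt5.1"
    return 0, ""


def fingerprint(observations):
    """Aggregate per source address into {"score": int, "evidence": [labels]}.
    Each kind of evidence is counted once per host, so repeated SYNs do not stack."""
    report = defaultdict(lambda: {"score": 0, "evidence": []})
    for obs in observations:
        points, label = score_observation(obs)
        entry = report[obs["src"]]
        if label and label not in entry["evidence"]:
            entry["evidence"].append(label)
            entry["score"] += points
    return dict(report)


def xp_hosts(observations, threshold=3):
    """Addresses whose combined evidence reaches the threshold. With 3, either the
    DHCP signature alone or the User-Agent plus the TCP values is enough, while a
    TCP-only match (10.0.1.60 in the sample) is reported but not acted on."""
    return sorted(src for src, e in fingerprint(observations).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for src, entry in sorted(fingerprint(OBSERVATIONS).items()):
        print(f"{src}: score={entry['score']} evidence={entry['evidence']}")
    print("XP hosts:", xp_hosts(OBSERVATIONS))
```

The TTL normalisation matters on a routed WAN like the one in the question: a packet from a remote site arrives with 125 or 126, not 128, and a naive equality test would miss it. The weak TCP-only case is deliberate; the DHCP parameter list is the signal PacketFence and Fingerbank build on, and it is the one to collect first if you only instrument one thing.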
 

Author Comment

by:CocoCounty
ID: 39873653
I would like to thank you all for your responses.

I believe we are going to try NPS first and then, if we have to, PacketFence.

Kevin - Not in Contra Costa, but thanks for the offer, I will keep that in mind.
 

Author Comment

by:CocoCounty
ID: 39873673
I intended to make all answers as correct but it only marked the last comment as such. I apologize for that.