Security appliance to protect from inside threats?

I need direction. I need to protect a network from the inside. I have a PITA user who takes great pleasure in causing me trouble. His father is a network admin at some large company and must be coaching him. He admits nothing so can't be disciplined. He does things like change IPs on machines to the same as another one, enable Wifi on the same machine that has a LAN connection. It's a nightmare and makes me look bad since I can't prove it's him. My only ammunition is that the problems stopped when he moved away; he came back 2 months ago and the same problems have started again.
It's a church, believe it or not. I've been doing network assistance for lots of churches over the years and this is more common than you think, especially with the band members who respect no security measures and think everything should be wide open like their house.
This is an A/D Domain so he can't get anywhere he isn't supposed to go, but he does cause problems and is just annoying and I want to shut him down.

Anyway, for starters I need a device or service that will deliver DHCP to machines I specifically list and for others either deny completely to respond or give them completely different settings to route them to an alternate network. And to kill the connection if he uses a static IP that doesn't match the MAC address I assigned to it.

I know others have dealt with this kind of idiot. There isn't a lot of money available but there is some. I will be upgrading it from Windows Server 2003 to 2012 very shortly. Their machines are already Win7. I have budget for an upgrade and I'm looking for help. What else can I ask for to help this problem?
Zephyr ICT (Cloud Architect) commented:
You could "fingerprint" PCs, definitely Windows PCs, using Network Policy and Access Services (NPAS), but this would imply you having control over the PCs to begin with.

If a "rogue" PC is plugged onto the network it will not be able to go online if NPAS is implemented correctly.

It works somewhat like checking the "health" of the PC/System before it can check in ...

More info:

Apparently there are also NAP clients for Mac OS X and Linux ...

It's still not foolproof, but it's something.
Zephyr ICT (Cloud Architect) commented:
How is he changing the IP-addresses or startup services that are disabled on these computers? Does he have administrator rights?

For starters I'd implement auditing on your computers, so at least you can check what and when things changed, and you have proof of it also, you can enable auditing on Windows 7 using these guidelines for starters:

Start creating AD policies to close everything down, to make sure nobody but you has the right to change things.

You could use DHCP reservations, but if you have a lot of computers it's not really a feasible task to administer it...

Switch port security (if you use Cisco or a competitor that offers the same) could be interesting, if budget allows for it or you already have it available to you (more info)

These just off the top of my head ...
Salad-Dodger (Author) commented:
Does he have administrator rights?
Many programs used have no concept of permissions so if not run as admin, they don't run at all. In many cases when given the opportunity I am able to run through the registry and file permissions of the program and correct that behavior. But more often is the case where a Mac laptop will be brought in (he is a huge Mac fanboy), plugged in, configured by him and now others, without concern for anything else on the network.

The people further up the food chain are aware that this is a problem, but due to the unique culture of faith-based organizations, combined with the lack of understanding of the core concepts, there is very little follow-through and lots of forgiveness. I should just walk away but it has become a personal learning challenge and in the end will help me increase my experience. So that's why I stick it out.

There are about 40 computers and an (intentionally) public wifi. 7 machines are on the business end and are locked down well, but the ones used for creativity, video capture and presentation are more open because things must often be done on the fly.
This arrangement works well when the users possess respect and restraint and that is where the system falls down.

I do use DHCP which I use to give a different DNS from the A/D domain (OpenDNS), I use Reservations to give the CORRECT DNS for the Domain, and I use static IPs for devices like printers and such, but that's just a smokescreen and simple to overcome.
The switch port security looks interesting, I will give that a look.
switch acls are the way but will be a pita to configure and probably cause problems later on. but it is the only bullet-proof way to make sure that the computer on the other side of the cable is limited to the expected ip and possibly mac address as well. you can configure individual acls for the sensitive machines, and a global acl on all other ports to make sure no one spoofs either their ip or mac address

also note that such security is built-in in wifi networks, so even though it looks foolish, switching everything to wifi should work quite efficiently ( he might be able to spoof the id and mac of another machine but it will be complicated, and as long as that machine is up, he will be the one to get kicked ). closing the wifi used by the 40 computers may or may not help depending on his skills. it is quite easy to retrieve the wifi password from a machine when you have admin privileges, and quite simple to airsnort as well.

fancy stuff such as redirecting to a different network is feasible, but it might be simpler to
- find out his mac address the first time he uses dhcp. if he is a mac fan and you don't have that many of them, you should be able to isolate it from the leases quite easily or by running a sniffer
- sniff all traffic for the corresponding mac address, prove that he messes with the network by configuring ips that are already assigned manually

note that you can do other things such as polling the arp tables of the switches on a regular basis which will also help identify him

if you know where he is plugged, you can do a port copy and determine his mode of operation using the trace. he is probably not smart enough to vary much

... and get him kick-banned
Salad-Dodger (Author) commented:
I caught him finally with enough egg on his face to get it taken seriously. He assumed the IP of the main projector computer during a service; besides showing a duplicate IP message on the big screen, it killed a remote broadcast they were trying to show the parishioners. When I was asked what happened I explained that this was what I was trying to tell them about. An epiphany followed and I was formally asked to find a solution and he was asked to stay away from all equipment. While still denying everything.

While I will give the switch security a serious look, I was hoping there is an intrusion appliance that can handle all this for me. All I can find that is close is Snort and its open-source brethren. I would really prefer a box that doesn't require a lot of setup.

aleluyah ;) the epiphany is a good thing

then i'm pretty sorry about the other part : there is no magic bullet-proof solution

if you need to provide physical access to the wired LAN, the simplest is probably to stick the important machines on a different switch and a different network. it's difficult to be more precise not knowing what equipment you have

if you're compelled into using a single switch, you can define a series of ACLs that deny traffic to/from the IPs and MAC addresses you want to protect and apply them to every port except those where the legit devices are plugged

also note that it is indeed possible that he did not voluntarily do all this. his machine might just be configured with the same IP as the gateway and he might be dumb enough to have just fought trying to get internet access. the result would be random disruption of traffic for all other devices on the same network
Zephyr ICT (Cloud Architect) commented:
Yeah, like skullnobrains mentions, there is no magic solution for this ... Would make for a niche market if you could create one I think ... One that is easily configured, but it would be very expensive I think, unless it's open source.

Good thing they finally witnessed the situation, you'll have more "freedom" and believability now, which will make your life and work a tad easier I assume :)

Besides separate and closed down VLANs (separate networks like skullnobrains mentions) and port security, not much else to do, besides like you mentioned, maybe Snort... But I think it would be a little overkill in this situation (seeing the amount of configuring that needs to be done and such)
Would make for a niche market if you could create one I think ... One that is easily configured, but it would be very expensive I think, unless it's open source.

actually this seems pretty easy to create a device that would do this by providing port-specific dhcp addresses. alternatively ACLs can be set to only allow dhcp traffic in the first place and updated as the dhcp negotiation goes on.

something like the following (that mimics what happens with wifi networks)
on each port
- initially allow source broadcast MAC and IP
- receive first dhcp packet
- check for duplicate mac
- allow client's mac and IP
- provide the IP

up for the niche ? what about the name ?
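The per-port sequence sketched above (allow only DHCP until the first lease, check the MAC against other ports, then bind the client's MAC and IP to the port), as an added simulation that is not code from this thread; the port numbers, MACs and addresses in it are constructed sample values:

```python
# Added example, not from the thread: simulation of the per-port binding filter
# skullnobrains sketches. A port may only send DHCP until its first lease, the
# client's MAC is checked against other ports, then only the bound pair passes.
from dataclasses import dataclass, field

UNCONFIGURED_IP = "0.0.0.0"   # source address of a client still asking for a lease

@dataclass
class Frame:
    port: int
    src_mac: str
    src_ip: str
    is_dhcp_request: bool = False

@dataclass
class PortBindingFilter:
    pool: list                                     # free addresses, handed out in order
    bindings: dict = field(default_factory=dict)   # port -> (mac, ip)
    log: list = field(default_factory=list)

    def _mac_on_other_port(self, mac, port):
        return any(m == mac and p != port for p, (m, _) in self.bindings.items())

    def _drop(self, frame, why):
        self.log.append(f"port {frame.port}: drop {frame.src_mac}/{frame.src_ip}: {why}")
        return None

    def handle(self, frame):
        """Returns the leased IP, 'forward' for an allowed frame, or None when dropped."""
        bound = self.bindings.get(frame.port)
        if bound is None:
            # Unbound port: only a DHCP request from the unconfigured address passes.
            if not frame.is_dhcp_request or frame.src_ip != UNCONFIGURED_IP:
                return self._drop(frame, "unbound port may only send DHCP")
            # Duplicate-MAC check: this MAC already lives on another port.
            if self._mac_on_other_port(frame.src_mac, frame.port):
                return self._drop(frame, "MAC already bound on another port")
            if not self.pool:
                return self._drop(frame, "no free address")
            ip = self.pool.pop(0)
            self.bindings[frame.port] = (frame.src_mac, ip)   # allow client MAC and IP
            self.log.append(f"port {frame.port}: lease {ip} to {frame.src_mac}")
            return ip
        mac, ip = bound
        # Bound port: the bound MAC may use its lease or renew it; anything else is dropped.
        if frame.src_mac == mac and frame.src_ip in (ip, UNCONFIGURED_IP):
            return "forward"
        return self._drop(frame, f"does not match binding {mac}/{ip}")
```

A second host that sets a static IP already leased to another port, or that borrows that port's MAC, is dropped and logged, which is the evidence trail the thread was missing.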
Zephyr ICT (Cloud Architect) commented:
Restricted Access Device - R.A.D ... Does have a nice ring to it ;)

Yeah, seems doable, though the ideas are usually the easiest, and we would have to use current network providers unless we make an all software solution that works with all network devices ... My head already starts to hurt ;p
actually, i already did similar stuff that can be installed on barebone appliances. it might be interesting to integrate it in something like pfsense as well and use it on a router appliance with many ports. freebsd + pf + a dhcp server with good logging capabilities or triggers should do the trick reasonably easily. the long part would be the gui for non-automated stuff that a router requires

btw, it would become an industry standard pretty soon if it were done. experience proves over and over that when smart people who have a clue create a new functionality, cisco is usually as quick to catch up as they are slow to create anything new

nice name ;)
Zephyr ICT (Cloud Architect) commented:
I love pfsense, it's a great firewall (among others), would indeed be a nice extension.
yeah... going that way, maybe use a configurable static arp table and enforce corresponding rules in the firewall by rejecting anything that has one of the corresponding macs or IPs but is not on the configured port. no need for dhcp integration at first
Salad-Dodger (Author) commented:
You guys are leaving me in the dust here :)

I find that switch port security disables the entire port when a machine is there that isn't on the list. Since I have dumb switches all over the place that feed legit machines, there is a great potential for an accidental inconvenience. What would be ideal is something that would route unauthorized machines through a specific port (with a different DHCP server and Gateway), or no port at all (leaving them dead in the water), while letting others work normally through the same port.

How would I accomplish that, and what hardware would be needed? I have an old HP 4000 switch and an old 2600 router. Anything else will need to be bought.
sorry, we were spinning our wheels on something nice but that does not really exist yet. i'll assist if you want to build it but i'd assume this is not what you want right now


what you CAN do is what i suggested above : configure ACLs that protect the machines you need to protect.

deny both the ARPs and IPs of each of the machines you need to protect on each of the ports that it is not plugged to

... but this is a major PITA to configure

it can be made reasonably simple if you stick all those machines on a single switch, and make that switch the master switch. then you can leave the rest of the network alone.

port security is just a commercial idiotic stuff for the reasons you stated above. it can be useful in locations where the one who kills the whole network gets fired though.

clearly, a dedicated physical network for sensitive machines is the only reasonable way to go. wifi is also a pretty good solution. if you post details on what you have configured and available hardware, maybe we can give better advice on how to devise something simple. include geographic constraints if you have some.
Zephyr ICT (Cloud Architect) commented:
I'm sorry that I can't contribute too much at the moment, too busy with a project, I'll try to catch up later in the evening maybe.
Salad-Dodger (Author) commented:
I love it when you guys get started on these subjects but I'm finding that as I get older, it's so much harder to keep up. But I keep trying.

A single switch is not practical here. Distance and the ability to reach some buildings combined with the occasional cluster of machines in a single location require additional switches. I could add managed switches if that helped.
sure. if you expect to setup ACLs, you definitely need managed switches. but then given the distance and such, a few wifi 5GHz dongles might be less expensive.

don't you have a way to isolate physically either of the networks ? if you can afford new switches, i'd assume it should be feasible somehow
Salad-Dodger (Author) commented:
But I can't predict what will get plugged in where. Often a device gets plugged in without my knowledge. It may have come from a different part of the campus and be an authorized device, but it might move from room to room.
Ideally I would "authorize" a device and it could plug in anywhere. Unauthorized devices would still be able to connect to the internet, usually all they want to do, but not to the internal lan segment.
you mean that even the devices you are trying to isolate can be plugged randomly anywhere without your knowledge ? if so there is just no way you can prevent such things from happening. at best you can allow a list of mac addresses to communicate together excluding the rest of the world from communicating with them, but mac spoofing is easy.

you're still not giving any clear information regarding your setup, and i'm not even sure about what you try to accomplish
Salad-Dodger (Author) commented:
yup, and when they get on a cable organizing binge they assume they can just plug it back in anywhere. Which currently is true.

Isn't there some method to "fingerprint" a PC/MAC to identify it? Or is that beyond my reality.
if your switches support 802.1 authentication and you're ready to set it up, you might find a working solution.

the questions pertaining to doing this are :
- does your switch support it ? -> yes HP4000 does
- does it give you the possibility to restrict devices that do not do 802.1 to a different VLAN. many devices will just close the port. dunno about yours.
- if not, can you dedicate a few ports for authorised devices and tell your users that for example port 1 and 2 are reserved for a list of devices and they are free to use other ports for internet access
- do your devices support 802.1 ? anything that runs a regular OS does, most appliances do not, printers usually do
- are you ready to set this up (it requires quite a lot of work)

was it what you were referring to when you wrote about port security ? i understood the security that will close ports when it detects duplicate macs or IPs

if i understand correctly, you have a single switch and a single router and long cables going all over the place and a single cable in many places ?


another idea could be to configure VLAN virtual interfaces on each equipment you need to protect if feasible. the security level is quite weak, but a malicious user has no reason to guess about such a setup if you configure the switch ports to both allow that specific VLAN and the default one. i think it might be the simplest way.

what equipments do you need to protect ? like above, most OSes have support for virtual vlan interfaces (and the hardware as well if you are lucky) but most appliances do not.
Salad-Dodger (Author) commented:
It looks like fingerprinting is the only real solution, and it's fairly impractical here. I will step back and reflect on all this. Thank you for the feedback. I may have to hire this out.
NPAS would only be meaningful in this context if setup on top of something like 802.1 port security... and useless if such was the case because 802.1 would be enough to achieve your goal.

best regards