PaulDotCom mailing list archives

Re: Locking down Ports and DHCP
From: "Dahl, Kevin" <Kevin.Dahl () ARS USDA GOV>
Date: Fri, 6 Aug 2010 12:52:23 -0600

Thanks Tim..... The remediation server is one option, however it seems like that would be more geared towards guests, or a guest network. Which, as you say, who cares.....

But... how would I push patches to my own desktops during non-production hours if I have 802.1x implemented on my network? (Assuming users shut down or log out each night)


K-Dee


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
Sent: Thursday, August 05, 2010 5:31 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Locking down Ports and DHCP

Kevin

I'm not 100% sure what you're asking. In my situation, we just check if the computer/user has valid domain creds; if not, we quarantine them.
Not valid means they are a guest and not my responsibility to back up or patch.

If you are doing full NAC/NAP with remediation, then those products often provide a remediation server that offers patches/links to patches (i.e. latest WIN patches, virus defs). Problem is, if the user/guest doesn't have admin rights, then what? In my opinion, it's just easier to have guest jacks with an air-gapped network (could do VLANing if you prefer) and limited internet access available.

Hope this clarifies some things.

Tim

On Thu, Aug 5, 2010 at 2:26 PM, Dahl, Kevin <Kevin.Dahl () ars usda gov> wrote:
How do those of you who are using 802.1x solve the problem with 
patching and/or nightly backups ??

K-Dee


-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jody & 
Jennifer McCluggage
Sent: Thursday, July 29, 2010 8:00 PM
To: 'PaulDotCom Security Weekly Mailing List'
Subject: Re: [Pauldotcom] Locking down Ports and DHCP

I agree with Tim about recommending 802.1x. You can set it up so that the switches will not allow access until the end-user authenticates themselves on the network (via Windows RADIUS service, IAS, communicating with a domain controller). The 802.1X clients on Windows XP SP3 and higher are pretty stable (it will work on lower versions, but SP3 added some 802.1x improvements). As Tim pointed out, more and more embedded devices such as printers are now also supporting 802.1x. For other embedded devices (older printers, copiers, UPS, etc.), you can utilize MAC address filtering. This is less of an issue with these since they tend to be fairly static (i.e. they won't be moving around much) and usually have some additional compensating physical controls. You will probably want to use MAC address filtering with your servers too. 802.1x tends not to work well with servers since it requires authentication prior to granting port access. If someone has physical access to the ports that your servers are using, port authentication is the least of your problems!

Also, as Tim said, keep in mind that you are adding some additional moving parts, so more things can go wrong (802.1x client issues, switch issues, or RADIUS server issues - over the years I have had to deal with all three at one time or another, but nothing real major). That being said, except for the occasional minor headache, I have had very few issues with it over the years. Also keep in mind that the workstation will not have access to the network until the user authenticates with an approved domain-level account.

Let me know if you want some examples on how to set up using Cisco switches and Windows workstations and a RADIUS/domain server.

Jody



-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
Sent: Thursday, July 29, 2010 9:04 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Locking down Ports and DHCP

First and foremost, get your company policies and procedures in place if you have not yet. Also, you will need "buy in" from the support staff because their helpdesk calls are going to increase.

With that said, I would look at 802.1x.

Assuming you are a Windows shop and your switches support it (most modern switches do), take a look. I have leveraged it somewhat successfully. I personally do not do any NAP/NAC (remediation); I just very simply use RADIUS to auth the domain computers and domain users. If joined to the domain and a member of this group, then they are on the production LAN; if not, the switches will dynamically VLAN them to a Quarantine VLAN.

What you do with "guests" is up to you from there. You can wait for the helpdesk call or you could provide restricted internet access. If the latter, consider the appropriate egress filtering, logging, alerting, IDS, etc...
Also consider using PAT to give that network a unique public IP. Lastly, consult your legal team to draw up some language for "guests" to click through via Web Auth/Captive Portal (most modern switches support this too).
The language should note that your company is not responsible/liable and you hold the right to monitor unencrypted traffic on the network (careful with what type of monitoring - headers versus full content).

Most printers, scanners, APs, etc. support 802.1x these days. An alternative (not a very good one) would be port security via the MAC addr (but that will only keep the layman off).

Now the part you're probably going to struggle with: the supplicant. There are many. MS Windows XP SP3 and above has one built in and supports GPO control. There are also products like Juniper/Odyssey and Cisco Clean Access (which I think just got EOL'd).

They all suck (excuse me, have their limitations). The Windows supplicant in Windows 7 seems to have been improved quite a bit, however. In XP there were issues with legit end users being temporarily flipped to quarantine (while RADIUS auths them < the default behavior). Once flipped back, the DHCP client will sometimes not get an updated IP for that subnet. To date I have not found a workaround, except Windows 7.

Also, if your admins are using logon scripts and not doing so through GPO, they will need to, as the scripts will not run post-auth.

Other tech out there includes tracking/alerting after the fact 
(someone being on your network).

Hope this helps

Tim



On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson 
<pcimpressions () gmail com>
wrote:
I am coming into an environment of over 1000 clients. Everything is set up with DHCP except printers and servers. I am trying to work towards a much more secure network but am at a loss as to how to start locking down switches and DHCP. I want to make sure no one is plugging in unauthorized devices, or rogue devices for that matter, so I'm just wondering how everyone else is securing their networks. As always, pauldotcom listeners are the best and all help is welcomed.

TR

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
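The policy Tim describes above (RADIUS validates domain computers and domain users, approved identities land on the production LAN, everything else is dynamically placed in a quarantine VLAN, and supplicant-less devices such as older printers are let in by MAC address) can be modelled as a small authorization function that returns the RADIUS reply a switch would act on. This is an added illustration, not code from any poster in this thread; the VLAN numbers, the approved group name, the MAC allow-list entries and the sample requests are all constructed assumptions.

```python
"""Toy model of the 802.1X access policy described in the thread: RADIUS
validates domain computers and domain users, approved identities land on the
production VLAN, everything else is pushed to a quarantine VLAN, and a few
supplicant-less devices are allowed by MAC address.  Constructed example, not
any poster's code; VLAN ids, the group name and all sample data are assumptions."""
import re
from dataclasses import dataclass

PRODUCTION_VLAN = "100"        # assumed VLAN ids
QUARANTINE_VLAN = "999"
APPROVED_GROUP = "LAN-Access"  # assumed directory group that grants production access

# Attribute values carried in a RADIUS Access-Accept for dynamic VLAN
# assignment (RFC 3580): Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Supplicant-less devices allowed by MAC (constructed sample entries).  A MAC
# address is easily copied, so this path only keeps the casual user off and is
# confined to devices that cannot run a supplicant.
MAC_ALLOW_LIST = {
    "0011223344aa": "printer-2nd-floor",
    "0011223344bb": "ups-server-room",
}


@dataclass(frozen=True)
class AccessRequest:
    identity: str        # "host/ws01.example.local" (computer) or "EXAMPLE\\kdee" (user); "" if no supplicant
    mac: str             # Calling-Station-Id as reported by the switch
    domain_valid: bool   # credential was validated against the domain controller
    groups: tuple = ()   # group memberships returned by the directory


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def vlan_attributes(vlan_id: str) -> dict:
    """RADIUS attributes that tell the switch which VLAN to put the port in."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": vlan_id,
    }


def authorize(req: AccessRequest) -> dict:
    """Return the reply the policy would send for one access request."""
    mac = normalize_mac(req.mac)  # reject garbage before it reaches any lookup
    # 1. 802.1X: identity validated by the domain and a member of the approved group.
    if req.identity and req.domain_valid and APPROVED_GROUP in req.groups:
        return {"code": "Access-Accept", "method": "dot1x", "vlan": PRODUCTION_VLAN,
                **vlan_attributes(PRODUCTION_VLAN)}
    # 2. No supplicant at all (empty identity): MAC allow-list for printers, UPS, etc.
    if not req.identity and mac in MAC_ALLOW_LIST:
        return {"code": "Access-Accept", "method": "mac", "device": MAC_ALLOW_LIST[mac],
                "vlan": PRODUCTION_VLAN, **vlan_attributes(PRODUCTION_VLAN)}
    # 3. Everything else is a guest: still accepted, but only onto the quarantine VLAN.
    return {"code": "Access-Accept", "method": "quarantine", "vlan": QUARANTINE_VLAN,
            **vlan_attributes(QUARANTINE_VLAN)}


# Constructed sample requests: a domain computer, a user with bad creds,
# a listed printer, and an unknown supplicant-less device.
SAMPLE_REQUESTS = [
    AccessRequest("host/ws01.example.local", "00:11:22:33:44:01", True, ("Domain Computers", "LAN-Access")),
    AccessRequest("EXAMPLE\\visitor", "00:11:22:33:44:02", False),
    AccessRequest("", "00-11-22-33-44-AA", False),
    AccessRequest("", "0011.2233.44ff", False),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        reply = authorize(r)
        print(f"{r.identity or '<no supplicant>':26} {r.mac:18} -> {reply['method']:10} VLAN {reply['vlan']}")
```

The three Tunnel-* attributes are what a switch reads to move the port into a VLAN, which is the "dynamically VLAN them" step Tim relies on. Because the computer itself is an identity the policy accepts (the host/... form), a workstation that authenticates with its machine credential is authorized whether or not a user is logged on, which is the general 802.1X behaviour to check when planning after-hours patching. The MAC path is kept separate and last so that a listed MAC presented alongside a failed 802.1X attempt still lands in quarantine.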