Remote users.....how'd you protect the LAN's when they come in

Old 22 October 2003, 02:32 PM
#1
mega_stream
Thread Starter

I'm after ideas or suggestions on how to protect against remote office users coming into any office across the country (over 150), plugging directly into a LAN port, picking up a DHCP address and potentially launching a DoS attack via a virus they are carrying.

I know there are plenty of solutions to stop the virus in the first place, patch installation etc., but this is at a level where the user has no IT knowledge and probably has no IT support staff looking after his/her system.

Are there any kind of "virtual" firewall products that anyone's used to quarantine systems, perhaps locking down to known MAC addresses before an IP address is allocated by DHCP?

This would preferably not involve any client software on the PCs; something installed on the LAN and listening is the solution I'm after.

Thanks in advance for any suggestions!


Old 22 October 2003, 02:55 PM
#2
Chris L

Hmmm - not easy this one. You could look at Intrusion Detection Systems that are designed to look for 'unusual' traffic patterns etc. But this isn't going to be cheap if you are going to deploy it across 150 offices.

You could also use intranet firewalls placed at various sites around your network. The idea being to segment the network making it easier to isolate a group of sites. Placing a firewall at every site would, again, be very expensive. Netscreen do some quite clever stuff on their firewalls regarding the use of zones to split up networks.

I'll have a think and see if I can come up with anything else.

Chris
Old 22 October 2003, 02:57 PM
#3
Chris L

A few more thoughts..

Do the users access central databases and servers? Do they actually need to be allowed to go everywhere on the network?

Chris
Old 22 October 2003, 03:53 PM
#4
mega_stream
Thread Starter

Chris

Users access servers from anywhere to anywhere!

Nothing's easy
Old 22 October 2003, 04:12 PM
#5
IWatkins

Hardware solution ?

I've seen little locks that plug into network access points to stop people plugging in their own cables. I've also seen locks that lock authorised cables into the wall sockets and PC at other end. Mind you, try as I might, I can't actually find any online at the moment.

Might work out cheaper than going for a software option?

Cheers

Ian
Old 22 October 2003, 04:28 PM
#6
SiCotty

The best solution I can think of is using 802.1x authentication. This is built into WinXP and can be added to Win2k using a simple service pack. You use 802.1x to authenticate to the switch when you log into your domain on the network. The switch then authenticates the user and grants access to the rest of the network. All switch ports will be placed in a guest VLAN before being assigned to the correct VLAN on login. As an additional security step the port is also locked down to the MAC address of the client to prevent the use of local hubs to circumvent port-level authentication security.

This complete operation is totally transparent to the user; they just log onto the network as usual.

The only snag is your switch needs to support 802.1x.

Si
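As an added illustration (not part of the original thread, and not a config posted by anyone in it), here is the shape of the switch-side setup Si describes, written in Cisco IOS syntax of the Catalyst 2950/3550 era. The interface name, VLAN numbers, RADIUS server address and shared key are placeholders I have assumed; check the release notes of the switch you actually have for whether 802.1X, guest VLAN and port security are supported together on the same port.

```text
! Global: turn on AAA, send 802.1X (EAP over RADIUS) requests to the RADIUS server,
! and enable 802.1X on the switch. 192.0.2.10 and CHANGE-ME are placeholders.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key CHANGE-ME
dot1x system-auth-control
!
! Per access port: the port starts unauthorised; a client that never speaks EAP
! (no supplicant, or a visitor's machine) is parked in guest VLAN 99, a client
! that authenticates ends up in VLAN 10 (or whatever VLAN RADIUS hands back).
! Port security with maximum 1 pins the port to the first MAC seen, so a hub
! hung off the socket cannot ride along behind an authenticated host.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 99
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Per-user VLAN after login is carried in the RADIUS Access-Accept as
! Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>.
```

Two things to check before relying on this: what the guest VLAN can actually reach (it should be a quarantine, typically Internet-only or a remediation server, not the office LAN), and what happens on the port when the authenticated machine is unplugged, since port security with `violation shutdown` will err-disable the port if a second MAC appears and someone then has to clear it.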
Old 22 October 2003, 04:37 PM
#7
stevencotton

This should be part of your Acceptable Use Policy rather than looking for a solution Microsoft-style.
Old 22 October 2003, 04:54 PM
#8
Gedi

Try elaborating on tools like arpwatch.
I hardcode all the MAC addresses we have into the DHCP server. An unknown MAC address will not be assigned an IP. It's very quick to do. Write a quick Perl script to broadcast ARP requests to all machines currently on the different subnets (making sure you know no 'alien' machines are connected at the time) and store the output in a regex'd file.

I know there are issues of people spoofing MACs, and I do have other tricks implemented to stop this. Unfortunately, I can't tell you how I go about this as I am not willing / at liberty to release these methods for security purposes.
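An added example, written for this page rather than taken from the thread (it is not Gedi's Perl script), showing the MAC-whitelist idea in Python: it parses ISC dhcpd host reservations, normalises the MAC formats you meet in practice, compares a dump of `arp -an` against the whitelist, and flags arpwatch-style "flip flops" where one IP is answered by more than one MAC. The dhcpd stanzas and ARP lines are constructed sample data; `deny unknown-clients;` is the real dhcpd directive that refuses a lease to any MAC without a matching host declaration.

```python
"""MAC whitelist check: dhcpd host reservations vs. what actually answers ARP.

Added example for this thread; all sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of the "known machines" list, in ISC dhcpd.conf syntax.
# 'deny unknown-clients;' refuses a lease to any MAC without a 'host' stanza.
DHCPD_CONF = """\
deny unknown-clients;
host laptop-alice { hardware ethernet 00:11:22:33:44:55; fixed-address 10.1.1.10; }
host laptop-bob   { hardware ethernet 00-11-22-33-44-66; fixed-address 10.1.1.11; }
host printer-1    { hardware ethernet 0011.2233.4477;    fixed-address 10.1.1.20; }
"""

# Constructed sample of `arp -an` on the gateway after a broadcast sweep of 10.1.1.0/24.
# Two surprises are planted: an address nobody reserved, and a second MAC claiming 10.1.1.10.
ARP_DUMP = """\
? (10.1.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (10.1.1.11) at 00:11:22:33:44:66 [ether] on eth0
? (10.1.1.20) at 00:11:22:33:44:77 [ether] on eth0
? (10.1.1.99) at de:ad:be:ef:00:01 [ether] on eth0
? (10.1.1.10) at de:ad:be:ef:00:02 [ether] on eth0
? (10.1.1.1) at <incomplete> on eth0
"""

# colon / dash separated pairs, or Cisco dotted-quad form
MAC_RE = re.compile(r"(?i)(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9A-Fa-f:.\-]+)\s*;")


def normalise_mac(mac: str) -> str:
    """Accept 00:11:.., 00-11-.. or Cisco 0011.2233.4455 and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_reservations(conf: str) -> Dict[str, str]:
    """Return {normalised_mac: hostname} for every host stanza in a dhcpd.conf."""
    return {normalise_mac(mac): name for name, mac in HOST_RE.findall(conf)}


def parse_arp(dump: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from `arp -an` output, skipping incomplete entries."""
    pairs = []
    for line in dump.splitlines():
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at (\S+)", line)
        if m and MAC_RE.fullmatch(m.group(2)):
            pairs.append((m.group(1), normalise_mac(m.group(2))))
    return pairs


def find_unknown(reservations: Dict[str, str], pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Hosts answering ARP whose MAC has no reservation. The DHCP whitelist alone never
    sees a box that set itself a static IP; the ARP sweep is what catches it."""
    return sorted({(ip, mac) for ip, mac in pairs if mac not in reservations})


def find_flipflops(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """arpwatch-style 'flip flop': one IP answered by more than one MAC,
    the usual footprint of a cloned or spoofed address."""
    seen: Dict[str, set] = {}
    for ip, mac in pairs:
        seen.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def host_stanza(name: str, mac: str, ip: str) -> str:
    """Render one reservation so an inventory can be turned straight into dhcpd.conf."""
    return f"host {name} {{ hardware ethernet {normalise_mac(mac)}; fixed-address {ip}; }}"


if __name__ == "__main__":
    known = parse_reservations(DHCPD_CONF)
    seen_on_wire = parse_arp(ARP_DUMP)
    for ip, mac in find_unknown(known, seen_on_wire):
        print(f"UNKNOWN  {ip:<15} {mac}")
    for ip, macs in find_flipflops(seen_on_wire).items():
        print(f"FLIPFLOP {ip:<15} {' / '.join(macs)}")
```

Run it on a real box by replacing `ARP_DUMP` with the output of `arp -an` taken just after a ping sweep of the subnet. The caveat Gedi alludes to is the important one: a DHCP whitelist only stops an unknown machine from being handed an address, it does nothing against one that configures a static IP or clones a known MAC, which is why the comparison against what actually answers ARP, and the one-IP-several-MACs check, are the parts that do the detecting.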