Remote users... how do you protect the LANs when they come in?
#1 Scooby Regular (Thread Starter), Join Date: May 2001, Location: Scotland, Posts: 4,580
I'm after ideas or suggestions as to how to protect against remote office users coming into any office across the country (over 150), plugging directly into a LAN port, picking up a DHCP address and potentially distributing a DoS attack via a virus they are carrying.
I know there are plenty of solutions to stop the virus in the first place, patch installations etc., but this is at a level where the user has no IT knowledge and probably has no IT support staff looking after his/her system.
Is there any kind of "virtual" firewall product that anyone's used to quarantine systems, perhaps locking down to known MAC addresses before an IP address is allocated by DHCP?
This would preferably not involve any client software on the PCs; something installed on the LAN, listening, is the solution I'm after.
Thanks in advance for any suggestions!
#2 Scooby Regular, Join Date: May 2000, Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-), Posts: 10,371
Hmmm - not easy, this one. You could look at Intrusion Detection Systems that are designed to look for 'unusual' traffic patterns etc. But this isn't going to be cheap if you are going to deploy it across 150 offices.
You could also use intranet firewalls placed at various sites around your network. The idea being to segment the network making it easier to isolate a group of sites. Placing a firewall at every site would, again, be very expensive. Netscreen do some quite clever stuff on their firewalls regarding the use of zones to split up networks.
I'll have a think and see if I can come up with anything else.
Chris
#3 Scooby Regular, Join Date: May 2000, Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-), Posts: 10,371
A few more thoughts...
Do the users access central databases and servers? Do they actually need to be allowed to go everywhere on the network?
Chris
#5 Scooby Regular, Join Date: Mar 2000, Location: Gloucestershire, home of the lawnmower., Posts: 4,531
Hardware solution?
I've seen little locks that plug into network access points to stop people plugging in their own cables. I've also seen locks that lock authorised cables into the wall sockets and the PC at the other end. Mind you, try as I might, I can't actually find any online at the moment.
Might work out cheaper than going for a software option?
Cheers
Ian
#6
The best solution I can think of is using 802.1x authentication. This is built into WinXP and can be added to Win2k using a simple service pack. You use 802.1x to authenticate to the switch when you log into your domain on the network. The switch then authenticates the user and grants access to the rest of the network. All switch ports will be placed in a guest VLAN before being assigned to the correct VLAN on login. As an additional security step the port is also locked down to the MAC address of the client to prevent the use of local hubs to circumvent port-level authentication security.
This complete operation is totally transparent to the user; they just log onto the network as usual.
The only snag is your switch needs to support 802.1x.
Si
#8
Try elaborating on tools like arpwatch.
I hardcode all the MAC addresses we have into the DHCP server. An unknown MAC address will not be assigned an IP. It's very quick to do. Write a quick Perl script to broadcast ARP requests to all machines currently on the different subnets (making sure you know no 'alien' machines are connected at the time) and store the output in a regex'd file.
I know there are issues of people spoofing MACs, and I do have other tricks implemented to stop this. Unfortunately, I can't tell you how I go about this as I am not willing / at liberty to release these methods for security purposes.
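As an added example (not code from any poster in this thread), the Python below sketches the MAC-allowlist DHCP approach of post #8 together with the "listening on the LAN" check the thread starter asked for: it parses sweep output in an arp-scan-style format, renders ISC dhcpd `host` reservations for the inventoried machines, and flags any MAC answering on the wire that is not in the inventory. The inventory and the sweep lines are constructed sample data, not a real network.

```python
import re

# Constructed sample output of an ARP sweep of one office subnet
# (format: IP, MAC, vendor, tab-separated, as arp-scan prints it). Not real hosts.
ARP_SWEEP = """\
192.168.10.11\t00:11:22:33:44:55\tDell Inc.
192.168.10.12\t00:11:22:33:44:66\tHewlett Packard
192.168.10.57\tDE:AD:BE:EF:00:01\t(Unknown)
"""

# Constructed inventory taken on a day when no 'alien' machines were plugged in:
# hostname -> (MAC, fixed IP). In practice this is the regex'd file post #8 describes.
INVENTORY = {
    "pc-01": ("00:11:22:33:44:55", "192.168.10.11"),
    "pc-02": ("00:11:22:33:44:66", "192.168.10.12"),
}

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_sweep(text):
    """Return {mac: ip} for every line that looks like an ARP sweep result.
    MACs are normalised to lower case so spelling differences do not hide a match."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(2).lower()] = m.group(1)
    return seen


def dhcpd_reservations(inventory):
    """Render ISC dhcpd 'host' stanzas. Combined with 'deny unknown-clients;' in the
    subnet declaration, only these MACs are ever handed a lease."""
    lines = ["deny unknown-clients;"]
    for name, (mac, ip) in sorted(inventory.items()):
        lines.append(f"host {name} {{ hardware ethernet {mac.lower()}; fixed-address {ip}; }}")
    return "\n".join(lines)


def unknown_macs(sweep, inventory):
    """arpwatch-style check: MACs seen on the wire that are absent from the inventory.
    These are the candidates to quarantine or investigate."""
    known = {mac.lower() for mac, _ in inventory.values()}
    return {mac: ip for mac, ip in sweep.items() if mac not in known}


if __name__ == "__main__":
    print(dhcpd_reservations(INVENTORY))
    for mac, ip in unknown_macs(parse_sweep(ARP_SWEEP), INVENTORY).items():
        print(f"ALERT: unknown MAC {mac} answering ARP at {ip}")
```

Re-running the sweep on a schedule and diffing against the inventory gives the same signal arpwatch raises for a new station, without any client software on the PCs.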