Thanks everyone for your replies. I
can see that I have a lot of discussion to look forward to with the network
engineers. I definitely have enough information to get me started in
making a good decision.
If only Longhorn and Vista
were released already then it would seem as though my question could be more
easily answered.
Thank you again everyone.
Edwin
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Saturday, February 04, 2006
9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting
better control over DHCP
As somebody earlier mentioned, Cisco has
the Port Security option on their switches, if you happen to be running a Cisco
network.
Once a device is plugged in, only that
device can use the port. Unplug it and plug something else in and the port
shuts down.
In the same vein, Cisco has Network Access
Control (NAC) for doing the antivirus checks, patch checks, etc. Your laptop
doesn’t meet certain criteria, it isn’t allowed on the network.
Al
-----Original Message-----
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 04, 2006
6:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting
better control over DHCP
Edwin, I'm sure you've noticed by now but joe and
Brian (both) have given you a really good idea of what you need to do to solve
this. As indicated, to achieve your goal of preventing any unauthorized
access to the network, you'd pretty much have to have control at the phys
layer. By that I mean you'd have to control who/what can gain access
there.
I think you'll want to plan (as joe suggests) because
issues such as temporary access i.e. a vendor is working on site for 2 weeks
and requires limited access to the internet for the job function, or somebody
needs to roam to another site where they don't have access. You also need
something that's as automated as you can get it because you certainly can't
scale a solution that requires knowing something like a MAC; ask any firewall
admin that has had to do that :) Even if you did know the MAC, that's not
enough to secure your network IMHO.
The NAP idea coupled with some ideas around multiple
networks would likely get you much closer to solving your problem(s). I don't
view a solution that requires a new OS os special software to be a solution
however. Too many variables that need to work i.e. linux laptops, old-ish
clients (XP is getting long in tooth and many haven't even upgraded to that
yet!) Nope, to me it needs to be isolated from the OS that wants access
and not require specialized client software. It should include
authenticated access and a method to allow access long enough to become
authenticated.
My $0.04 worth, as if you needed it.
On 2/4/06, Brian Puhl <[EMAIL PROTECTED]> wrote:
At Microsoft we do not use 802.1x, so if you were to
walk up to a port on
our corporate network and plug in, you would get an IP and have access to
"some" things.
What we do instead is "domain isolation" via IPSec, which means that
machines which are not joined to an MSIT managed domain (basically, our
production forests) cannot establish connections with machines that are in
our domains.
Rather than deploying 802.1x, we are in the process of implementing Network
Access Protection, which is a Longhorn/Vista feature. Basically when
a
machine connects to the network it is quarantined and must pass a "health
check" (think patches, AV, and any other config we want to mandate) before
they are released from quarantine. We haven't deployed this widely,
it's
still in an engineering phase, however this is the direction we're taking
our network controls.
The "connect to the network using plastic thingy with chip" would be
our VPN
solution, which we implemented. Effectively it's NAP as described
above,
but requires smartcards (plastic thingys) for authentication and the VPN
client performs the health check.
Brian Puhl
Microsoft IT
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP
Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP
Can't this be done with ...what is MS using? Is it Ipsec and smartcard
authentication?
You go to Redmond,
stick in a rj45 and unless you have a lovely plastic
thingy with a chip you don't get access on corpnet.
joe wrote:
> There is nothing you can do around a DHCP server that will really help
> you as you point out. You simply need to plug into a port, enter any
> IP address or let one of the 169 addresses kick in and turn on a
> sniffer and you start seeing enough traffic to figure out where to
> come up with a random IP address at. All the DHCP server is is a
> helper, it doesn't give you network access, it helps you find it. This
> type of thing needs to be controlled either at the network level where
> the switches say, sorry you can't route packets anywhere but this
> private secured network or you need to make all proper network traffic
> secure with some kind of tunneling/vpn type tech. The later is quite
> popular for companies with wireless, you get on the wireless network
> and then have to VPN into the corporate network. That way anyone who
> compromises the WAPs still doesn't get anything but a network and all
> traffic from everyone properly on the network is encrypted. At best
> the company may allow you to surf out to the internet, this is
> especially good for companies who have visitors from other companies
> dropping by their facilities or are in close vicinity to other
> companies who may pick up their WAPs.
> You really want to start looking into Network Quarantine//Network
> Access Protection/etc. It is not a simple whip out in an hour
> solution, it will take forethought and possibly upgrades of network
> infrastructure and your machines to do it correctly. But with it you
> can set specific policy on who gets to get on the real network and who
> doesn't, this includes things like domain membership as well as what
> software is installed on machines and virus definition levels or OS
> fix levels, etc. You write the policy that the clients have to meet or
> else they don't get anything but a dead network.
> I would recommend going to google, typing in network quarantine and
> hit enter. You will almost certainly see several hits on MS because
> they have been spending a lot of time and energy the last 4 or so
> years working on this stuff and getting all of the right hardware
> people together to make a good solution. They had some preliminary
> stuff done a couple of years ago that people were really interested in
> but started redesigning some of it to make it more flexible/capable. I
> expect most of what happens in this space will most likely fall out of
> Cisco and Microsoft.
> joe
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
*On Behalf Of *Edwin
> *Sent:* Friday, February 03, 2006 7:55 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Getting better control over DHCP
>
> Assigning IP's based off of MAC addresses would be a huge headache!
> Besides, just as you said the "network savvy" person can easily
find
> out the IP range if needed and assign them self an IP and spoof the
> MAC if needed.
>
> If something like this is possible, I would like to have a more
> concrete solution.
>
> But thank you very much for your reply.
>
> Edwi
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
*On Behalf Of *Marc A.
> Mapplebeck
> *Sent:* Friday, February 03, 2006 7:38 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Getting better control over DHCP
>
> I'm not sure if it's the best way to do it, but you could set your
> entire scope to be in one exclusion range, then assign static DHCP to
> authorised MACs. After that, for added security, you could set a
> second scope to give out leases outside your network range so that
> unauth ppl will get a lease, but not be able to see anybody, only
> downside to that would be that the network savvy user could look under
> network settings and see what the IP of the DHCP server is and then
> assign a static IP within that range. HTH - Marc
>
> ------------------------------------------------------------------------
>
> *From:* [EMAIL PROTECTED]
> [mailto:
[EMAIL PROTECTED]] *On Behalf Of *Edwin
> *Sent:* February 3, 2006 20:13
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Getting better control over DHCP
>
> Is it possible within a domain on an authorized DHCP server to
> restrict what machines get a DHCP IP Address? For example, I want to
> prevent someone from bringing in an unauthorized laptop and getting an
> IP Address on the network. I want it to be so that if the machine is
> not a part of the domain, it does not get any network connectivity
> from the DHCP server.
>
> Thanks,
>
> Edwin
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
