-
It all comes down to your risk assessment versus your business needs. It sounds as if currently the internal LAN is considered a 'safe' network and is not treated as an unsecured network or the internet; really it's just not designed with this kind of access restriction in mind. You could employ some of the tricks mentioned here like static ARP tables with MAC locking and such or router ACLs, but this will be vulnerable to spoofing and other attacks because you are not really requiring users who are physically in the network to properly authenticate themselves to gain network access. If you want to do this you would have to operate on the assumption that your wired LAN is insecure and hostile, which is a horse of another color. This could be done by creating an insecure segment of the network and then using something like 802.1X to force authentication via EAP/RADIUS or LDAP or something before access is granted. This way not only must the user have access to the network but is then verified by something they know or possess (aka password, certificate, smart card etc.)
-Maestr0
-
I was referring exactly to what Maestr0 just mentioned: 802.1x and/or VPN (although this is admittedly not only machine auth but a bit of user auth in it too, but that's what I meant...)
BTW, I gotta say this is perhaps the most interesting thread I've seen in a *long* while! Keep it up!
Ammo
-
Feh. Those questions suck. When it started "calculating" the score I decided I didn't want to know.
-
I'm a bit unclear on the actual environment we're discussing here, but here it goes….
The College provides a network drop to anyone with a laptop.
What are the needs or concerns of the administration?
Do they even care that this portion of their network is compromised?
Do they have a secured area of their net?
Are they willing to make the necessary changes to turn it into a secure network? Freedom of information has its cost, and the first one is security. In a wide open wired environment the best they can do really is harden their servers, cross their fingers and pray. If they want to close up the network, the first thing they need to do is separate secured from unsecured segments and build a solid DMZ. Firewall, enterprise management, IDS, and forensic routines need to be put in place and strictly enforced.
Are we discussing a wireless network? If so, then secure the wireless from the wired. Put a strict firewall in place along with a good network management tool such as CA's Unicenter and eTrust or HP's OpenView and only allow connection to the LAN via VPN.
Why a VPN?
WEP or WEP+ (46-bit or 128-bit) is weak and can be cracked in hours while MAC address filtering is broken in minutes and is a management nightmare.
A VPN however is relatively secure. If you use a hardware solution such as Checkpoint’s with a regularly changing cipher, or a hardware/biometric based solution you can get a very secure line that takes some serious work to break into. While it does add to your overhead it all depends on how secure you want your traffic to be, and honestly at 1-2 Mbs the overhead isn’t that noticeable.
FyreMouse
-
Sorry I couldn't get back to this thread earlier. The end of the week can be wicked. [Thursday and Friday are the weekend here].
Thanx for the marvellous info Maestro, Ammo and Fyremouse. In a bid to clear things up, here at the college, we have two different subnets, one 192.168.x.x for undergraduate student labs with restrictive access to machines, and port security enabled on all switches. Log in to these machines is thru a central authentication mechanism. The other, a 172.16.x.x for faculty and graduate research labs, where of course, each individual has complete admin rights to his machine.
When starting this thread, my focus was on this second subnet, or rather its IP management. Faculty/Grad Students were just picking free IPs off the network, and assigning them to themselves, instead of submitting their MACs to the admin and requesting an IP. Slarty was a great help in suggesting tying the router's ACLs into the DHCP IP lists. Then along came ammo and cgKanchi talking all about how port security can be bypassed with MAC spoofing, and in turn giving credence to the following nasty scenario: [in turn making the topic all the more interesting ;) ]
One fine nite, some smart undergrad brings his laptop, spoofs the IP/MAC of a legit machine, plugs into the switch, thus bypasses port security, and the admin's got a completely unsecured and possibly hostile box on the network. The lad could do serious damage, especially like breaking into faculty machines.
I don't know what kind of network authentication runs in the undergrad labs, I'm just a grad student working as an aide to the college's hardware support group. But the fun part is, I told the network coordinator about the scenario, and he said I could try it out over the weekend.. of course, short of breaking into faculty machines.... does sound promising, will get back to all you splendid folks later on that.
And Hey Fyremouse, really admired ur post, especially regarding what you said bout wireless Lans and integrating them into the existing wired one, I'd like to talk more about that. Okay if I pm you bout that sometime?
Thanx people,
_Scim_
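The registration scheme _Scim_ describes (submit your MAC, get an IP) and Slarty's idea of tying ACLs to the DHCP lists both hinge on one question: does what is actually on the wire match what was registered? The following script is an added example for this thread, not code posted by anyone in it. It assumes a registration list mapping each MAC to its assigned IP and an ARP cache dump in Linux `arp -n` format; both inputs below are constructed sample data with hypothetical addresses. It flags the four things an admin on this subnet would want to know about: an IP answering with a MAC other than the registered one, one MAC showing up on several IPs (a copied MAC or a self-assigned second address), MACs that were never registered, and IPs in use that nobody was assigned (the original "picking free IPs off the network" problem).

```python
"""Audit an ARP snapshot against a MAC/IP registration list.

Added example for the thread above, not code from any poster. Inputs are
constructed: REGISTERED stands in for the admin's MAC->IP list, ARP_DUMP for
the output of `arp -n` on the router or a switch with an IP on the subnet.
"""
import re
from collections import defaultdict

# Constructed registration list (hypothetical MACs and IPs): MAC -> assigned IP.
REGISTERED = {
    "00:11:22:aa:bb:01": "172.16.5.10",
    "00:11:22:aa:bb:02": "172.16.5.11",
    "00:11:22:aa:bb:03": "172.16.5.12",
}

# Constructed ARP cache dump in `arp -n` layout. Sample lines only:
#  .11 answers with an unregistered MAC, bb:03 appears on two IPs,
#  .13 and .40 were never assigned to anyone.
ARP_DUMP = """\
Address          HWtype  HWaddress           Flags Mask  Iface
172.16.5.10      ether   00:11:22:aa:bb:01   C           eth1
172.16.5.11      ether   00:11:22:aa:bb:99   C           eth1
172.16.5.12      ether   00:11:22:aa:bb:03   C           eth1
172.16.5.13      ether   00:11:22:aa:bb:03   C           eth1
172.16.5.40      ether   00:11:22:cc:dd:ee   C           eth1
"""

# One ARP entry: IP, hardware type, 17-character colon-separated MAC.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f:]{17})\s", re.I)


def parse_arp(dump):
    """Return (ip, mac) pairs from an `arp -n` style dump; header lines are skipped."""
    pairs = []
    for line in dump.splitlines():
        m = ARP_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def audit(pairs, registered):
    """Compare observed (ip, mac) pairs with the registration list.

    Returns a dict with four lists:
      mismatched       (ip, observed_mac, registered_mac) where they differ
      duplicated_mac   (mac, [ips]) for a MAC seen on more than one IP
      unregistered_mac (ip, mac) for a MAC that was never registered
      unassigned_ip    ip that is in use but was assigned to nobody
    """
    ip_to_mac = {ip: mac for mac, ip in registered.items()}
    seen = defaultdict(set)
    findings = {"mismatched": [], "duplicated_mac": [],
                "unregistered_mac": [], "unassigned_ip": []}
    for ip, mac in pairs:
        seen[mac].add(ip)
        expected = ip_to_mac.get(ip)
        if expected is None:
            findings["unassigned_ip"].append(ip)
        elif expected != mac:
            findings["mismatched"].append((ip, mac, expected))
        if mac not in registered:
            findings["unregistered_mac"].append((ip, mac))
    for mac, ips in seen.items():
        if len(ips) > 1:
            findings["duplicated_mac"].append((mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_arp(ARP_DUMP), REGISTERED).items():
        for item in items:
            print(kind, item)
```

Two caveats worth keeping in mind. An ARP snapshot only shows hosts that were active when it was taken, so a box that copies the exact IP/MAC pair of a legit machine while that machine is switched off passes this check cleanly; that is precisely the gap Maestr0's 802.1X suggestion closes, since it authenticates the person rather than the address pair. And a MAC seen on several IPs is also what you get from a perfectly innocent dual-boot or virtual machine, so treat the output as a list of things to go look at, not as proof of mischief.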
-
wow, now that's a brainstormer. even i never thought of that. now that MAC and IP spoofing comes into play, the ONLY thing i can think of is to agree with ur initial idea, just make a new subnet.
i think im losing it.. its been a year since ive been here and im losing it.. *shakes his head and walks off*
-
tho a VPN is a novel idea, i did some research on it a year ago and it got me interested. i even attempted to form a VPN Research Team and around 6-7 AOers volunteered. but it didnt happen, mainly coz i couldnt get in contact with the people so i did the research on my own. i think i still have some of the docs and papers i collected during my research. so if u wanna spend some extra bread, go with FyreMouse's idea.
-
The VPN solution has become my recommendation when I talk to clients if they ask about a WLAN.
It's just simple logic, there is an overhead for cost when employing the solution, but it's an easy question: what is more important to you? Where do you draw the line? The last thing a network admin wants to consider is the possibility that joe blow goes out, buys himself a nifty Linksys router and plugs it into the corporate network.
I believe I saw some numbers from either Gartner or at WiFi Planet recently that said 90% of all laptops in use by 2005 will have WiFi capabilities built in. If I'm an Admin that scares the hell out of me.
So what do you do? Provide a WiFi solution but secure it. And today that means a VPN. LEAP is still vulnerable, WEP is worthless. There are other solutions but I haven't been very impressed by them. Along with VPN, I would add in an IDS solution and have a good forensics package ready in case of an intrusion. And in an extended environment (multiple access points) I would put something like a ReefEdge solution in to provide a seamless transition and a further level of security between the wired and the wireless.
Just a few thoughts,
Happy Holidays,
FyreMouse
-
Ok, while I agree that a VPN would probably be the ultimate solution, it would probably be considered "jumping the gun" by many...
If I may, I'd like to go back and ask what was the exact objective you (we!) were trying to accomplish by strongly controlling MAC/IP distribution?
It seems to me that further subnetting and VLANing at the distribution level and delegating responsibility for proper use "enforcement" to grad lab managers might actually be enough...
("divide and conquer" comes to mind!).
Ammo
PS: Merry Christmas to all!
-
I agree with fyremouse, you need to decide what your risk is in this subnet. If you're afraid of rogue machines, in a scenario where you're giving them physical access to your network, no amount of secure IP management is going to stop them; you need to treat it as somewhat of a DMZ and use strict ACLs, perhaps running a stateful firewall between subnets. Even with the VPN access scenario, a student can get the necessary info to connect to the VPN from one of the school's computers and then set it up on his "rogue" laptop. Social engineering a fellow student's account isn't too hard either, which really bypasses any tracking and/or authentication measures.
Damage control is the keyword here. A determined individual will be able to reasonably bypass any access restrictions because they are semi-trusted in this situation. You want to try and make it a real pain in the neck to do much with their access.
Also putting an IDS on the undergrad subnet would make it pretty easy to track people down in the act of mischievous behavior, and slap them with a warning.
Personally I don't see such a big risk here to warrant such a measure. I think schools should encourage exploration, with guidelines and measures to prevent any real damage. I mean you go to school for knowledge exploration and learning; there should be more openness and freedom, and students finding security holes should feel free to discuss them with network operators rather than living in fear of being suspended.
My 00000010 cents.