I like two approaches: 802.1x+NAP or generalized VPN (with NAP), especially
for companies who frequently have guests in their network.

NAP as implemented today in VPN is not about security, it's about health
checking. Somebody who wants to get into the network would be able to do so
if he's familiar with NAP. I haven't tested NAP in LH yet - maybe it
changed. But the current implementation for VPN only requires running a
command with a password which is in clear text in the check-health script. As
soon as you run that command you'll be switched from quarantine to
production.

802.1x-Authentication works for wired and wireless networks and requires
client side certificates, so that's a good approach to protect your network.

What I mean by generalized VPN (with NAP) is that I also like the approach
of putting the whole network on the internet, having a firewall between
clients and servers, and requiring a VPN (with NAP) to tunnel to the servers.
VPN has different stages of security, and I believe the smartcard-based VPN
MS uses is very secure. I really like that solution because it's "corporate
guest friendly" - whoever you are expecting for a meeting or presentation can
have network access and VPN into his own company if needed, and your
employees are also able to gain access and VPN into their company.


Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

P.S.: Not directed to you Brian, but to the others. This post just fits here
after yours ;-)
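Added example, not from Ulf's post and not any Microsoft component: a toy model in Python of the point made above, that a release password sitting in clear text in the client-side health-check script is a bearer credential, set beside a challenge/response that needs a key provisioned to the device and therefore cannot be lifted out of a script. The script text, the executable name, the secret and the exchange are all constructed; the challenge/response class is a simplified stand-in for 802.1x certificate proof of possession, not EAP-TLS itself.

```python
"""Why a secret inside the client health-check script is a bearer credential.

Toy model (constructed, not Microsoft's protocol): a quarantine that releases
whoever presents the script's password, beside a challenge/response that only
an enrolled device with an out-of-band key can answer."""
import hashlib
import hmac
import os

# The health-check script as shipped to every client (constructed example).
# The release password is embedded in clear text, which is the weakness
# described in the message: reading the script is enough to get released.
HEALTH_SCRIPT = """\
REM check-health.cmd (constructed example, not a real quarantine script)
IF NOT EXIST C:\\Windows\\patchlevel.txt EXIT /B 1
release-quarantine.exe /secret=Qu4rant1ne-Release-2006
"""


def extract_release_secret(script: str) -> str:
    """What an attacker does: read the release secret out of the script."""
    for line in script.splitlines():
        if "/secret=" in line:
            return line.split("/secret=", 1)[1].strip()
    raise ValueError("no release secret in script")


class SharedSecretQuarantine:
    """Server side of the weak design: 'healthy' means 'knows the secret'."""

    def __init__(self, secret: str) -> None:
        self._secret = secret.encode()

    def release(self, presented_secret: str) -> str:
        ok = hmac.compare_digest(self._secret, presented_secret.encode())
        return "production" if ok else "quarantine"


class ChallengeResponseAccess:
    """Contrast: the device must answer a fresh nonce with a per-device key
    provisioned at enrollment (hypothetical stand-in for a client certificate).
    No script contains the key, so reading scripts does not help a rogue host."""

    def __init__(self) -> None:
        self._enrolled: dict[str, bytes] = {}  # device id -> key

    def enroll(self, device_id: str) -> bytes:
        key = os.urandom(32)
        self._enrolled[device_id] = key
        return key

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh per attempt, so captured answers do not replay

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> str:
        key = self._enrolled.get(device_id)
        if key is None:
            return "quarantine"  # never enrolled: nothing to verify against
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return "production" if hmac.compare_digest(expected, response) else "quarantine"


def supplicant_answer(key: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge/response."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    results = {}

    # Weak design: the rogue laptop runs no health check at all, it just
    # presents the password it read from the script.
    weak = SharedSecretQuarantine("Qu4rant1ne-Release-2006")
    results["rogue_laptop_shared_secret"] = weak.release(
        extract_release_secret(HEALTH_SCRIPT))

    # Proof of possession: an enrolled device passes, a rogue laptop does not,
    # and a captured answer does not work against a new challenge.
    strong = ChallengeResponseAccess()
    key = strong.enroll("corp-laptop-01")
    nonce = strong.challenge()
    results["enrolled_device"] = strong.verify(
        "corp-laptop-01", nonce, supplicant_answer(key, nonce))
    results["rogue_laptop_no_key"] = strong.verify(
        "rogue-laptop", nonce, supplicant_answer(b"guessed-key", nonce))
    captured = supplicant_answer(key, nonce)
    results["replayed_response"] = strong.verify(
        "corp-laptop-01", strong.challenge(), captured)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what the second design buys and what it does not: it proves the device holds an enrolled key, not that the device is healthy. Whatever health claims a client then sends are still self-asserted, which is the distinction drawn above between health checking and access security.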
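A second added example, written for this page and not taken from joe's, Marc's or anyone else's post in the quoted thread below: what joe's "DHCP is only a helper" argument looks like in practice. A host that never takes a lease, sitting on a 169.254 address, only has to parse the ARP and broadcast traffic it can already see to recover the subnet, the router and the DHCP server and then choose an unused address, which is also why the MAC reservation and decoy scope ideas further down do not gate access. The capture lines are constructed in tcpdump style, not a real capture; the regexes and function names are assumptions of this example.

```python
"""DHCP is a helper, not a gate: recover an address plan from sniffed traffic.

The sample capture below is constructed (tcpdump-style lines), not real."""
import ipaddress
import re
from collections import Counter

SNIFFED = """\
ARP, Reply 10.20.30.1 is-at 00:11:22:33:44:01
ARP, Request who-has 10.20.30.42 tell 10.20.30.17
ARP, Reply 10.20.30.42 is-at 00:11:22:33:44:2a
ARP, Request who-has 10.20.30.1 tell 10.20.30.58
ARP, Reply 10.20.30.1 is-at 00:11:22:33:44:01
IP 10.20.30.200.67 > 255.255.255.255.68: BOOTP/DHCP, Reply
ARP, Request who-has 10.20.30.43 tell 169.254.7.9
ARP, Reply 10.20.30.1 is-at 00:11:22:33:44:01
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at")
DHCP_SERVER_RE = re.compile(r"IP (\d{1,3}(?:\.\d{1,3}){3})\.67 >")


def observed_hosts(capture: str) -> list[str]:
    """Distinct addresses seen on the segment, in order of first appearance.
    APIPA (169.254/16) and the broadcast address say nothing about the plan."""
    seen: list[str] = []
    for ip in IP_RE.findall(capture):
        addr = ipaddress.ip_address(ip)
        if addr.is_link_local or addr == ipaddress.ip_address("255.255.255.255"):
            continue
        if ip not in seen:
            seen.append(ip)
    return seen


def smallest_common_network(addrs: list[str]) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing every observed address: widen the prefix
    from /32 until everything fits."""
    first = ipaddress.ip_address(addrs[0])
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if all(ipaddress.ip_address(a) in net for a in addrs):
            return net
    raise ValueError("unreachable: /0 contains everything")


def likely_gateway(capture: str) -> str:
    """The host answering the most ARP requests is almost always the router."""
    replies = Counter(ARP_REPLY_RE.findall(capture))
    return replies.most_common(1)[0][0]


def dhcp_server(capture: str):
    """Source of broadcast DHCP offers (UDP 67), if one was seen."""
    m = DHCP_SERVER_RE.search(capture)
    return m.group(1) if m else None


def pick_free_address(net: ipaddress.IPv4Network, used: list[str]) -> str:
    """Highest host address not yet seen; a real tool would ARP-probe it next,
    which is a network action left out of this offline example."""
    for host in reversed(list(net.hosts())):
        if str(host) not in used:
            return str(host)
    raise ValueError("no free address observed")


def plan(capture: str) -> dict:
    hosts = observed_hosts(capture)
    net = smallest_common_network(hosts)
    return {
        "network": str(net),
        "gateway": likely_gateway(capture),
        "dhcp_server": dhcp_server(capture),
        "candidate": pick_free_address(net, hosts),
        "hosts_seen": len(hosts),
    }


if __name__ == "__main__":
    for k, v in plan(SNIFFED).items():
        print(f"{k}: {v}")
```

The only input here is traffic any port on the segment already delivers to a listening NIC, which is the whole point: restricting who gets a lease changes nothing about who can pick an address, so the control has to sit at the switch port (802.1x) or in the traffic itself (IPsec/VPN), as the thread goes on to say.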

|-----Original Message-----
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Brian Puhl
|Sent: Saturday, February 04, 2006 6:01 AM
|To: [email protected]
|Subject: RE: [ActiveDir] Getting better control over DHCP
|
|At Microsoft we do not use 802.1x, so if you were to walk up 
|to a port on our corporate network and plug in, you would get 
|an IP and have access to "some" things.
|
|What we do instead is "domain isolation" via IPSec, which 
|means that machines which are not joined to an MSIT managed 
|domain (basically, our production forests) cannot establish 
|connections with machines that are in our domains.
|
|Rather than deploying 802.1x, we are in the process of 
|implementing Network Access Protection, which is a 
|Longhorn/Vista feature.  Basically when a machine connects to 
|the network it is quarantined and must pass a "health check" 
|(think patches, AV, and any other config we want to mandate) 
|before it is released from quarantine.  We haven't deployed 
|this widely, it's still in an engineering phase, however this 
|is the direction we're taking our network controls.
|
|The "connect to the network using plastic thingy with chip" 
|would be our VPN solution, which we implemented.  Effectively 
|it's NAP as described above, but requires smartcards (plastic 
|thingys) for authentication and the VPN client performs the 
|health check.
|
|Brian Puhl
|Microsoft IT
|
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Friday, February 03, 2006 7:19 PM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] Getting better control over DHCP
|
| 
|Microsoft uses 802.1x auth. I believe ... as do many.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
|Bradley, CPA aka Ebitz - SBS Rocks [MVP]
|Sent: Friday, February 03, 2006 8:42 PM
|To: [email protected]
|Subject: Re: [ActiveDir] Getting better control over DHCP
|
|Can't this be done with ...what is MS using? Is it Ipsec and 
|smartcard authentication?
|
|You go to Redmond, stick in a rj45 and unless you have a 
|lovely plastic thingy with a chip you don't get access on corpnet.
|
|
|
|joe wrote:
|
|> There is nothing you can do around a DHCP server that will really help
|> you, as you point out. You simply need to plug into a port, enter any
|> IP address or let one of the 169 addresses kick in, turn on a sniffer,
|> and you start seeing enough traffic to figure out where to come up with
|> a random IP address. All the DHCP server is is a helper; it doesn't
|> give you network access, it helps you find it. This type of thing
|> needs to be controlled either at the network level, where the switches
|> say "sorry, you can't route packets anywhere but this private secured
|> network", or you need to make all proper network traffic secure with
|> some kind of tunneling/VPN type tech. The latter is quite popular for
|> companies with wireless: you get on the wireless network and then have
|> to VPN into the corporate network. That way anyone who compromises the
|> WAPs still doesn't get anything but a network, and all traffic from
|> everyone properly on the network is encrypted. At best the company may
|> allow you to surf out to the internet; this is especially good for
|> companies who have visitors from other companies dropping by their
|> facilities or are in close vicinity to other companies who may pick up
|> their WAPs.
|>
|> You really want to start looking into Network Quarantine / Network
|> Access Protection / etc. It is not a simple whip-out-in-an-hour
|> solution; it will take forethought and possibly upgrades of network
|> infrastructure and your machines to do it correctly. But with it you
|> can set specific policy on who gets to get on the real network and who
|> doesn't; this includes things like domain membership as well as what
|> software is installed on machines and virus definition levels or OS
|> fix levels, etc. You write the policy that the clients have to meet or
|> else they don't get anything but a dead network.
|>
|> I would recommend going to Google, typing in "network quarantine" and
|> hitting enter. You will almost certainly see several hits on MS because
|> they have been spending a lot of time and energy the last 4 or so
|> years working on this stuff and getting all of the right hardware
|> people together to make a good solution. They had some preliminary
|> stuff done a couple of years ago that people were really interested in
|> but started redesigning some of it to make it more flexible/capable. I
|> expect most of what happens in this space will most likely fall out of
|> Cisco and Microsoft.
|>
|> joe
|> --
|> O'Reilly Active Directory Third Edition -
|> http://www.joeware.net/win/ad3e.htm
|>
|> ------------------------------------------------------------------------
|> *From:* [EMAIL PROTECTED]
|> [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
|> *Sent:* Friday, February 03, 2006 7:55 PM
|> *To:* [email protected]
|> *Subject:* RE: [ActiveDir] Getting better control over DHCP
|>
|> Assigning IPs based off of MAC addresses would be a huge headache!
|> Besides, just as you said, the "network savvy" person can easily find
|> out the IP range if needed, assign themselves an IP, and spoof the
|> MAC if needed.
|>
|> If something like this is possible, I would like to have a more 
|> concrete solution.
|>
|> But thank you very much for your reply.
|>
|> Edwin
|>
|> ------------------------------------------------------------------------
|>
|> *From:* [EMAIL PROTECTED]
|> [mailto:[EMAIL PROTECTED] *On Behalf Of *Marc A. 
|> Mapplebeck
|> *Sent:* Friday, February 03, 2006 7:38 PM
|> *To:* [email protected]
|> *Subject:* RE: [ActiveDir] Getting better control over DHCP
|>
|> I'm not sure if it's the best way to do it, but you could set your
|> entire scope to be in one exclusion range, then assign static DHCP to
|> authorised MACs. After that, for added security, you could set a
|> second scope to give out leases outside your network range so that
|> unauth ppl will get a lease but not be able to see anybody. The only
|> downside to that would be that the network-savvy user could look under
|> network settings and see what the IP of the DHCP server is and then
|> assign a static IP within that range. HTH - Marc
|>
|> ------------------------------------------------------------------------
|>
|> *From:* [EMAIL PROTECTED]
|> [mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
|> *Sent:* February 3, 2006 20:13
|> *To:* [email protected]
|> *Subject:* [ActiveDir] Getting better control over DHCP
|>
|> Is it possible within a domain on an authorized DHCP server to
|> restrict what machines get a DHCP IP address? For example, I want to
|> prevent someone from bringing in an unauthorized laptop and getting an
|> IP address on the network. I want it to be so that if the machine is
|> not a part of the domain, it does not get any network connectivity
|> from the DHCP server.
|>
|> Thanks,
|>
|> Edwin
|>
|
|--
|Letting your vendors set your risk analysis these days?  
|http://www.threatcode.com
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ    : http://www.activedir.org/ListFAQ.aspx
|List archive: 
|http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
