Slav Pigo... I'm going to massacre his name so I won't even say it....
(and you think Dr. J's name is bad you haven't seen Slav's last name)
Slav pointed out a weakness in 802.1x wired deployments that can leave
that network open for attacks. Thus the recommendation is to carefully
review wired deployments of 802.1x.
Wireless does not have this weakness.
Brian Puhl wrote:
Good point Dean - Yes, we use 802.1x for wireless access, and IPSec once the
clients are on the network for host level access.
I read the thread as using 802.1x for accessing the wired networks, which I
know several companies do. Microsoft does not use it for wired, for that we
rely on IPSec and, in the future, NAP.
~Brian
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, February 04, 2006 9:34 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP
Nod, thanks for the confirmation ... I stand corrected Susan.
Out of interest, Brian, what do you use for wireless? I'm certain it
required a cert. that I couldn't obtain since that in turn required domain
membership?
As to the original question, 802.1x remains a viable solution. I've not
seen IPsec implemented to secure initial address leases though I can
envisage ways in which that could be achieved.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Puhl
Sent: Saturday, February 04, 2006 12:01 AM
To: [email protected]
Subject: RE: [ActiveDir] Getting better control over DHCP
At Microsoft we do not use 802.1x, so if you were to walk up to a port on
our corporate network and plug in, you would get an IP and have access to
"some" things.
What we do instead is "domain isolation" via IPSec, which means that
machines which are not joined to an MSIT managed domain (basically, our
production forests) cannot establish connections with machines that are in
our domains.
Rather than deploying 802.1x, we are in the process of implementing Network
Access Protection, which is a Longhorn/Vista feature. Basically when a
machine connects to the network it is quarantined and must pass a "health
check" (think patches, AV, and any other config we want to mandate) before
they are released from quarantine. We haven't deployed this widely; it's
still in an engineering phase. However, this is the direction we're taking
our network controls.
The "connect to the network using plastic thingy with chip" would be our VPN
solution, which we implemented. Effectively it's NAP as described above,
but requires smartcards (plastic thingys) for authentication and the VPN
client performs the health check.
Brian Puhl
Microsoft IT
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP
Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: [email protected]
Subject: Re: [ActiveDir] Getting better control over DHCP
Can't this be done with ...what is MS using? Is it IPsec and smartcard
authentication?
You go to Redmond, stick in a rj45 and unless you have a lovely plastic
thingy with a chip you don't get access on corpnet.
joe wrote:
There is nothing you can do around a DHCP server that will really help
you, as you point out. You simply need to plug into a port, enter any
IP address or let one of the 169 addresses kick in, and turn on a
sniffer and you start seeing enough traffic to figure out where to
come up with a random IP address at. All the DHCP server is, is a
helper; it doesn't give you network access, it helps you find it. This
type of thing needs to be controlled either at the network level, where
the switches say, sorry, you can't route packets anywhere but this
private secured network, or you need to make all proper network traffic
secure with some kind of tunneling/VPN type tech. The latter is quite
popular for companies with wireless: you get on the wireless network
and then have to VPN into the corporate network. That way anyone who
compromises the WAPs still doesn't get anything but a network, and all
traffic from everyone properly on the network is encrypted. At best
the company may allow you to surf out to the internet; this is
especially good for companies who have visitors from other companies
dropping by their facilities or are in close vicinity to other
companies who may pick up their WAPs.
You really want to start looking into Network Quarantine/Network
Access Protection/etc. It is not a simple whip-out-in-an-hour
solution; it will take forethought and possibly upgrades of network
infrastructure and your machines to do it correctly. But with it you
can set specific policy on who gets to get on the real network and who
doesn't; this includes things like domain membership as well as what
software is installed on machines and virus definition levels or OS
fix levels, etc. You write the policy that the clients have to meet or
else they don't get anything but a dead network.
I would recommend going to google, typing in network quarantine and
hitting enter. You will almost certainly see several hits on MS because
they have been spending a lot of time and energy the last 4 or so
years working on this stuff and getting all of the right hardware
people together to make a good solution. They had some preliminary
stuff done a couple of years ago that people were really interested in
but started redesigning some of it to make it more flexible/capable. I
expect most of what happens in this space will most likely fall out of
Cisco and Microsoft.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
*Sent:* Friday, February 03, 2006 7:55 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Getting better control over DHCP
Assigning IPs based off of MAC addresses would be a huge headache!
Besides, just as you said, the "network savvy" person can easily find
out the IP range if needed, assign themselves an IP and spoof the
MAC if needed.
If something like this is possible, I would like to have a more
concrete solution.
But thank you very much for your reply.
Edwin
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Marc A.
Mapplebeck
*Sent:* Friday, February 03, 2006 7:38 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Getting better control over DHCP
I'm not sure if it's the best way to do it, but you could set your
entire scope to be in one exclusion range, then assign static DHCP to
authorised MACs. After that, for added security, you could set a
second scope to give out leases outside your network range so that
unauth ppl will get a lease, but not be able to see anybody. The only
downside to that would be that the network savvy user could look under
network settings and see what the IP of the DHCP server is and then
assign a static IP within that range. HTH - Marc
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
*Sent:* February 3, 2006 20:13
*To:* [email protected]
*Subject:* [ActiveDir] Getting better control over DHCP
Is it possible within a domain on an authorized DHCP server to
restrict what machines get a DHCP IP Address? For example, I want to
prevent someone from bringing in an unauthorized laptop and getting an
IP Address on the network. I want it to be so that if the machine is
not a part of the domain, it does not get any network connectivity
from the DHCP server.
Thanks,
Edwin
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
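As an added, constructed example (not code from the thread or from any of its participants), here is a small Python triage script that follows the position the thread settles on: the DHCP server is a helper, not a gate, so use its audit log for detection rather than enforcement. It checks granted leases against the kind of authorised-MAC list Marc describes, and separately flags any MAC that shows up with more than one hostname, which is the trace a borrowed MAC of the sort Edwin and joe mention tends to leave. The assumed input layout is the comma-separated Windows DHCP server audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address), with event ID 10 meaning a new lease and 11 a renewal; the log lines, hostnames, MACs and allow-list below are all made up.

```python
"""Detection-only triage of a Windows DHCP server audit log.

Constructed example: SAMPLE_LOG mimics the comma-separated layout of the
Windows DHCP audit log (ID,Date,Time,Description,IP Address,Host Name,
MAC Address,...), but every value in it is invented.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from typing import Iterable

# Audit-log event IDs that mean a lease was handed out (assumed meanings:
# 10 = new lease, 11 = renewal). Other IDs (log header lines, releases,
# NACKs) are ignored by the parser.
LEASE_EVENT_IDS = {"10", "11"}

# Constructed log lines. The fourth entry reuses ws-edwin's MAC under a
# different hostname, the pattern a spoofed MAC typically leaves behind.
SAMPLE_LOG = """\
10,02/03/06,19:55:01,Assign,10.1.20.15,ws-edwin.corp.example,001122334455,
11,02/03/06,19:56:10,Renew,10.1.20.16,marc-laptop.corp.example,00AABBCCDDEE,
10,02/03/06,20:01:44,Assign,10.1.20.99,unknown-host,DEADBEEF0001,
10,02/03/06,20:02:05,Assign,10.1.20.100,rogue-laptop,001122334455,
"""

# Constructed allow-list, in the dashed form admins usually keep them in.
AUTHORISED_MACS = {"00-11-22-33-44-55", "00-AA-BB-CC-DD-EE"}


@dataclass(frozen=True)
class Lease:
    event_id: str
    ip: str
    host: str
    mac: str  # always normalised to AA-BB-CC-DD-EE-FF


def normalise_mac(raw: str) -> str:
    """Accept 001122334455, 00:11:22:..., 0011.2233.4455 etc.; emit dashed form."""
    hexdigits = "".join(c for c in raw.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list[Lease]:
    """Return the lease-granting rows of an audit log, skipping everything else."""
    leases: list[Lease] = []
    for row in csv.reader(StringIO(text)):
        # Header/explanation lines and non-lease events do not pass this check.
        if len(row) < 7 or row[0] not in LEASE_EVENT_IDS:
            continue
        leases.append(Lease(row[0], row[4], row[5], normalise_mac(row[6])))
    return leases


def find_unauthorised(leases: Iterable[Lease], authorised: Iterable[str]) -> list[Lease]:
    """Leases granted to MACs that are not on the allow-list."""
    allowed = {normalise_mac(m) for m in authorised}
    return [lease for lease in leases if lease.mac not in allowed]


def find_mac_hostname_conflicts(leases: Iterable[Lease]) -> dict[str, set[str]]:
    """MACs seen under more than one hostname: a hint (not proof) of MAC reuse."""
    hosts_by_mac: dict[str, set[str]] = defaultdict(set)
    for lease in leases:
        hosts_by_mac[lease.mac].add(lease.host)
    return {mac: hosts for mac, hosts in hosts_by_mac.items() if len(hosts) > 1}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    for lease in find_unauthorised(leases, AUTHORISED_MACS):
        print(f"UNAUTHORISED  {lease.mac}  {lease.ip}  {lease.host}")
    for mac, hosts in find_mac_hostname_conflicts(leases).items():
        print(f"MAC REUSED    {mac}  hostnames={sorted(hosts)}")
```

Both checks are after-the-fact: a device that copies an authorised MAC and its hostname is invisible to them, which is exactly why the thread points at port-level 802.1x, IPsec domain isolation or NAP for enforcement and leaves DHCP as a source of evidence.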