Kevin, I'm not 100% sure what you're asking. In my situation, we just check if the computer/user has valid domain creds; if not, we quarantine them. Not valid means they are a guest and not my responsibility to back up or patch.

If you are doing full NAC/NAP with remediation, then those products often provide a remediation server that offers patches/links to patches (i.e. latest WIN patches, virus defs). Problem is, if the user/guest doesn't have admin rights, then what? In my opinion, it's just easier to have guest jacks with an air-gapped network (could do VLANing if you prefer) and limited internet access available.

Hope this clarifies some things.

Tim

On Thu, Aug 5, 2010 at 2:26 PM, Dahl, Kevin <[email protected]> wrote:
> How do those of you who are using 802.1x solve the problem with patching
> and/or nightly backups ??
>
> K-Dee
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jody &
> Jennifer McCluggage
> Sent: Thursday, July 29, 2010 8:00 PM
> To: 'PaulDotCom Security Weekly Mailing List'
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> I agree with Tim about recommending 802.1x. You can set it up so that
> the switches will not allow access until the end-user authenticates
> themselves on the network (via Windows RADIUS service, IAS,
> communicating with a domain controller). The 802.1X clients on Windows
> XP SP3 and higher are pretty stable (it will work on lower versions but
> SP3 added some 802.1x improvements). As Tim pointed out, more and more
> embedded devices such as printers are now also supporting 802.1x. For
> other embedded devices (older printers, copiers, UPS, etc.), you can
> utilize MAC address filtering. This is less of an issue with these
> since they tend to be fairly static (i.e.
> they won't be moving around much) and usually have some additional
> compensating physical controls. You will probably want to use MAC
> address filtering with your servers too. 802.1x tends not to work well
> with servers since it requires authentication prior to granting port
> access. If someone has physical access to the ports that your servers
> are using, port
> authentication is the least of your problems!
>
> Also, as Tim said, keep in mind that you are adding some additional
> moving parts so more things can go wrong (802.1x client issues, switch
> issues, or RADIUS server issues - over the years I have had to deal with
> all three at one time or another but nothing real major). That being
> said, except for the occasional minor headache, I have had very few
> issues with it over the years. Also keep in mind that the workstation
> will not have access to the network until the user authenticates with an
> approved domain-level account.
>
> Let me know if you want some examples on how to set up using Cisco
> switches and Windows workstations and RADIUS/domain server.
>
> Jody
>
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Bugbear
> Sent: Thursday, July 29, 2010 9:04 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> First and foremost, get your company policies and procedures in place if
> you have not yet. Also, you will need "buy in" from the support staff
> because their helpdesk calls are going to increase.
>
> With that said, I would look at 802.1x.
>
> Assuming you are a Windows shop and your switches support it (most
> modern switches do), take a look. I have leveraged it somewhat
> successfully. I personally do not do any NAP/NAC (remediation); I just
> very simply use RADIUS to auth the domain computers and domain users.
> If joined to the domain and a member of this group, then they are on the
> production LAN; if not, the switches will dynamically VLAN them to a
> Quarantine VLAN.
>
> What you do with "guests" is up to you from there. You can wait for the
> helpdesk call or you could provide restricted internet access. If the
> latter, consider the appropriate egress filtering, logging, alerting,
> IDS, etc...
> Also consider using PAT to give that network a unique public IP.
> Lastly,
> consult your legal team to draw up some language for "guests" to click
> through via Web Auth/Captive Portal (most modern switches support this
> too).
> The language should note that your Company is not responsible / liable
> and you hold the right to monitor unencrypted traffic on the network
> (careful with what type of monitoring - headers versus full content).
>
> Most printers, scanners, APs etc. support 802.1x these days. An
> alternative (not a very good one) would be port security via the MAC
> addr (but that will only keep the layman off).
>
> Now the part you're probably going to struggle with: the supplicant.
> There are many. MS Windows XP SP3 and above has one built in and
> supports GPO control. There are also products like Juniper/Odyssey and
> Cisco Clean Access (which I think just got EOL).
>
> They all suck (excuse me, have their limitations). The Windows supplicant
> in Windows 7 seems to have been improved quite a bit, however. In XP
> there were issues with legit end users being temporarily flipped to quarantine
> (while RADIUS auths them < the default behavior). Once flipped back,
> the DHCP client will sometimes not get an updated IP for that
> subnet. To date I have not found a workaround, except Windows 7.
>
> Also, if your admins are using logon scripts and not doing so through
> GPO, they will need to, as they will not run post-auth.
>
> Other tech out there includes tracking/alerting after the fact (someone
> being on your network).
>
> Hope this helps
>
> Tim
>
>
>
> On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson
> <[email protected]>
> wrote:
>> I am coming into an environment of over 1000 clients. Everything is
>> set up DHCP except printers and servers. I am trying to work towards a
>> much more secure network but am at a loss of how to start locking down
>> switches and DHCP. I want to make sure no one is plugging in
>> unauthorized devices or rogue devices for that matter, so just
>> wondering how everyone else is securing their networks. As always,
>> pauldotcom listeners are the best and all help is welcomed.
>>
>> TR
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
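The policy the thread describes (domain computer or user in the approved group lands on the production LAN, everything else is dynamically moved to a quarantine VLAN, with a MAC allow-list for printers, copiers and UPS units that cannot run a supplicant) is shown below as an added Python example; it is not code from this thread or from any of the posters. A switch learns the VLAN from the RADIUS Access-Accept through the tunnel attributes of RFC 2868 / RFC 3580, so the block also encodes and parses those attributes. The attribute numbers and enumerations are the standard ones; the VLAN ids, the `AuthContext` fields, and the MAC allow-list are constructed for the example.

```python
import struct
from dataclasses import dataclass

# RADIUS tunnel attributes used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
# Attribute numbers and enumerated values are the standard ones.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed VLAN ids for this example; a real site uses its own.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999

# Constructed MAC allow-list for devices that cannot run a supplicant
# (older printers, copiers, UPS) and are admitted by MAC address instead.
MAB_ALLOWLIST = {
    "00:11:22:33:44:55": "printer-2nd-floor",
    "00:11:22:33:44:66": "ups-server-room",
}


@dataclass
class AuthContext:
    """What the RADIUS server knows once the switch forwards the request (constructed)."""
    identity: str           # user/computer name for 802.1X, MAC address for MAB
    method: str             # "dot1x" (EAP supplicant) or "mab" (MAC authentication bypass)
    domain_member: bool     # credentials validated against the domain?
    in_allowed_group: bool  # member of the AD group that gates the production LAN?


def choose_vlan(ctx: AuthContext) -> int:
    """Thread policy: domain computer/user in the approved group gets the production
    LAN; everything else (guest laptop, non-domain account, unlisted MAC) is quarantined."""
    if ctx.method == "dot1x" and ctx.domain_member and ctx.in_allowed_group:
        return PRODUCTION_VLAN
    if ctx.method == "mab" and ctx.identity.lower() in MAB_ALLOWLIST:
        return PRODUCTION_VLAN
    return QUARANTINE_VLAN


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute-value pair: type octet, total length octet, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a switch expects in an Access-Accept to move the port
    into a VLAN. Tunnel attributes carry a one-octet tag first (0 = untagged);
    integer values occupy the three octets after the tag."""
    return (
        encode_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + encode_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + encode_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def access_accept_attrs(ctx: AuthContext) -> bytes:
    """Attributes to place in the Access-Accept for this session."""
    return tunnel_attrs(choose_vlan(ctx))


def decode_tunnel_attrs(blob: bytes) -> dict:
    """Parse the AVPs back, as the switch side does. A truncated or zero-length
    attribute raises instead of being skipped or looping forever."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        tag, body = value[0], value[1:]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = int.from_bytes(body, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            out[attr_type] = (value if tag > 0x1F else body).decode("ascii")
        i += length
    return out


if __name__ == "__main__":
    for ctx in (
        AuthContext("CORP\\jdoe", "dot1x", True, True),
        AuthContext("visitor-laptop", "dot1x", False, False),
        AuthContext("00:11:22:33:44:55", "mab", False, False),
        AuthContext("de:ad:be:ef:00:01", "mab", False, False),
    ):
        attrs = decode_tunnel_attrs(access_accept_attrs(ctx))
        print(f"{ctx.method:5} {ctx.identity:20} -> VLAN {attrs[TUNNEL_PRIVATE_GROUP_ID]}")
```

The decision and the wire encoding are kept separate on purpose: the policy is what changes per site, while the attribute layout is fixed by the RFCs and is what the switch actually acts on. A quarantine VLAN id the switch does not have configured will fail the port rather than fall open, which is why the ids must match the switch configuration.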
