Thanks Tim..... The remediation server is one option; however, it seems like that would be more geared towards guests, or a guest network. Which, as you say, who cares.....

But... how would I push patches to my own desktops during non-production hours if I have 802.1x implemented on my network? (Assuming users shut down or log out each night)

K-Dee

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bugbear
Sent: Thursday, August 05, 2010 5:31 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Locking down Ports and DHCP

Kevin

I'm not 100% sure what you're asking. In my situation, we just check if the computer/user has valid domain creds; if not, we quarantine them. Not valid means they are a guest and not my responsibility to back up or patch.

If you are doing full NAC/NAP with remediation, then those products often provide a remediation server that offers patches/links to patches (i.e. latest WIN patches, virus defs). Problem is, if the user/guest doesn't have admin rights, then what?

In my opinion, it's just easier to have guest jacks with an air-gapped network (could do VLANing if you prefer) and limited internet access available.

Hope this clarifies some things.

Tim

On Thu, Aug 5, 2010 at 2:26 PM, Dahl, Kevin <[email protected]> wrote:
> How do those of you who are using 802.1x solve the problem with
> patching and/or nightly backups?
>
> K-Dee
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jody &
> Jennifer McCluggage
> Sent: Thursday, July 29, 2010 8:00 PM
> To: 'PaulDotCom Security Weekly Mailing List'
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> I agree with Tim about recommending 802.1x. You can set it up so
> that the switches will not allow access until the end-user
> authenticates themselves on the network (via Windows RADIUS service,
> IAS, communicating with a domain controller). The 802.1X clients on
> Windows XP SP3 and higher are pretty stable (it will work on lower
> versions, but SP3 added some 802.1x improvements).
>
> As Tim pointed out, more and more embedded devices such as printers
> are now also supporting 802.1x. For other embedded devices (older
> printers, copiers, UPS, etc.), you can utilize MAC address filtering.
> This is less of an issue with these since they tend to be fairly
> static (i.e. they won't be moving around much) and usually have some
> additional compensating physical controls. You will probably want to
> use MAC address filtering with your servers too. 802.1x tends not to
> work well with servers since it requires authentication prior to
> granting port access. If someone has physical access to the ports
> that your servers are using, port authentication is the least of your
> problems!
>
> Also, as Tim said, keep in mind that you are adding some additional
> moving parts, so more things can go wrong (802.1x client issues,
> switch issues, or RADIUS server issues - over the years I have had to
> deal with all three at one time or another, but nothing real major).
> That being said, except for the occasional minor headache, I have had
> very few issues with it over the years. Also keep in mind that the
> workstation will not have access to the network until the user
> authenticates with an approved domain-level account.
>
> Let me know if you want some examples on how to set up using Cisco
> switches and Windows workstations and RADIUS/domain server.
>
> Jody
>
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Bugbear
> Sent: Thursday, July 29, 2010 9:04 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Locking down Ports and DHCP
>
> First and foremost, get your company policies and procedures in place
> if you have not yet. Also, you will need "buy in" from the support
> staff because their helpdesk calls are going to increase.
>
> With that said, I would look at 802.1x.
>
> Assuming you are a Windows shop and your switches support it (most
> modern switches do), take a look. I have leveraged it somewhat
> successfully. I personally do not do any NAP/NAC (remediation); I just
> very simply use RADIUS to auth the domain computers and domain users.
> If joined to the domain and a member of this group, then they are on
> the production LAN; if not, the switches will dynamically VLAN them to
> a Quarantine VLAN.
>
> What you do with "guests" is up to you from there. You can wait for
> the helpdesk call or you could provide restricted internet access. If
> the latter, consider the appropriate egress filtering, logging,
> alerting, IDS, etc...
> Also consider using PAT to give that network a unique public IP.
> Lastly, consult your legal team to draw up some language for "guests"
> to click through via Web Auth/Captive Portal (most modern switches
> support this too).
> The language should note that your Company is not responsible / liable
> and you hold the right to monitor unencrypted traffic on the network
> (careful with what type of monitoring - headers versus full content).
>
> Most printers, scanners, APs, etc. support 802.1x these days. An
> alternative (not a very good one) would be port security via the MAC
> address (but that will only keep the layman off).
>
> Now the part you're probably going to struggle with: the supplicant.
> There are many. MS Windows XP SP3 and above has one built in and
> supports GPO control. There are also products like Juniper/Odyssey and
> Cisco Clean Access (which I think just got EOL).
>
> They all suck (excuse me, have their limitations). The Windows
> supplicant in Windows 7 seems to have been improved quite a bit,
> however. In XP there were issues with legit end users being temporarily
> flipped to quarantine (while RADIUS auths them < the default
> behavior). Once flipped back, the DHCP client will sometimes not
> get an updated IP for that subnet. To date I have not found a workaround,
> except Windows 7.
>
> Also, if your admins are using logon scripts and not doing so through
> GPO, they will need to, as they will not run post-auth.
>
> Other tech out there includes tracking/alerting after the fact
> (someone being on your network).
>
> Hope this helps
>
> Tim
>
>
>
> On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson
> <[email protected]>
> wrote:
>> I am coming into an environment of over 1000 clients. Everything is
>> set up DHCP except printers and servers. I am trying to work towards a
>> much more secure network but am at a loss of how to start locking
>> down switches and DHCP. I want to make sure no one is plugging in
>> unauthorized devices or rogue devices for that matter, so just
>> wondering how everyone else is securing their networks. As always,
>> pauldotcom listeners are the best and all help is welcomed.
>>
>> TR
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
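The dynamic-VLAN behaviour Tim describes (domain computer/user goes to the production LAN, anyone else is pushed to a quarantine VLAN) is carried in the RADIUS reply the switch receives. The following is an added example, not code from the thread or from any vendor: it builds the Access-Accept with the RFC 2868 tunnel attributes that switches honour for a VLAN push, and models what the authenticator (switch) does with the reply, including the RFC 2865 Response Authenticator check that stops a reply forged without the shared secret. VLAN numbers, the shared secret and the auth-fail fallback VLAN are made up for the example; the fallback mirrors what a Cisco-style "auth-fail VLAN" setting does but is an assumption about your switch configuration.

```python
import hashlib
import hmac
import struct

# Added example, not from the thread: the RADIUS side of 802.1x dynamic VLAN
# assignment. A supplicant never sees this; it runs between switch and RADIUS.

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                      # RFC 2865 codes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

PRODUCTION_VLAN, QUARANTINE_VLAN = 10, 99   # assumed numbering for the example
AUTH_FAIL_VLAN = 98                          # assumed switch-side fallback for Access-Reject
SHARED_SECRET = b"example-shared-secret"     # constructed; use a long random one for real


def _tagged(attr_type, body, tag=1):
    """RFC 2868 tagged attribute: Type, Length, Tag octet, then the value."""
    value = bytes([tag]) + body
    return bytes([attr_type, 2 + len(value)]) + value


def vlan_attributes(vlan):
    """The three attributes a switch needs before it will move a port to a VLAN."""
    return (_tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))


def radius_response(code, ident, request_auth, attrs, secret):
    """Encode a RADIUS reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_policy(ident, request_auth, domain_member, secret=SHARED_SECRET):
    """Tim's rule: domain computer/user -> production VLAN, anyone else -> quarantine VLAN."""
    vlan = PRODUCTION_VLAN if domain_member else QUARANTINE_VLAN
    return radius_response(ACCESS_ACCEPT, ident, request_auth, vlan_attributes(vlan), secret)


def _parse_attributes(data):
    """Walk the Type/Length/Value list, refusing lengths that run off the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def switch_port_vlan(packet, request_auth, port_vlan, secret=SHARED_SECRET):
    """Model of the authenticator: return the VLAN the port ends up in for this reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        # Forged reply or wrong secret: the port stays unauthorized.
        raise ValueError("bad Response Authenticator")
    if code == ACCESS_REJECT:
        return AUTH_FAIL_VLAN               # only if the switch has such a fallback configured
    if code != ACCESS_ACCEPT:
        raise ValueError("unexpected RADIUS code %d" % code)
    tunnel_type = medium = group_id = None
    for attr_type, value in _parse_attributes(attrs):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is string data, not a tag.
            group_id = (value[1:] if value[0] <= 0x1F else value).decode()
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and group_id:
        return int(group_id)
    return port_vlan                        # Accept without a VLAN push: keep the port's own VLAN


if __name__ == "__main__":
    req_auth = bytes(range(16))             # constructed Request Authenticator
    for member in (True, False):
        reply = radius_policy(1, req_auth, member)
        print("domain member" if member else "guest", "->", switch_port_vlan(reply, req_auth, 1))
```

Access-Reject and a reply with no tunnel attributes are the two cases worth testing on a real switch before rollout: depending on the auth-fail and guest VLAN settings, a rejected host may land in quarantine, keep the port's static VLAN, or get nothing at all, and that is exactly the "legit user flipped to quarantine" symptom Tim mentions for XP clients.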
