Wiseguytr
Hi,
chris_atb

MAC address filtering. This will stop outsiders from stealing IPs unless they're smart enough to change their laptops' MAC addresses to those of the client computers, which I severely doubt. And even if they did, it would make it easier for you to find the culprits.

Another is to use DHCP and bind IPs to MAC addresses, so each machine will only get the IP address that the DHCP server is authorized to give out to that machine.

Wiseguytr

Binding IPs to MAC addresses seems to be a reasonable solution, but they can still exist on the network with unbound IPs of the subnet, on the LAN. Anyhow, if I can bind all addresses accordingly, even if they steal the address, they can't use it. Hence, I don't know if that will do me any good after the user steals the domain server's IP address...

Is there any way of binding them via LAN switches? I'm using 3Com 3C16475BS (manageable).
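The two posts above (MAC-to-IP binding in DHCP, and the objection that a rogue host can still sit on the subnet with an address nobody bound) both come down to one check: compare what is actually on the wire with the table of authorized MAC/IP pairs. The script below is an added example, not code from this thread or from any of the products mentioned. It assumes a Linux gateway (the original poster mentions one) whose `arp -an` output can be fed in, and a bindings table you maintain yourself; all addresses and hostnames are constructed for the example. It also renders that same table as ISC dhcpd `host` reservations, so the DHCP server and the audit share one source of truth.

```python
"""Audit a LAN's ARP table against authorized MAC<->IP bindings.

Added example (not from the thread). Assumes a Linux gateway whose
`arp -an` output is available and a bindings table you maintain.
"""
import re
from collections import namedtuple

# Constructed sample: authorized bindings (MAC -> IP). Hypothetical addresses.
AUTHORIZED = {
    "00:11:22:33:44:01": "192.168.1.2",   # domain controller
    "00:11:22:33:44:10": "192.168.1.10",  # client PC
    "00:11:22:33:44:11": "192.168.1.11",  # client PC
}

# Constructed sample of `arp -an` output as seen on the Linux gateway.
# .10 is answered by a foreign MAC (someone took the client's IP),
# the client's real MAC has moved to .77, and .200 is nobody we know.
ARP_OUTPUT = """\
? (192.168.1.2) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:11 [ether] on eth0
? (192.168.1.77) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.1.200) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.250) at <incomplete> on eth0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ", re.IGNORECASE)

Finding = namedtuple("Finding", "kind ip mac expected")


def parse_arp(text):
    """Yield (ip, mac) pairs from `arp -an` lines; <incomplete> entries are skipped."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def audit(arp_text, authorized):
    """Classify every live ARP entry against the bindings table.

    ip_hijacked  - a bound IP is answered by a MAC other than the one bound to it
    wrong_ip     - a known MAC is using an address it was not bound to
    unknown_host - a MAC that is not in the table at all (unbound IP on the subnet)
    """
    ip_to_mac = {ip: mac for mac, ip in authorized.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip in ip_to_mac:
            if ip_to_mac[ip] != mac:
                findings.append(Finding("ip_hijacked", ip, mac, ip_to_mac[ip]))
        elif mac in authorized:
            findings.append(Finding("wrong_ip", ip, mac, authorized[mac]))
        else:
            findings.append(Finding("unknown_host", ip, mac, None))
    return findings


def dhcpd_reservations(authorized):
    """Render the same table as ISC dhcpd host stanzas (hypothetical host names
    derived from the MAC). `deny unknown-clients;` refuses leases to any MAC
    that has no reservation, so unbound hosts get nothing from DHCP."""
    lines = ["deny unknown-clients;"]
    for mac, ip in sorted(authorized.items(), key=lambda kv: kv[1]):
        name = "host-" + mac.replace(":", "")
        lines.append(f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit(ARP_OUTPUT, AUTHORIZED):
        print(f"{f.kind:13} ip={f.ip:15} mac={f.mac} expected={f.expected}")
    print(dhcpd_reservations(AUTHORIZED))
```

On a real gateway, replace `ARP_OUTPUT` with the output of `arp -an` (or `ip neigh`) and run it from cron. Note what the audit cannot see: a host that configures itself with an unused static address and never talks through the gateway does not appear in the gateway's ARP cache, which is why the switch-port measures discussed further down complement this rather than duplicate it.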

gerald.alaerds

I'm not certain if the following works for 3Com switches, but I know that Cisco switches can be configured with port security. Any port accepts an x amount of MAC addresses and you can control how many, e.g. 1 MAC address. Then you can also define what to do if a different MAC is detected (e.g. shut down the specific port and become active again if the right MAC address is present).
The following link is to the cisco site explaining port security and how to enable it:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00806993ce.html
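To make the "1 versus x MAC addresses" point concrete, here is an added Cisco IOS example (not from this thread, not taken from the linked page, and not 3Com syntax). Interface names and the client MAC are assumed. The first port is pinned to exactly one known MAC and err-disables on any other; the second allows up to three addresses, learns them as they appear ("sticky") and merely drops the offending traffic while logging it. Note that in `shutdown` mode the port does not come back on its own when the right MAC reappears; it stays err-disabled until an admin bounces it or errdisable recovery times out, which the last two lines enable.

```cisco
! Added example: Cisco IOS port security. Assumed interface names and MAC.
interface FastEthernet0/5
 description Client PC - exactly one statically configured MAC
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4410
 switchport port-security violation shutdown
!
interface FastEthernet0/6
 description Desk with a small hub - up to 3 MACs, learned and saved (sticky)
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Recover err-disabled ports automatically after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Check the result with `show port-security interface FastEthernet0/5` and `show port-security address`. Keep in mind what this does and does not buy you: it ties each switch port to its expected MAC(s), so a laptop plugged into a spare port gets nothing, but someone who unplugs a client PC and plugs a laptop with the cloned MAC into the same port is still allowed through. Combined with the DHCP/IP binding discussed earlier, at least that laptop is then confined to that port and that one address.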

Wiseguytr

OK, does this mean that you can only bind one unique MAC to a physical port, or does it mean that only x allowed MACs are allowed to pass through?

Alan0

If you are running a Win2K3 LAN then why wouldn't you be using ISA (2004 or 2006)??

All you need to do is only allow outgoing access through the gateway to the ISA Server, and proxy all outbound internet access through ISA - it is a superb product (IMHO!)

You can create rules for individuals or groups in ISA and have excellent control over what goes out (and hence what gets back in!)

Personally, I wouldn't even consider letting users have direct access outbound using anything other than ISA. Ditch the Linux GW, and put in ISA, then sleep soundly at night!

Alan.

VAbonat

IMO all the suggested ideas are valuable, but they don't cover 100% of what efe.egilmez is looking for. I had the same situation some time ago. Now I'm using the "Barracuda WebFilter 210" web firewall. IMO this is your 100% solution. There are a lot of things to be improved in this device, but after you spend some time it will work well for you. You can apply any Internet-usage policies against your "Authorized" or "Unauthorized" users. So, even if someone steals an IP in your LAN he will be an "Unauthorized" user and his access to the Internet will be controlled automatically by you (Barracuda). On the other hand, I assume you restrict such a user from logging on to your domain. As a result he will stay "in the middle of nothing", unable to do anything more in your LAN. In addition, Barracuda is compatible with LDAP, so it can use your domain usernames and authorization. And it is easy to administer (GUI). The model 210 is the lowest class and is not expensive. There are higher-class models (310, 810), and other vendors like Cisco and Symantec offer their (probably better) solutions, but I'm not that familiar with them. I think this is a good example of a solution for such a situation, especially if you combine it with the switch-port MAC-binding solution proposed earlier by gerald.alaerds.

Hope this helps you!

Alan0

Hi Victor,

Out of interest, and to increase my product knowledge, what does the Barracuda do that ISA doesn't cover?

I don't think there is anything in your post that ISA doesn't cover, but I would be interested in your take on whether it is better than ISA and if so, why?

Thanks,

Alan.

VAbonat

Hi Alan,

I don't assert Barracuda is better. What I mean is: it's not a bad solution for this particular case. As I said, Barracuda is far from perfect, but isn't any MS solution farther? Anyway, as you asked, here are some differences between Barracuda and MS ISA:

1. Simplicity vs. complexity. What is simpler is more reliable ergo: better.
2. Linux-based, hardware-built-in security vs. Windows-based superstructured security. IMO these two concepts are beyond comparison.
3. Price.

IMO the classification as a "better" or "worse" product depends on the particular situation, budget etc. (even if one could do more than the other). So, let's leave it to the question author (who knows the situation better than you and me) to decide what is better for him. We are supposed to help by suggesting more ideas, not to defend particular products, aren't we?

Alan0

Absolutely - I just have no experience of Barracuda so I was looking for a feature comparison to see if I should be looking at moving across.

I agree that cost is a factor, but that wouldn't stop me moving to Barracuda just because it isn't 'free' (not that ISA is completely free - they build it into the price of course).

Always looking for the 'best of breed' solution that fits our budget!

Thanks,

Alan.

Wiseguytr

Hi, thanks for your reply. ISA is not always a good solution. We have a very complex LAN with over 20 servers and 200 users locally and at remote locations. Although I stand beside MS, I do admit that ISA consumes too many resources as well as time. As you are aware, in open source everyone is joint-ventured and there is always a solution. On the other side, on MS, anything except TechNet means $$$ :)