Wiseguytr
Hi,
  • 0 Votes
    chris_atb

    MAC address filtering. This will stop outsiders from stealing IPs unless they're smart enough to change their laptops' MAC addresses to those of the client computers, which I severely doubt. And even if they did, it would make it easier for you to find the culprits.

    Another is to use DHCP and bind IPs to MAC addresses, so each machine will only get the IP address that the DHCP server is authorized to give out to that machine.

    0 Votes
    Wiseguytr

    Binding IPs to MAC addresses seems a reasonable solution, but they can still exist on the network with unbound IPs of the subnet, on the LAN. Anyhow, if I can bind all addresses accordingly, even if they steal the address, they can't use it. Hence, I don't know if that will do me any good after the user steals the domain server's IP address...

    Is there any way of binding them via LAN switches? I'm using 3Com 3C16475BS (manageable).

    0 Votes
    gerald.alaerds

    I'm not certain if the following works for 3Com switches, but I know that Cisco switches can be configured with port security. Any port accepts x MAC addresses and you can control how many, e.g. 1 MAC address. Then you can also define what to do if a different MAC is detected (e.g. shut down the specific port and make it active again if the right MAC address is present).
    The following link is to the Cisco site explaining port security and how to enable it:
    http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00806993ce.html

    0 Votes
    Wiseguytr

    OK, does this mean that you can only bind one unique MAC to a physical port, or does it mean that only x allowed MACs are allowed to pass through?

    0 Votes
    Alan0

    If you are running a Win2K3 LAN then why wouldn't you be using ISA (2004 or 2006)?

    All you need to do is only allow outgoing access through the gateway to the ISA Server, and proxy all outbound internet access through ISA - it is a superb product (IMHO!)

    You can create rules for individuals or groups in ISA and have excellent control over what goes out (and hence what gets back in!)

    Personally, I wouldn't even consider letting users have direct access outbound using anything other than ISA. Ditch the Linux GW, and put in ISA, then sleep soundly at night!

    Alan.

    0 Votes
    VAbonat

    IMO all the suggested ideas are valuable, but they don't cover 100% of what efe.egilmez is looking for. I had the same situation some time ago. Now I'm using a "Barracuda WebFilter 210" web firewall. IMO this is your 100% solution. There are a lot of things to be improved in this device, but after you spend some time it will work well for you. You can apply any Internet-usage policies against your "Authorized" or "Unauthorized" users. So, even if someone steals an IP in your LAN he will be an "Unauthorized" user and his access to the Internet will be controlled automatically by you (Barracuda). On the other hand, I assume you restrict such a user from logging on to your domain. As a result he will stay "in the middle of nothing", unable to do anything more in your LAN. In addition, Barracuda is compatible with LDAP, so it can use your domain usernames and authorization. And it is easy to administer (GUI). The model 210 is the lowest class and is not expensive. There are higher class models (310, 810), and other vendors like Cisco and Symantec offer their (probably better) solutions, but I'm not that familiar with them. I think this is a good example of a solution in such a situation, especially if you combine it with the switch-port MAC-binding solution proposed earlier by gerald.alaerds.

    Hope this helps you!

    0 Votes
    Alan0

    Hi Victor,

    Out of interest, and to increase my product knowledge, what does the Barracuda do that ISA doesn't cover?

    I don't think there is anything in your post that ISA doesn't cover, but I would be interested in your take on whether it is better than ISA and, if so, why.

    Thanks,

    Alan.

    0 Votes
    VAbonat

    Hi Alan,

    I don't assert Barracuda is better. What I mean is: it's not a bad solution for this particular case. As I said, Barracuda is far from perfect, but isn't any MS solution further from it? Anyway, as you asked, here are some differences between Barracuda and MS ISA:

    1. Simplicity vs. complexity. What is simpler is more reliable, ergo: better.
    2. Linux-based, hardware-built-in security vs. Windows-based superstructured security. IMO these two concepts are beyond comparison.
    3. Price.

    IMO the classification of a "better" or "worse" product depends on the particular situation, budget etc. (even if one could do more than the other). So, let's leave it to the question author (who knows the situation better than you and me) to decide what is better for him. We are supposed to help by suggesting more ideas, not to defend particular products, aren't we?

    0 Votes
    Alan0

    Absolutely. I just have no experience of Barracuda, so I was looking for a feature comparison to see if I should be looking at moving across.

    I agree that cost is a factor, but that wouldn't stop me moving to Barracuda just because it isn't 'free' (not that ISA is completely free - they build it into the price of course).

    Always looking for the 'best of breed' solution that fits our budget!

    Thanks,

    Alan.

    0 Votes
    Wiseguytr

    Hi, thanks for your reply. ISA is not always a good solution. We have a very complex LAN with over 20 servers and 200 users locally and at remote locations. Although I stand beside MS, I do admit that ISA consumes too many resources as well as time. As you are aware, in open source everyone is joint-ventured and there is always a solution. On the other side, on MS, anything except TechNet means $$$ :)

    0 Votes
    1bn0

    I believe our FortiGate firewall controls net access. Access is based on your network user account login.

    You cannot log on to the network unless the computer is a member of the domain, so you have to log on to the domain. Once you are logged on to the domain, the firewall restricts access based on your user credentials.
    Example: our lunch room computer automatically logs on to a limited user account for local intranet access. No internet access for that user. I log on under my account on the same computer and I can access the internet because I have permission from the firewall/gateway.

    0 Votes
    Wiseguytr

    That would be helpful if it was all about users, but there should be a way of binding usernames to IPs.

    I'm actually trying to stop users bringing in their own laptops and connecting to the LAN. As you're aware, the PCs don't have to be part of the domain to access it.

    They all know the IP pool numbers, so they try over and over again for a free IP address and eventually find one, as not all PCs are alive during the day...

    0 Votes
    nis_india

    I assume you need a solution to restrict internet usage per user; then the solution would be:

    A Linux Squid proxy with domain authentication will ensure that your users are logging on to the domain as well as having a valid IP address, and also allow you to restrict time-based internet browsing.

    Through this you have total control over the situation.

    You can also do much more in Squid.

    Thanks,
    Nishant

    0 Votes
    Wiseguytr

    The main problem is not about internet usage but people tapping into the LAN with laptops or PCs. As they know our IP range, they just pick an IP and enter the network. If he's lucky he'll get past the Squid, or worse, he could even cause an IP conflict with one of the servers...

    0 Votes
    AstroCreep

    If they can change their IP addresses/settings, that means they have local administrative rights on their systems. Change them all to Power Users and this won't be an issue.

    Or, if they are set up as Power Users right now, are they also members of the 'Network Configuration Operators' group? If so, remove them from that group.

    0 Votes
    Wiseguytr

    I hate it, but yes, as some of them use laptops they do have local administrator accounts. But when they are connected to the domain, I've managed to disable NIC config access via GPO.

    If I can set them to local Power Users (I'll check if such a group exists on local accounts) then it's solved... Thanks for the advice.

    0 Votes
    rmathis

    Squid is a nice feature and so is ISA, listed above. If you're that strong about going and doing this, Cisco is the way to go. And very few HP switches can do it as well. Find a few older manageable Ciscos and lock down the ports to match the MACs, along with DHCP tied to MAC. It is still possible to spoof the MAC, but it makes for a much tighter and easier setup for the future.

    Also get them out of the Admin group; there should be no way for them to change their local address. Prohibit the use of personal laptops as well; make users sign an agreement saying they won't bring one in.

    0 Votes
    sgt_shultz

    I haven't read all the posts, but I think your users are gonna figure out pretty quick how to swap NICs.
    I would be looking for a per-user login way to do this. Maybe with IE 'trusted zones' or something.
    Seems to me blacklisting sites by IP address is not getting at the root cause; it's not feeding into the MS domain account way of doing things. I wonder if you would get anywhere emailing MS support with this question...

    0 Votes
    Wiseguytr

    You're 100% right. Although a lot of them are computer illiterates, some of them just keep on moving from switch to switch.

    0 Votes
    CG IT

    That way you can put MAC address security on the switch ports. If someone connects to a switch port where their MAC address isn't supposed to be, the port is turned off until you turn it back on.

    With this setup, you know who is supposed to be on that switch port, and if another computer connects to it, their connectivity will be turned off. Then they have to come to you and tell you they can't connect. Then you know by the security logs on the switch that someone disconnected their computer and plugged in another. You can then get the message out via the employees that they can't swap around NICs or computers, or you'll know.

    0 Votes
    Wiseguytr

    This seems to be the reasonable answer I was looking for. I wonder if you can do that on 3Com's managed Layer 2s...

    On the other side, I was dreaming of software or a box with all my IP and bound MAC tables on it, so that if someone tried to enter the network with an unmatched IP/MAC, it would just cause a direct IP conflict and disable their access...
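An added example, not code from anyone in this thread: the "box with all my IP and bound MAC tables" described above, and the switch-port MAC binding gerald.alaerds and CG IT recommend, both come down to one authorised MAC/IP/port table. The script below audits an observed host list against such a table (flagging foreign MACs, a known host on the wrong IP or wrong port, and two hosts claiming one IP, the server-conflict case), and generates the matching Cisco IOS `switchport port-security` stanzas from the same table. The MACs, IPs, and FastEthernet port names are constructed sample data, and the observed list stands in for what you would parse out of `arp -a` plus the switch's MAC address table; nothing here is specific to the 3Com model named in the thread.

```python
"""Audit observed LAN hosts against an authorised IP/MAC/port binding table.

Added example (not from the thread). All MACs, IPs and port names below are
constructed sample data; the binding table stands in for the DHCP-reservation
list the thread discusses.
"""
import re
from collections import defaultdict

# Authorised bindings: normalised MAC -> (IP, switch port). Constructed.
BINDINGS = {
    "00:11:22:33:44:01": ("192.168.1.10", "Fa0/1"),   # domain controller
    "00:11:22:33:44:02": ("192.168.1.11", "Fa0/2"),   # file server
    "00:11:22:33:44:20": ("192.168.1.50", "Fa0/10"),  # a user's desktop
}

# Constructed observation, as you might build it from `arp -a` plus the
# switch's MAC address table. Mixed MAC notations on purpose.
OBSERVED = [
    ("00:11:22:33:44:01", "192.168.1.10", "Fa0/1"),   # as expected
    ("0011.2233.4420",    "192.168.1.50", "Fa0/10"),  # as expected, Cisco notation
    ("00-aa-bb-cc-dd-ee", "192.168.1.77", "Fa0/15"),  # unknown laptop on a free IP
    ("00:aa:bb:cc:dd:ff", "192.168.1.10", "Fa0/16"),  # unknown laptop using the DC's IP
    ("00:11:22:33:44:20", "192.168.1.50", "Fa0/22"),  # known desktop moved to another port
]


def normalise_mac(mac):
    """Accept 00:11:..., 00-11-... or 0011.2233.4455 and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def to_cisco_mac(mac):
    """aa:bb:cc:dd:ee:ff -> aabb.ccdd.eeff (the notation IOS expects)."""
    digits = normalise_mac(mac).replace(":", "")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def audit(bindings, observed):
    """Return findings as tuples whose first element is the finding type.

    UNKNOWN_MAC  - MAC not in the binding table (a foreign laptop)
    IP_MISMATCH  - known MAC, but using an IP that is not its reservation
    PORT_MOVED   - known MAC, but seen on a switch port other than its own
    IP_CONFLICT  - two or more MACs claiming one IP (the server-conflict case)
    """
    bindings = {normalise_mac(m): v for m, v in bindings.items()}
    findings = []
    ip_owners = defaultdict(set)
    for raw_mac, ip, port in observed:
        mac = normalise_mac(raw_mac)
        ip_owners[ip].add(mac)
        if mac not in bindings:
            findings.append(("UNKNOWN_MAC", mac, ip, port))
            continue
        expected_ip, expected_port = bindings[mac]
        if ip != expected_ip:
            findings.append(("IP_MISMATCH", mac, ip, port))
        if port != expected_port:
            findings.append(("PORT_MOVED", mac, ip, port))
    for ip, macs in ip_owners.items():
        if len(macs) > 1:
            findings.append(("IP_CONFLICT", ip, sorted(macs)))
    return findings


def port_security_config(bindings):
    """Emit a Cisco IOS port-security stanza per bound port: one static MAC
    allowed, port shut down on violation. Generated from the audit's table."""
    lines = []
    for mac, (_ip, port) in sorted(bindings.items(), key=lambda kv: kv[1][1]):
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {to_cisco_mac(mac)}",
            " switchport port-security violation shutdown",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(BINDINGS, OBSERVED):
        print(*finding)
    print(port_security_config(BINDINGS))
```

Run it as-is to see the four findings for the constructed data (two unknown MACs, one moved desktop, one IP conflict on the domain controller's address) followed by the generated stanzas. The caveat rmathis raises still applies to both halves: anyone who can set their laptop's MAC to a bound value passes the audit and the port check alike, so treat this as detection and friction, not as authentication.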

    0 Votes
    CG IT

    They ought to provide port security the same as Cisco switches do, else they wouldn't be competitive with Cisco and no one would buy 3Com managed switches.

    If not, budget some $$ for Cisco managed switches, as they have port security by MAC address.

    0 Votes
    retro77

    Institute a policy that no home PCs can come into work. If you are that secure on your internet access, then you need to be that secure on home PCs. The punishment has to be termination of employment or people won't listen.

    Plus home PCs coming in with who knows what viruses/worms/malware onto your "protected" network: a nightmare waiting to happen.

    0 Votes
    Wiseguytr

    This is of course the most correct solution. But the thing is, you cannot fire a CFO.

    InfoSec policies can be run pretty sharply when working in a corporate company, but in smaller companies rules are obviously bent. The results are disastrous and the IT guys get the blame for it.

    In the end, as you have spelled it out correctly, we're cleaning viruses every day, trying to catch the backdoorers via a registered MAC list...

    Hopeless... My IPsec policy is still awaiting signature...
