[Pauldotcom] Locking down Ports and DHCP
Jody & Jennifer McCluggage
j2mccluggage at adelphia.net
Fri Jul 30 01:59:36 UTC 2010
I agree with Tim about recommending 802.1x. You can set it up so that the
switches will not allow access until the end-user authenticates themselves
on the network (via Windows RADIUS service, IAS, communicating with a domain
controller). The 802.1X clients on Windows XP SP3 and higher are pretty
stable (it will work on lower versions but SP3 added some 802.1x
improvements). As Tim pointed out, more and more embedded devices such as
printers are now also supporting 802.1x. For other embedded devices (older
printers, copiers, UPS, etc.), you can utilize MAC address filtering. This
is less of an issue with these since they tend to be fairly static (i.e.
they won't be moving around much) and usually have some additional
compensating physical controls. You will probably want to use MAC address
filtering with your servers too. 802.1x tends not to work well with servers
since it requires authentication prior to granting port access. If someone
has physical access to the ports that your servers are using, port
authentication is the least of your problems!
Also, as Tim said, keep in mind that you are adding some additional moving
parts so more things can go wrong (802.1x client issues, switch issues, or
RADIUS server issues - over the years I have had to deal with all three at
one time or another but nothing real major). That being said, except for
the occasional minor headache, I have had very few issues with it over
the years. Also keep in mind that the workstation will not have access to
the network until the user authenticates with an approved domain level
Let me know if you want some examples on how to set up using Cisco switches
and Windows workstations and RADIUS/domain server.
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Bugbear
Sent: Thursday, July 29, 2010 9:04 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Locking down Ports and DHCP
First and foremost get your company policies and procedures in place if you
have not yet. Also, you will need "buy in" from the support staff because
their helpdesk calls are going to increase.
With that said, I would look at 802.1x.
Assuming you are a Windows shop and your switches support it (most modern
switches do), take a look. I have leveraged it somewhat successfully. I
personally do not do any NAP/NAC (remediation), I just very simply use
Radius to auth the domain computers and domain users.
If joined to the domain and a member of this group then they are on the
production LAN; if not, the switches will dynamically VLAN them to a
What you do with "guests" is up to you from there. You can wait for the
helpdesk call or you could provide restricted internet access. If the latter,
consider the appropriate egress filtering, logging, alerting, IDS, etc.
Also consider using PAT to give that network a unique public IP. Lastly,
consult your legal team to draw up some language for "guests" to click
through via Web Auth/Captive Portal (most modern switches support this too).
The language should note that your company is not responsible / liable and
you hold the right to monitor unencrypted traffic on the network (careful
with what type of monitoring - headers versus full content).
Most printers, scanners, APs, etc. support 802.1x these days. An alternative
(not a very good one) would be port security via the MAC addr (but that will
only keep the layman off).
Now the part you're probably going to struggle with: the supplicant.
There are many. MS Windows XP SP3 and above has one built in and supports
GPO control. There are also products like Juniper/Odyssey and Cisco Clean
Access (which I think just got EOL'd).
They all suck (excuse me, have their limitations). The Windows supplicant in
Windows 7 seems to have been approved quite a bit however. In XP there were
issues with legit end users being temp flipped to quarantine (while RADIUS
auth's them < the default behavior). Once flipped back, the DHCP client
will sometimes not get an updated IP for that subnet. To date I have not
found a workaround, except Windows 7.
Also, if your admins are using logon scripts and not doing so through GPO,
they will need to, as they will not run post-auth.
Other tech out there includes tracking/alerting after the fact (someone
being on your network).
Hope this helps.
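To make the setup both posters describe concrete (802.1x against a Windows RADIUS server with a fallback VLAN for unauthenticated ports, plus MAC port security for printers and servers), here is an added Cisco IOS configuration sketch; it is not from anyone in the thread. The RADIUS address 192.0.2.10, the shared secret placeholder, VLAN 10/99 and the interface names are all assumed.

```cisco
! Added example, not any poster's config. Assumed: RADIUS/IAS at 192.0.2.10,
! production VLAN 10, quarantine/guest VLAN 99, printer or server on Gi1/0/24.
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows RADIUS to push the VLAN per user/machine
! (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>)
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME-SECRET
dot1x system-auth-control
!
! Workstation port: require 802.1x; a failed or absent supplicant lands in VLAN 99
! (older IOS spells these "dot1x port-control auto", "dot1x guest-vlan 99",
!  "dot1x auth-fail vlan 99")
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Device with no supplicant (older printer, UPS, server): MAC port security,
! one learned ("sticky") address, log and drop anything else rather than err-disable
interface GigabitEthernet1/0/24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Uplinks and trunks get neither 802.1x nor port security.
```

Verify with "show authentication sessions" (or "show dot1x all") and "show port-security interface Gi1/0/24"; the RADIUS server's own logs show which VLAN each session was assigned.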
On Wed, Jul 28, 2010 at 5:36 PM, Tyler Robinson <pcimpressions at gmail.com>
> I am coming into an environment of over 1000 clients; everything is
> set up DHCP except printers and servers. I am trying to work towards a
> much more secure network but am at a loss as to how to start locking down
> switches and DHCP. I want to make sure no one is plugging in
> unauthorized devices or rogue devices for that matter, so just
> wondering how everyone else is securing their networks. As always,
> pauldotcom listeners are the best and all help is welcomed.
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com