Network Access Controls

Tags:
Network management software
Networking
Product/service procurement
Remote management
Security management
Hello,

Many times an unknown node attaches itself to our internal LAN without the proper controls and then spreads a virus or has malware potential. It is not so much a problem with domain members, but rather at Layer 2-3 where the DHCP connection occurs and any machine can access the network. I am trying to find out how best (efficiently and cost-effectively) to control, or at the least be aware of, new nodes connecting onto a large internal LAN. Restricting new unknown connections can come later. The LAN is made up of several geographic locations, segments and routers and is controlled by different areas. If anyone has a solution, I would really appreciate them sharing it.

Thank you,
John


Discuss This Question: 8  Replies

  • USisBest
    Check out a product from Vistawiz (www.vistawiz.com). I think it could provide a lot of assistance in addressing your problem. We are currently using it for firewall, intrusion detection, VPN, anti-spam, network anti-virus, content, and privacy, but you don't need to implement all of them. It seems to work great and you get to talk with a human if you have issues. Basically, it's an integrated network security device that sits on the edge of your network. The main thing is that it is a managed service. One of the services they offer would allow you to identify and isolate infected PCs before it screws up your entire network. Because the device is relatively cheap, you could deploy them in several locations throughout your network. Pricing appears to be very reasonable, plus you can deploy additional services without having to buy another piece of hardware. That said, I don't think it will handle restricting new unknown connections unless you decided to require/implement a VPN connection. If you try it, let me know how it goes.
    0 points
  • Imaginetsecurity
    You might also look at StillSecure's Safe Access product http://stillsecure.com/products/sa/. Safe Access protects the network by ensuring that endpoint devices are free from threats and in compliance with your IT security policy. Safe Access systematically tests endpoint devices, without the use of a client or agent, for compliance with organizational security policies, quarantining non-compliant machines before they damage the network. It ensures that the applications and services running on endpoint devices (i.e., LAN, RAS, VPN, and WiFi devices) are up-to-date and free of spyware, worms, viruses, trojans, P2P and other potentially damaging software. Devices are either permitted or denied network access or quarantined to a specific part of the network, thus enforcing organizational security standards.
    15 points
  • ElaITgal
    John, you might also check NetCrunch 3 from AdRem Software http://www.adremsoft.com/netcrunch/. You can set alerts to be notified if a new node is discovered in the network. Alerts can be sent to e-mail, cell phone, pager, ICQ, etc. There is a 30-day trial available for download so you may test it in your network to see if this is what you need. You can monitor the ports' status with this product, which might also help you in such situations.
    0 points
  • Etittel
    In a more general sense, you can set most intrusion detection/prevention software to look for activation of hitherto unused ports in attaching to hubs or switches, or for hitherto unknown MAC layer addresses showing up on interfaces used to attach to your networks. Many such products--including the specific items mentioned in earlier replies--provide mechanisms to lock out such connection attempts so that exposure to malware or other unwanted software can be prevented thereby. I'd also urge you to be attentive to the possibility that someone is making use of remote access or remote login capabilities to establish a presence on your network. Fortunately intrusion detection/prevention software usually provides ways to control such access as well and restrict it only to known, invited remote users. HTH, --Ed--
    4,750 points
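Ed's suggestion of watching for hitherto unknown MAC addresses and newly active ports, and ElaITgal's mention of alerting when a new node is discovered, both come down to comparing what the switches currently see against what you expect to be there. The script below is an added example, not code from the original thread or from any of the products named in it. It parses a constructed switch MAC address table, normalises MACs across the dotted, dashed and colon notations, and reports any MAC that is missing from a constructed inventory together with any traffic on ports that carried nothing in the previous snapshot. The table layout, hostnames, MACs and port names are all assumptions made for the example.

```python
"""Added example: alert on unknown MAC addresses and newly active switch ports.

Compares a switch MAC address table snapshot with a known-host inventory
(both constructed for this example) and reports anything not in the inventory,
plus any traffic on ports that were unused in the previous snapshot.
"""
import re

# Constructed sample in the style of a switch "show mac address-table" output.
# VLANs, MACs and ports are made up for this example.
MAC_TABLE = """\
Vlan    Mac Address        Type        Ports
----    -----------        --------    -----
  10    0011.2233.4455     DYNAMIC     Gi1/0/1
  10    0011.2233.4466     DYNAMIC     Gi1/0/2
  20    00aa.bbcc.dd01     DYNAMIC     Gi1/0/7
  20    de:ad:be:ef:00:01  DYNAMIC     Gi1/0/9
"""

# Constructed inventory: normalised MAC -> hostname. Anything else is "unknown".
KNOWN_MACS = {
    "00:11:22:33:44:55": "fileserver01",
    "00:11:22:33:44:66": "wkst-finance-07",
    "00:aa:bb:cc:dd:01": "printer-2f",
}

# Ports that carried no traffic in the previous snapshot (constructed).
PREVIOUSLY_UNUSED_PORTS = {"Gi1/0/9", "Gi1/0/10"}

# One table row: VLAN, MAC (any common notation), entry type, port.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+\S+\s+(\S+)\s*$")


def normalise_mac(raw):
    """Convert 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:22:33:44:55 to one form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header/separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, port = m.groups()
            rows.append((int(vlan), normalise_mac(mac), port))
    return rows


def find_new_nodes(rows, known_macs, previously_unused_ports):
    """Return (reason, mac, vlan, port) alerts for unknown MACs and newly used ports."""
    alerts = []
    for vlan, mac, port in rows:
        if mac not in known_macs:
            alerts.append(("unknown-mac", mac, vlan, port))
        if port in previously_unused_ports:
            alerts.append(("new-port-activity", mac, vlan, port))
    return alerts


if __name__ == "__main__":
    for reason, mac, vlan, port in find_new_nodes(
        parse_mac_table(MAC_TABLE), KNOWN_MACS, PREVIOUSLY_UNUSED_PORTS
    ):
        print(f"{reason}: {mac} on VLAN {vlan} port {port}")
```

In practice you would feed it the real table (collected over SNMP or from the switch CLI on each site's switches) and an export of your asset inventory. The "unknown-mac" alerts are the "be aware of new nodes" list John asked for, and the port alerts catch a device plugged into a wall port that was dead in the last snapshot, which is the first sign of an uncontrolled connection even before the device asks for a DHCP lease.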
  • Johnnyboyleeds
    You could use 802.1x to authenticate PCs actually onto the network, but that may mean upgrading switches etc. With 802.1x, they can't actually get onto the network without the correct credentials. So for example, only your domain members will be able to communicate. You can use your RADIUS logs to see who has been on the network. Depending upon your physical topology, you could secure it as if it is a wireless network. If it is on a particular segment where this happens, you could put that segment behind a RRAS server with ICF on it, only allowing PPTP in and then a user would have to VPN to it to join the network. It would basically result in authorised clients on one subnet and unauthorised clients on another without a route to the 'authorised' subnet. Unless you have issues with people setting their own IP addresses etc, then this could be quite a secure network.
    0 points
  • Howard2nd
    1st - set your DHCP server to use a list of MAC addresses you provide. Not on the list, no IP address. This is more work up front, BUT much safer. Then you can query systems for OS - patch level - antivirus using 3rd party programs before allowing network access.
    30 points
  • Johnnyboyleeds
    While the idea to limit access on a MAC address level in post number 7 above is an interesting one, implementing it via DHCP means it is trivial at best to bypass it. I know several mobile users that use static IP addressing. If you want to prevent access to your LAN, then 802.1x or a physical padlock on the wall port is really the only way to prevent physical access. Disallowing logon to the domain is inadequate as viruses and other malware mentioned in the original question can often spread without domain membership or credentials on the target machine.

    Contrary to popular belief, 802.1x was not actually designed for wireless networks and as such, wired networks can utilise it. You would need network switch(es) that support 802.1x such as http://www.alliedtelesyn.co.nz/support/at8600/info.html and you'd need to do a bit of work on your Windows Servers like installing RADIUS etc. Using 802.1x is a secure method to prevent unwanted/unauthorised access. 802.1x on its own is not totally secure, as a man in the middle attack could be used to break the security and get into the LAN, but this is not an issue as the question was to stop unauthorised PCs from attaching and releasing a malware payload. I don't think we'll see malware doing this kind of attack in the near future.

    The other option would be to use VPNs. However, this would require some work on your infrastructure too. You'd need to put all of the network points on to network segment(s) that were separated from your main LAN by the VPN server. IP addresses would be freely available on the 'public' segment, but they would have no route to the secured LAN. All access would be via the VPN. This is where you gain control. Windows 2000 had limited support for quarantining connections via RRAS and Windows 2003 has a much more beefed up version. You can use scripts to detect if the client has up-to-date antivirus/service packs etc. before allowing the VPN to be completed. If the client is insufficiently secure, it will only give limited access (you'd probably set it to only give access to the resources required to meet the criteria).

    The reason for separating the 'insecure' wall ports from the LAN/VLAN/switch that the secure LAN runs on is to prevent a simple bypass; if all connections on the network were in the same logical LAN, then you would not need a VPN to gain access to the secure subnet, you'd simply change your IP address! So there needs to be some kind of physical barrier and the VPN server would be the link. Used together, 802.1x would prevent unauthorised connections and the quarantine function of RRAS on the VPN gateway would control access dependent upon pre-requisite criteria such as patch level, current AV level etc. You could use the same VPN/quarantine to protect yourself from infected mobile machines (dial up, Internet VPN, WLAN) too.

    A point I'd like to make is that a lot of firewalls, like the new ISA2004, allow you to apply rules and filters to a VPN connection. This means that if a user only needed Terminal Server, webmail, SQL access, or only required access to specific machines, then ISA2004 could easily be set up as the VPN gateway with these rules. This would drastically limit the attack surface for a virus or malware. By simply filtering out RPC, you would prevent a large proportion of these risks.

    The last point worth mentioning is that you cannot rely solely on a single form of protection. You should have AV on the desktop, mail filtering, Internet download filtering and if still required, control over connection to the network. Should desktop AV fail, a download or email filter should prevent infection and vice versa. I use GFI Download Security at several customer sites for the internet download filtering and I think it is very good - I have not found a better product that is so simple to use and configure. I use a selection of mail filtering software, and while I have a personal favourite - or preferred product, there are many that are adequate so I won't mention product names.
    0 points
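Howard2nd's DHCP allowlist and the objection to it above (a static IP sidesteps DHCP entirely) together suggest a check a defender can actually run: find the hosts that are talking on the segment but never obtained a lease. The following is an added example, not code from the original thread. It correlates constructed DHCP server log lines written in the style of ISC dhcpd's syslog output with a constructed `arp -an` table as seen from the segment's gateway. The addresses, hostnames and MACs are made up, and the log format is only an assumption about how a DHCP server reports the leases it hands out.

```python
"""Added example: find hosts that sidestepped a DHCP MAC allowlist with a static IP.

A DHCP server that only leases to listed MACs never hands an address to an
unknown host, but a host that sets its own IP still talks on the segment. This
correlates DHCP server log lines with the gateway's ARP table (both constructed
samples) and reports addresses in use that the DHCP server never leased, or that
are in use by a different MAC than the one they were leased to.
"""
import re

# Constructed sample in the style of ISC dhcpd syslog lines (values made up).
# de:ad:be:ef:00:02 is not on the allowlist, so it asks but is never ACKed.
DHCP_LOG = """\
Jan 12 08:01:03 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 12 08:01:03 dhcp1 dhcpd: DHCPOFFER on 10.0.10.21 to 00:11:22:33:44:55 via eth0
Jan 12 08:01:04 dhcp1 dhcpd: DHCPACK on 10.0.10.21 to 00:11:22:33:44:55 (fileserver01) via eth0
Jan 12 08:05:17 dhcp1 dhcpd: DHCPACK on 10.0.10.34 to 00:11:22:33:44:66 (wkst-finance-07) via eth0
Jan 12 08:07:40 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
"""

# Constructed sample in the style of `arp -an` on the segment's gateway.
ARP_TABLE = """\
? (10.0.10.21) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.10.34) at de:ad:be:ef:00:03 [ether] on eth0
? (10.0.10.99) at de:ad:be:ef:00:02 [ether] on eth0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
ACK_RE = re.compile(r"DHCPACK on " + IPV4 + r" to " + MAC)
ARP_RE = re.compile(r"\(" + IPV4 + r"\) at " + MAC)


def leases_from_log(text):
    """Map leased IP -> MAC from DHCPACK lines; a later ACK for the same IP wins."""
    leases = {}
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac = m.groups()
            leases[ip] = mac.lower()
    return leases


def hosts_from_arp(text):
    """Return the (ip, mac) pairs the gateway currently sees on the segment."""
    hosts = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            ip, mac = m.groups()
            hosts.append((ip, mac.lower()))
    return hosts


def find_bypass(leases, observed):
    """Return (reason, ip, mac) for hosts that are active without a matching lease."""
    findings = []
    for ip, mac in observed:
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append(("no-lease", ip, mac))      # static IP, never leased
        elif leased_mac != mac:
            findings.append(("mac-mismatch", ip, mac))  # leased IP in use by another MAC
    return findings


if __name__ == "__main__":
    for reason, ip, mac in find_bypass(leases_from_log(DHCP_LOG), hosts_from_arp(ARP_TABLE)):
        print(f"{reason}: {ip} is in use by {mac}")
```

A "no-lease" finding is exactly the static-IP bypass described in the reply above; a "mac-mismatch" means an address the DHCP server handed to one MAC is now being used by another, which is worth a look whether it is a misconfiguration or a deliberate attempt to blend in. The allowlist still does its job of keeping unknown hosts out of the lease pool; this check is what tells you when it has been bypassed, and its output is the short list to feed into the 802.1x or VPN-segmentation work rather than a replacement for it.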
  • Larrythethird
    I would also use a firewall between physical locations. You can even go open source, if you have the time to configure them. I work at a multi-national company. Our main office connects to many countries. Many of them are completely virused. Another added option is to block the ports the viruses use. You do have to be careful with this, though. Some network applications use odd ports to function. We block ports 1434, 5554 and 9996, which has helped halt the Slammer and Sasser worms.
    0 points
