
Prevent just plugging into network

Status
Not open for further replies.

csutton

Programmer
Dec 27, 2000
213
US
Hi everyone,

We would like to find a solution that would do the following:

A) Require whenever someone plugs into a network jack, that they need to sign into the network (I would assume a Windows Server at this time).

B) Allow only authorized PCs to access the network (DHCP would be disabled, however someone could still bring their laptop from home and type in an IP address). We want to make it so that even if they type in an IP address, they cannot access anything on the network (printers, other PCs, etc).

C) This should be centrally managed and would prefer if we did not have to install a firewall on each PC on the network to prevent access to them, as they'd still be able to access printers, etc.

Thanks!
 
Most switch manufacturers have some version of Netlogon; this would mean that prior to an IP being assigned the user would have to supply a password. There are also IP management tools where a password must be supplied prior to receiving an IP address from the DHCP server, e.g. Checkpoint's MetaIP. Most switches have the ability to do MAC-level security: if the switch's MAC DB doesn't have the MAC address, it can't access the network. There are a few ideas for you to see which would be the best for your environment.
[cheers]
 
Thank you for your suggestions. The only problem I have about MAC addressing is that it can be spoofed (easily within Windows...)
 
Also, do you know of any specific switches that have that capability? Doing a quick search I wasn't able to find one right away.

Thanks.
 
Just enable 802.1x on your switches; if they support this, they can get their user/pass from a RADIUS server tied to your AD or Windows domain.

802.1x is supported in many major OSes.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Having worked with them for a long time, I'd recommend Cisco Catalyst switches.

They support MAC address lock-down nicely - you can turn off unused ports and whilst the users could still spoof the MAC address, it stops the casual user from accessing your network.

The other thing to consider is physical protection - don't patch in unused data ports and make it difficult for your users to unplug their existing connections - there are a range of Cat5 outlets that can be locked shut to prevent cables being unplugged, and you could always consider locking desktop CPUs into under-desk enclosures.

A security policy also helps - ensure that the staff know that using unauthorised kit on the network is prohibited and carries severe penalties.

Finally, I'd recommend basing all of your network services behind strong authentication to provide the final layer of security.

Hope this helps!

HoinviP
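As an added illustration of the two switch-side controls recommended in this thread (802.1X against a RADIUS server tied to the domain, and MAC lock-down plus disabling unused ports on Cisco Catalyst switches), here is an example Cisco IOS configuration. It is not from any poster in this thread; the RADIUS server address, VLAN numbers, interface names and the shared-secret placeholder are assumed values and must be replaced for a real deployment.

```cisco
! Global AAA: authenticate 802.1X supplicants against a RADIUS server
! (for example, a Windows RADIUS service joined to the AD domain).
aaa new-model
aaa authentication dot1x default group radius
! Assumed RADIUS server address; the key is a placeholder, not a real secret.
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
dot1x system-auth-control
!
! Workstation access port: require 802.1X, and also pin the port to one
! learned MAC address as a second layer. MAC addresses can be spoofed, as
! noted in the thread, but this stops the casual "laptop from home" case
! and the violation is logged so it can be investigated.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Unused ports: administratively down and parked in a dead-end VLAN,
! so plugging into a spare jack yields nothing even before authentication.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Checks an administrator would run after applying this:
! show dot1x all
! show port-security interface FastEthernet0/1
! show port-security address
```

On newer IOS releases the per-port 802.1X lines are `dot1x pae authenticator` and `authentication port-control auto` instead of `dot1x port-control auto`; the overall design (RADIUS-backed 802.1X, one sticky MAC per port, shutdown on violation, spare ports disabled) is the same. A port that shuts down on a violation stays down until an administrator clears it, which is deliberate: it turns an unauthorised plug-in into a visible event rather than a silent one.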
 
You can also have the ends re-terminated so that you need a crossover cable to patch into the network instead of a straight-through.
 
Thank you for all of the suggestions. All have been very helpful in sending us in the right direction!!
 
If you have AD in place, maybe think about an IPsec security policy to encrypt LAN traffic between machines.
 