Stopping people from connecting to the network and network access

Q: Does anyone know whether it is possible to configure a router so that, if an unauthorized computer is plugged into the network, it will be denied access to the Internet?

Would Squid as a transparent proxy account for this? Going by the computer account's domain membership would be good. A kind of MAC address allow list sounds plausible, but would likely not work for us.

Maybe EAP (PEAP or whatever) would be good for this?

Let me know if anyone has found a good solution to this. Basically we have a Windows 2000 domain and do not want anyone to be able to plug in their laptop at work and surf the net.


Re:I'm thinking I may be able to use IPSEC to do this going by an article I found. Anyway I started a thread asking about IPSEC here. (http://{$MySite}/messageview.aspx?catid=36&threadid=1857767&enterthread=y) But, I have another question about EAP-TLS… What do you do about printers? Is it possible for a printer, such as HP 5si or 8100, to authenticate through EAP-TLS?

Re:There are products out there (software based) that you install on your server which require the user to enter a security code before they will be allowed access to the application they are trying to use ... you could set it up so they need this before they can access anything on the network except the security program .. we had this at Verizon to ensure a secure login to certain apps & also if you logged in from home ... unfortunately, I forgot what they called it ... the symbol looks like a lock cylinder

Re:You could put up a proxy server and configure your firewall to only allow the proxy server to access the Internet. Then force machine and user authentication for users on the proxy server (depending on the capabilities of the proxy).

But if you want to deny access to the internal network (which you should), you'll need managed switches. Your two options there are really port-based MAC-address security (which acts like the MAC filter on wireless, except for each port on a switch), or 802.1x. Either way, you'll need managed switches for that.


Re:Is there any way to do this without requiring special switches? Maybe have all computers use an SSL cert and the gateway (and other machines) will not respond unless traffic is signed with that cert?

And I still don't understand how/if this will work if we have managed switches, but not all managed switches.


Re:802.1x with machine certs. You can also require use of something like Cisco's trust agent to ensure configs aren't changed
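Added example, not code from any of the posts: the switch-to-RADIUS leg of the 802.1x login recommended above, with the switch (authenticator) and the RADIUS server as the two sides of the exchange. Everything concrete in it is constructed: the shared secret, the packet identifier, the machine identity host/ws01.corp.example, and the set of authorized machines that stands in for the certificate checks a real EAP-TLS deployment performs over further Access-Challenge round trips. The integrity checks are the ones RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator) require for EAP over RADIUS.

```python
"""Added example (not code from the thread): the RADIUS leg of an 802.1X login.
The switch forwards the supplicant's EAP frame to the RADIUS server inside an
Access-Request; both sides verify RFC 3579 Message-Authenticator and RFC 2865
Response Authenticator before trusting anything. Secret, identifiers, identity
and the EAP frame are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def encode_attrs(attrs):
    """[(type, value)] -> RADIUS TLV bytes (type, length incl. header, value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("value too long: fragment EAP-Message instead")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def _with_message_auth(code, ident, auth_for_hmac, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTH] + [(ATTR_MESSAGE_AUTH, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + auth_for_hmac
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs[:-1] + [(ATTR_MESSAGE_AUTH, mac)])


def build_access_request(ident, request_auth, attrs, secret):
    return _with_message_auth(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def build_response(code, ident, request_auth, attrs, secret):
    # RFC 3579 3.2: a response's Message-Authenticator is computed with the Request
    # Authenticator in the header; the Response Authenticator then covers the result.
    pkt = _with_message_auth(code, ident, request_auth, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_message_auth(pkt, secret, request_auth=None):
    """request_auth=None for requests; the matching Request Authenticator for responses."""
    try:
        attrs = decode_attrs(pkt[20:])
    except (ValueError, IndexError):
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTH]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False  # EAP over RADIUS requires exactly one; discard otherwise
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTH else v) for t, v in attrs])
    auth = pkt[4:20] if request_auth is None else request_auth
    expected = hmac.new(secret, pkt[:4] + auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def verify_response_auth(pkt, request_auth, secret):
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def radius_server(pkt, secret, authorized_machines):
    """Server side: drop anything failing the integrity check, then decide."""
    if pkt[0] != ACCESS_REQUEST or not verify_message_auth(pkt, secret):
        return None
    ident, request_auth = pkt[1], pkt[4:20]
    eap = b"".join(v for t, v in decode_attrs(pkt[20:]) if t == ATTR_EAP_MESSAGE)
    identity = ""
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        identity = eap[5:].decode(errors="replace")
    # Real EAP-TLS continues with Access-Challenge round trips carrying the TLS
    # handshake; the identity lookup here stands in for "machine cert chains to our CA".
    code = ACCESS_ACCEPT if identity in authorized_machines else ACCESS_REJECT
    return build_response(code, ident, request_auth, [], secret)


def run_exchange(secret, identity, authorized_machines, server_secret=None):
    """Switch side: wrap the supplicant's EAP-Response/Identity, send, verify the answer."""
    request_auth = os.urandom(16)
    eap = struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    req = build_access_request(7, request_auth, [
        (ATTR_USER_NAME, identity.encode()),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        (ATTR_EAP_MESSAGE, eap),
    ], secret)
    resp = radius_server(req, server_secret or secret, authorized_machines)
    if resp is None:
        return "discarded"   # server saw a bad or missing Message-Authenticator
    if not (verify_response_auth(resp, request_auth, secret) and verify_message_auth(resp, secret, request_auth)):
        return "forged"      # switch keeps the port closed
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

What this shows for the thread: 802.1x is only as strong as the switch-to-RADIUS leg. The server checks Message-Authenticator before it acts on the EAP payload, so a tampered request or one sent with the wrong secret is silently discarded, and the switch checks both authenticators on the reply, so a forged Accept never opens the port. The certificate handshake itself is not modelled; only the identity leg is.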

Re:Originally posted by: guy
we use an ipcop firewall in transparent mode. it is set up with active directory authentication so in order to browse the internet you have to authenticate with the IPCOP box. no authentication no internet. you can allow or disallow groups and users. it works very well and it's free

When I first posted, this is exactly what I was thinking I wanted, but then anyone with a domain account can plug in a laptop from home and still access the internet from a non-company computer. Or, can ipcop require authentication of the computer account, as opposed to the user account?

Re:Originally posted by: guy

Originally posted by: guy
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.

I see this as a real issue with wireless connections because of the nature of the medium. For example we have a college dorm next to our facility and there's a real chance that they could leech off our connection. However, with WEP and MAC registering, it's easier to prevent unauthorized access to your resources. However, I just have a hard time fathoming someone just waltzing in and jacking in to our network without me knowing. First of all, they have to get a security badge from the admin department and then they have to wait for me or someone else to give them permission to get the job done.

As a theoretical exercise, I think this topic is appropriate for some environments, but in most it's just a matter of amending your company's standard operating procedures. No one should be in the building unless you know who they are and what they're doing.

Our situation is quite different. We have several sites, but are small enough that security (in the physical realm) is virtually non-existent. However, my concern is not so much outsiders as an employee bringing in a laptop from home and plugging it in.


Re:Originally posted by: guy
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.

I see this as a real issue with wireless connections because of the nature of the medium. For example we have a college dorm next to our facility and there's a real chance that they could leech off our connection. However, with WEP and MAC registering, it's easier to prevent unauthorized access to your resources. However, I just have a hard time fathoming someone just waltzing in and jacking in to our network without me knowing. First of all, they have to get a security badge from the admin department and then they have to wait for me or someone else to give them permission to get the job done.

As a theoretical exercise, I think this topic is appropriate for some environments, but in most it's just a matter of amending your company's standard operating procedures. No one should be in the building unless you know who they are and what they're doing.


Re:we use an ipcop firewall in transparent mode. it is set up with active directory authentication so in order to browse the internet you have to authenticate with the IPCOP box. no authentication no internet. you can allow or disallow groups and users. it works very well and it's free

Re:Ouch! OK, ok, ok, sorry! The previous suggestion I listed was only to block someone from getting internet. From your original question it sounded like that was your primary concern, not the overall integrity of your network.

But all the switches would have to be managed. You can block traffic to specific ports, and also control what MACs are attached to what ports, i.e. so even a previously accepted machine won't work if they physically move it to another. Unfortunately, if your central backbone is managed but there are other switches daisy-chained out from there, you lose manageability at that particular port (i.e. you can block the internet traffic to that entire segment, but not to specific machines in that segment). So it may still work depending on your layout.
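Added example, not from the reply above: a small model of the switch port security it describes, with one MAC pinned per port, a violation when a pinned MAC turns up on a different jack, and a raised MAC limit on the port that feeds a daisy-chained unmanaged switch, which is exactly the case where per-machine control is lost. Port names and MAC addresses are constructed; the behaviour mirrors sticky port security with shutdown violation mode on a managed switch.

```python
"""Added example (not the poster's configuration): per-port MAC pinning as
managed-switch port security does it. Ports, MACs and the scenario are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    max_macs: int = 1              # 1 = one device per jack; raise it for a known daisy-chain
    sticky: bool = True            # pin the first MAC(s) seen, like "port-security mac-address sticky"
    allowed: set = field(default_factory=set)
    err_disabled: bool = False     # shutdown violation mode: port stays down until re-enabled


class Switch:
    def __init__(self, ports):
        self.ports = {name: Port(**cfg) for name, cfg in ports.items()}
        self.log = []

    def frame(self, port_name, src_mac):
        """Decide 'forward' or 'drop' for a frame arriving on port_name from src_mac."""
        p = self.ports[port_name]
        src_mac = src_mac.lower()
        if p.err_disabled:
            return "drop"
        if src_mac in p.allowed:
            return "forward"
        # A MAC already pinned to another port is a violation here: moving the box
        # to a different jack does not carry its permission with it.
        for other, q in self.ports.items():
            if other != port_name and src_mac in q.allowed:
                return self._violation(port_name, src_mac, f"pinned to {other}")
        if p.sticky and len(p.allowed) < p.max_macs:
            p.allowed.add(src_mac)
            self.log.append(f"{port_name}: learned {src_mac}")
            return "forward"
        return self._violation(port_name, src_mac, "over max-MAC limit")

    def _violation(self, port_name, src_mac, why):
        self.ports[port_name].err_disabled = True
        self.log.append(f"{port_name}: violation from {src_mac} ({why}), err-disabled")
        return "drop"

    def reenable(self, port_name):
        """What the admin does after walking over to see what was plugged in."""
        self.ports[port_name].err_disabled = False


def scenario():
    """Constructed walk-through; returns the forward/drop decision for each step."""
    sw = Switch({"Gi0/1": {}, "Gi0/2": {}, "Gi0/3": {"max_macs": 3}})
    return [
        sw.frame("Gi0/1", "00:11:22:33:44:01"),  # company PC on Gi0/1: learned, forward
        sw.frame("Gi0/1", "00:11:22:33:44:01"),  # same PC again: forward
        sw.frame("Gi0/1", "00:11:22:33:44:99"),  # laptop from home on that jack: drop, port err-disabled
        sw.frame("Gi0/2", "00:11:22:33:44:01"),  # company PC moved to another jack: drop
        sw.frame("Gi0/3", "00:11:22:33:44:11"),  # unmanaged switch behind Gi0/3: up to 3 MACs pass,
        sw.frame("Gi0/3", "00:11:22:33:44:12"),  # and the switch cannot tell those devices apart
        sw.frame("Gi0/3", "00:11:22:33:44:13"),
        sw.frame("Gi0/3", "00:11:22:33:44:14"),  # fourth device behind it: drop, whole segment down
    ]
```

The model only ever looks at the source MAC, which is the limit of this approach: a device that clones a pinned MAC is forwarded, and a segment behind an unmanaged switch is controlled as one unit. 802.1x ties the port to a credential rather than an address, which is what the other replies are getting at.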


Re:Cisco also has a box solution called "clean access", its from their acquisition of Perfigo.

Works pretty well and isn't as difficult as a full blown 802.1x implementation.


Re:Originally posted by: guy
It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.

Sweet, sounds like that will be the right place to start.

Originally posted by: guy
It might help to know what the size of your company is – as the solutions provided might be more applicable to smaller/large environments as appropriate.

300 computers, about 400 users, in 8 locations, all of which connect back to my office through leased lines.


Re:It might help to know what the size of your company is – as the solutions provided might be more applicable to smaller/large environments as appropriate.

Re:It's a very common problem today. People/vendors/consultants just plugging in and wreaking havoc with worms/viruses/tunneling through a firewall etc.

Normally this is stopped with 802.1x as mentioned. It brings the same kind of security that wireless has to the wired world. You must authenticate before you can communicate with anything.


Re:Originally posted by: guy
It sounds to me like you are trying to solve an HR issue with an IT solution. Good luck.

Exactly. I mean, who can just walk into your place and plug in a computer without you knowing? That's not an IT issue at all. Is there any way someone could get onto the network without your permission (i.e. a college campus)?

Re:guy > No, it's not an HR issue, it's an IT security issue.

I'm probably going to check out 802.1x (that's EAP, isn't it?) and RADIUS. Although does that mean that EVERY switch has to be managed? Or just our central switch (that every computer has to go through to connect to our servers or the internet)? We have almost all Dell switches, but there are some older, cheap switches in various locations.


Re:I had the same fear here at work, so here's what I did. First I configured the Internet Gateway — the router managing the internet connection — to block all internet access to a set range of IPs. (192.168.x.50 to 192.168.x.100) I then configured the DHCP server (a Win2k machine) to only automatically assign IP addresses to that range. Finally I went through and made a list of every computer that needed internet access, then specified address reservations for each of those computers' MAC addresses that was outside that range. (starting at 192.168.x.11 and going up) Windows Server's DHCP server lets you do this. Now when any new computer connects to the network it's automatically assigned an IP address that has no internet access, but I can remove that block simply by adding a new address reservation.

Also, as a failsafe I set up a proxy on a computer outside the access block using LanSuite 602. There's a free version for up to 5 users, if you're interested. Very cool software.
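Added example, not the poster's configuration: a model of the two-range DHCP trick described above, built on the standard-library ipaddress module. The subnet, the quarantine range, the reservations and the MAC addresses are constructed. It also walks through the two ways a non-company laptop gets past it (setting a static address, cloning a reserved MAC), which is the weakness the other replies in this thread point at.

```python
"""Added example (not from the thread): gateway blocks a quarantine range, DHCP
hands unknown MACs addresses inside it, known MACs get reservations outside it.
Subnet, ranges, reservations and MACs are constructed."""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.1.0/24")
# the range the Internet gateway blocks (the post's 192.168.x.50 to .100)
QUARANTINE = (ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("192.168.1.100"))
RESERVATIONS = {  # MAC -> fixed address outside the quarantine range (the post's .11 and up)
    "00:11:22:33:44:01": ipaddress.ip_address("192.168.1.11"),
    "00:11:22:33:44:02": ipaddress.ip_address("192.168.1.12"),
}


def gateway_allows_internet(ip):
    """The router rule: forward anything from the LAN except the quarantine range."""
    ip = ipaddress.ip_address(ip)
    return ip in SUBNET and not (QUARANTINE[0] <= ip <= QUARANTINE[1])


def check_reservations():
    """Config sanity check: every reservation must sit outside the blocked range."""
    return [mac for mac, ip in RESERVATIONS.items() if not gateway_allows_internet(ip)]


def dhcp_offer(mac, leases):
    """Reserved MAC -> its reservation; anyone else -> next free quarantine address."""
    mac = mac.lower()
    if mac in RESERVATIONS:
        return RESERVATIONS[mac]
    if mac in leases:
        return leases[mac]
    for n in range(int(QUARANTINE[0]), int(QUARANTINE[1]) + 1):
        cand = ipaddress.ip_address(n)
        if cand not in leases.values():
            leases[mac] = cand
            return cand
    raise RuntimeError("quarantine pool exhausted")


def client_gets_internet(mac, leases, static_ip=None, spoof_mac=None):
    """Outcome for an honest DHCP client, or one that sets its own IP or MAC."""
    if static_ip is not None:
        ip = ipaddress.ip_address(static_ip)       # bypass 1: ignore DHCP, pick a free address
    else:
        ip = dhcp_offer(spoof_mac or mac, leases)  # bypass 2: clone a reserved MAC
    return gateway_allows_internet(ip)


def scenario():
    """Constructed walk-through of who ends up with Internet access."""
    leases = {}
    return {
        "company_pc": client_gets_internet("00:11:22:33:44:01", leases),
        "unknown_laptop": client_gets_internet("de:ad:be:ef:00:01", leases),
        "unknown_laptop_static_ip": client_gets_internet("de:ad:be:ef:00:01", leases, static_ip="192.168.1.13"),
        "unknown_laptop_cloned_mac": client_gets_internet("de:ad:be:ef:00:01", leases, spoof_mac="00:11:22:33:44:01"),
    }
```

The honest path works as the post describes: a new machine lands in the quarantine range and has no Internet until an admin adds a reservation. Nothing in it stops a laptop that configures its own address or copies a reserved MAC, and none of it keeps that laptop off the internal LAN, which is what the managed-switch and 802.1x replies address.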


Re:guy, use managed switches and do this at the switch level. You also probably don't want non-company laptops talking on your LAN. Look at 802.1x and other MAC/RADIUS port access controls.

Re:Well, here is one way you can do it, assuming you have control over your DHCP server. You can make your pool of available IPs the exact number of devices you have. Then on most routers, even the cheap home ones, you can allow NAT for a specific IP range and deny the others. That would more or less stop anyone from hopping onto the Net. It is both easy to do and requires little adjustment.

Then I would make reservations for all your IP devices in the DHCP reservations lists. (or even make the reservation time very long I suppose, but that can cause other issues)

However, as far as security is concerned, it is still crap. This does not prevent someone from still getting onto your network and being able to transfer information off or out. It just makes it inconvenient. It sounds to me like you are trying to solve an HR issue with an IT solution. Good luck.

