Focus on Microsoft
Dhcp security Jan 19 2005 10:29PM
Paul Aviles (paviles adjoined com)
Re: Dhcp security Jan 21 2005 03:43PM
Bauer, Henry (Henry Bauer lendingtree com)
RE: Dhcp security Jan 21 2005 02:33PM
Shawn Wall (sjwall shaw ca)
Re: Dhcp security Jan 26 2005 11:58PM
Cory Stoker (cory clearnetsec com)

Another interesting idea that is becoming popular is a process called
end-point security. End-point security is kind of a vague term that implies
the end-point (or host) needs to conform to a certain policy in order to be
allowed network resources. Basically so far it boils down to some method of
quarantining devices until they pass a battery of tests. After a device
passes the test it is allowed access. There are quite a few commercial
products and free software packages that follow the end-point security model. Off
the top of my head I can think of:

Cisco NAC (1)
Microsoft NAP (Might not be released yet, maybe in Longhorn??) (2)
Microsoft NAQC (Available in Windows 2003 server) (2)
Perfigo CleanMachines (Bought by Cisco but is different than NAC) (3)
StillSecure SafeAccess (4)
802.1x (Free) (5)
NetReg (Free) (6)

These products implement end-point security in different ways. Some will
set up a quarantine DHCP scope that will host the devices until they are
compliant, then allow the device to obtain a real lease. Of course DHCP
quarantining can be defeated with static IP addresses, but it would stop the
honest user infected with worms, etc. The other main method of
quarantining is to utilize either VLANs or private VLANs on switches to
segregate the end-point device until it is tested and compliant. Then the
end-point device will be moved into the proper VLAN. This method is more
secure in regards to trying to circumvent the quarantining process, but it is
much more involved to implement. Another method, which is a little different
than the other two, is more of a "Scan and Block" method. This is a device
that is inline between the assets you want to protect and the devices you
want to screen. A device cannot pass the inline device until it is
compliant. 802.1x is a standard for authenticating network connections via
EAP over Ethernet; it is not a quarantining method per se, but it would
prevent anyone from connecting to your LAN that does not have a password and
username.

I hope this answers what I think is your problem of "How do I protect
my internal assets from devices that might be 'unclean' on my internal
networks?"

1) http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
2) http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx
3) http://www.perfigo.com/products/index.html
4) http://www.stillsecure.com/products/sa/
5) http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
6) http://www.netreg.com

Blabbing on and on....
--
Cory Stoker

On 1/21/05 7:33 AM, "Shawn Wall" <sjwall (at) shaw (dot) ca [email concealed]> wrote:

> You could reserve every IP address on your DHCP server with MAC addresses
> from your known user base. A pain in the hump for sure. If you have network
> switches capable of L2 security you could lock down the ports to prevent
> unauthorized MAC addresses from connecting to the network to begin with.
>
> HTH
>
> -----Original Message-----
> From: Paul Aviles [mailto:paviles (at) adjoined (dot) com [email concealed]]
> Sent: Wednesday, January 19, 2005 3:30 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Dhcp security
>
> I have a weird question maybe. Is there a way to prevent our DHCP from
> giving leases to computers not in our domain? I don't want anyone that walks
> in to just connect and have the possibility of a network virus getting
> loose. Is this possible?
>
> My setup is a typical AD 2K environment, simple domain no empty root.
>
> Thanks
>
> Paul
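As an added example that is not code from any poster in this thread: a small audit script for the "known user base" approach Shawn describes and the domain-only goal Paul asks about, which reads DHCP server audit-log lines and flags leases handed to MAC addresses outside an allow-list of domain-joined machines. It assumes the Windows DHCP audit-log line layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address, with event 10 = new lease and 11 = renewal); the log lines and the allow-list below are constructed sample data.

```python
import re
from collections import namedtuple

# Constructed sample in the assumed Windows DHCP audit-log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# Event 10 = new lease, 11 = lease renewed; other IDs carry no lease.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/19/05,15:28:00,Started,,,
10,01/19/05,15:30:02,Assign,192.168.1.50,ws01.corp.example,0011223344AA
11,01/19/05,15:31:10,Renew,192.168.1.51,ws02.corp.example,0011223344BB
10,01/19/05,15:32:45,Assign,192.168.1.77,laptop-xyz,00AABBCCDDEE
10,01/19/05,15:33:01,Assign,192.168.1.78,,DEADBEEF0001
"""

# Constructed allow-list of MACs for domain-joined machines; in practice this
# is exported from the asset inventory / AD computer list. Mixed separators
# are deliberate: the real data rarely arrives in one format.
KNOWN_MACS = {"00-11-22-33-44-AA", "00:11:22:33:44:bb"}

Lease = namedtuple("Lease", "event ip host mac")

def normalize_mac(mac):
    """Canonical form: 12 uppercase hex digits, separators removed; None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return digits if len(digits) == 12 else None

def parse_leases(text):
    """Return Lease records for new (10) and renewed (11) lease events only."""
    leases = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 7 or fields[0] not in ("10", "11"):
            continue  # header line, server start/stop, and non-lease events
        mac = normalize_mac(fields[6])
        if mac is None:
            continue  # cannot compare a malformed MAC against the allow-list
        leases.append(Lease(fields[0], fields[4], fields[5] or "<no hostname>", mac))
    return leases

def unknown_leases(text, known_macs):
    """Leases issued to MACs that are not in the domain-joined allow-list."""
    known = {normalize_mac(m) for m in known_macs}
    return [l for l in parse_leases(text) if l.mac not in known]

if __name__ == "__main__":
    for lease in unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print(f"lease to unknown device: ip={lease.ip} host={lease.host} mac={lease.mac}")
```

As Cory notes above, this only sees machines that actually ask DHCP for a lease; a device configured with a static address never appears in the log, so switch-port controls or 802.1x are still needed for that case.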


Copyright 2010, SecurityFocus