
We recently had an issue where a user brought their laptop in from home and plugged it into the network, attempting to get internet access. I know on a port level I could set up MAC restrictions, but I was wondering if there was a way that I could prevent a non-compliant machine from even getting access to our network in the future. We currently run all Windows 7 client machines and I'd like to simply tell it "if not Windows 7, no access", but I'm not sure exactly how to go about that. We are running an AD environment, with Windows Server 2008 and above.

I thought maybe NAP would work, and it appears to have a setting for WinXP (and one for Win7), but it allows me to disallow/allow access based on if it is up to date, if virus protection is on, etc, not if it's Windows XP itself. Is there a way that I could disable anything but what I specify from getting access to the network like this?

Thanks in advance for your help!

Don
  • You need 802.1x to do this right, and this is going to be a major overhaul.... – Michael Hampton Sep 09 '13 at 19:31
  • Agree with the 802.1X. Some switches also allow for quick MAC learning on a port level and lock down to the first x number of MACs (you can set it to 1, for instance, on desktop ports). This could be a simple (albeit frustrating at times) way to lock it down, along with disabling ports not in use. – TheCleaner Sep 09 '13 at 19:37
  • BTW, things like "We recently had an issue where a user brought their laptop in from home and plugged it into the network, attempting to get internet access." while not necessarily prevented by a corporate policy should be in a corporate policy if you plan on enforcing it at any level. – TheCleaner Sep 09 '13 at 19:46
  • Oh I totally agree, TheCleaner, but since I can't/don't control all of the managerial and disciplinary issues, all I can do is try to keep my side as tight as possible in case it happens again. :) I'm with you though. – Don Sep 09 '13 at 19:55
  • Thanks for the suggestion of 802.1x, I'll do some research into that as well. I wasn't sure if there was something available at the server or OS level but thought it was worth checking into as it sounded like something NAP would do (but didn't!). – Don Sep 09 '13 at 19:57
  • You might be able to use OS fingerprinting in the firewall. It depends what sort of firewall you have and if it supports it. – hookenz Sep 12 '13 at 23:39

4 Answers


The credit should go to those who mentioned it above, but 802.1X is the way to control this type of behavior. There is a lot more involved than I have direct experience with, but I use a RADIUS server at home for authentication on my wireless network. With pfSense, it was easy to set up.

codewise

MAC authentication is the weakest type of authentication: MAC addresses can be spoofed in seconds, granting full access to the network. All the user has to do is find out the MAC address of his work laptop and spoof it on his personal laptop, and he has full access to the corporate network.

You should use 802.1x to stop this. Where I work, we deployed it with Cisco switches and a Windows NPS server; only devices that are part of the domain get access to the network. We also used certificates with it.

However, locking a port down by MAC address alongside 802.1x is also a good idea, to prevent MAC flooding attacks. We've locked ports down to 8 MAC addresses to mitigate the risk of a MAC flooding attack.

Adam

Firstly, make sure you disable all network ports that don't need to be used.

And now onto another alternative, which won't work for you but is for people out there to think about. Passive OS fingerprinting may work for someone wanting a solution to this problem who perhaps wants to block non-Windows users, or has a LAN of Mac computers and wants to block anything else.

I'm going to throw it in there as a possible solution that may be suitable for some situations. I still think something like 802.1X is a more robust option though.

It doesn't work because, as far as I can tell, you can't filter with osf on Windows:xp or something... or can you? I can't tell without trying it.

But suppose you just wanted to allow only windows machines.

1) Create a Linux bridge. http://bwachter.lart.info/linux/bridges.html

2) Load the passive OS fingerprint module and use rules like:

iptables -I INPUT -p tcp -m physdev --physdev-in eth0 -m osf --genre Windows --ttl 0 -j ACCEPT

Read more: How to block/allow packets sent by specific Operating System with iptables?

This bridge machine then gets inserted between your network and the router. If you already have a Linux router on the network that you use as your firewall/gateway you could simply add the osf module rules to iptables.

Unfortunately, since OS fingerprinting is based on how an OS sets the initial TTL, window size and a few other bits and pieces in TCP SYN packets, it'll only work with TCP. Also, it can be defeated. So it's not entirely secure.

hookenz
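The passive fingerprinting that the answer above relies on, as an added example in Python (not part of the original answer, and not the xt_osf or p0f code): it parses an IPv4/TCP SYN, derives the (initial TTL, window size, option layout) tuple that p0f-style matchers key on, and applies a "Windows only" policy. The two-entry signature table, the option byte strings, and the sample packets built by build_syn are all constructed for illustration and are not the real p0f database. The demo shows why a packet that has crossed a few routers still matches (the TTL is rounded back up to a common initial value), why a UDP datagram or a SYN-ACK yields nothing, and why a Linux laptop that simply emits the same TTL/window/options is indistinguishable from a Windows box, which is the "it can be defeated" caveat in the answer.

```python
import struct

# Constructed, simplified SYN signatures: (initial TTL, window size, TCP option kinds) -> genre.
# Illustrative only; a real deployment would load the p0f/xt_osf fingerprint file instead.
SIGNATURES = {
    (128, 8192, (2, 1, 3, 1, 1, 4)): "Windows",  # MSS, NOP, WS, NOP, NOP, SACK-permitted
    (64, 5840, (2, 4, 8, 1, 3)): "Linux",        # MSS, SACK-permitted, Timestamp, NOP, WS
}

# Constructed option byte strings matching the two signatures above (MSS 1460).
WIN7_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02"
LINUX_OPTS = b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07"


def parse_tcp_options(raw):
    """Return the tuple of option kinds in wire order (the layout p0f-style matchers compare)."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            kinds.append(0)
            break
        if kind == 1:                      # NOP: one byte, no length field
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        kinds.append(kind)
        i += length
    return tuple(kinds)


def parse_syn(pkt):
    """Extract (ttl, window, option kinds) from an IPv4/TCP SYN; None if it is not a bare SYN."""
    if len(pkt) < 20:
        raise ValueError("short IP header")
    ver_ihl, _tos, _tot, _id, _frag, ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        return None                        # UDP/ICMP carry no SYN signature: the technique is TCP-only
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    _sp, _dp, _seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):   # need SYN set and ACK clear
        return None
    return ttl, window, parse_tcp_options(tcp[20:data_off])


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value (32/64/128/255)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def classify(pkt):
    """Map a packet to a genre: 'not-a-syn' for non-SYN traffic, 'unknown' when nothing matches."""
    fields = parse_syn(pkt)
    if fields is None:
        return "not-a-syn"
    ttl, window, kinds = fields
    return SIGNATURES.get((guess_initial_ttl(ttl), window, kinds), "unknown")


def allowed(pkt, permitted=("Windows",)):
    """The bridge policy from the answer: ACCEPT only SYNs that fingerprint as a permitted genre."""
    return classify(pkt) in permitted


def build_syn(ttl, window, options, src="10.0.0.5", dst="10.0.0.1", flags=0x02):
    """Construct an IPv4+TCP packet for testing (checksums left zero; never sent on the wire)."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 0, (data_off << 12) | flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def demo():
    """Constructed SYNs: a Windows 7 box, the same box three hops away, a Linux box, and a
    Linux laptop whose owner deliberately set the Windows TTL/window/option layout."""
    return {
        "windows_local": classify(build_syn(128, 8192, WIN7_OPTS)),
        "windows_3_hops": classify(build_syn(125, 8192, WIN7_OPTS)),
        "linux": classify(build_syn(64, 5840, LINUX_OPTS)),
        "spoofed_linux_laptop": classify(build_syn(128, 8192, WIN7_OPTS, src="10.0.0.77")),
    }


if __name__ == "__main__":
    for name, genre in demo().items():
        print(f"{name:22s} -> {genre}")
```

The last entry of demo() is the whole caveat in one line: the spoofed laptop's packet differs from the genuine Windows one only in a field the classifier never inspects, so a policy keyed on SYN fingerprints cannot tell them apart. That is why the answer recommends 802.1X, where the decision rests on a credential the client must prove rather than on header values it chooses.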

I would set up MAC filtering, as this is the most secure route, and you can be sure that you are catching everything. Why do you not want to set up a MAC filter?