How to prevent any computer that is not joined to the domain from requesting any service from my network? Considering that the computer is on another network.
-
If the hypothetical attacker is on another network, you should be able to block access with your external firewall. If the hypothetical attacker is on your own network, uh, theoretically I think [IPSec](https://support.microsoft.com/en-nz/help/942957/security-rules-for-windows-firewall-and-for-ipsec-based-connections-in) should be able to do this? – Harry Johnston Jul 18 '18 at 01:44
-
I've recently become familiar with 802.1X. If you have a Cisco infrastructure and Cisco ISE, you can do just what you're describing. ISE can examine the device and see if it has the proper AD certs and if so will let it do whatever you want it to do on the network. Unauthorized users can be dealt with in a number of ways. – nutcase Aug 08 '19 at 16:08
2 Answers
I guess this is not possible on the TCP/IP level. One option is to secure every single service using AD authentication. If a service doesn't support this natively, you can try using a proxy (e.g. SOCKS) that does. Another approach would be on a deeper level, by using 802.1X port-based authentication on the switches. This will require a machine to authenticate itself before the switch "opens" the port. Unauthenticated machines will have no network connection, and therefore no Internet access. It should be possible to use AD as a backend for authentication. You will also need switches that support 802.1X.
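The IPsec "domain isolation" idea from Harry Johnston's comment, and this answer's option of requiring AD authentication in front of every service, can both be done on Windows itself with Windows Firewall connection security rules: the server only accepts inbound connections from peers that prove a domain computer identity via Kerberos. This is an added example, not code from the question or the answers; the rule display names and the ICMP exemption are assumptions, and it must be run elevated on a domain-joined host.

```powershell
# Added example (not from the question or answers): Windows Firewall IPsec
# domain isolation. Only computers that can authenticate with a domain
# machine Kerberos ticket get past the firewall; everything else is dropped.

# Phase 1 (main mode) authentication: the peer must prove a *computer*
# identity with Kerberos, which only domain/forest members can do.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName "Require domain computer (Kerberos)" `
    -Proposal $kerb

# Connection security rule: REQUIRE IPsec authentication for inbound traffic,
# only REQUEST it outbound so this host can still talk to non-domain services
# (DNS forwarders, vendor appliances) without breaking them.
New-NetIPsecRule -DisplayName "Domain isolation - require inbound auth" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.InstanceID -Profile Domain

# Firewall allow rule that matches only IPsec-authenticated inbound
# connections. With the default inbound action left at Block, a non-domain
# machine never reaches the service; it fails at the IPsec negotiation.
New-NetFirewallRule -DisplayName "Allow authenticated domain computers" `
    -Direction Inbound -Action Allow -Authentication Required -Profile Domain

# Assumed exemption: keep ICMP echo unauthenticated so monitoring and
# troubleshooting from non-domain hosts still works (drop this if not wanted).
New-NetFirewallRule -DisplayName "Allow ICMPv4 echo (unauthenticated)" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow `
    -Authentication NotRequired -Profile Domain

# Check: after a domain member connects, a main mode SA should exist for it;
# a non-domain host produces no SA and its connection attempts are dropped.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Roll this out via Group Policy to the whole server estate rather than host by host, and test with `-InboundSecurity Request` first so an authentication problem does not cut off legitimate domain clients.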
The problem is that TCP/IP doesn't identify what AD domain packets are from. To my knowledge there is no firewall on the market that would facilitate creating a rule that says "only allow traffic from sources that are members of the AD domain MYCORP.COM". The firewall would have to have credentials on the source domain and would have to query AD for each new IP address - this would be painfully slow.
What you CAN do is to identify the IP addresses or subnets of authorized users, create a group that contains these users, and create a rule that says "allow machines in this group to access my network". This isn't a trivial task unless you are conversant with TCP/IP and firewalls. My thought is that you should consider hiring a consultant.