The following is the ITKnowledge Exchange Tip of the Week for Oct. 18, 2004.
Question from member "surfnturf"
Many times an unknown node attaches itself to our internal LAN without the proper controls and then spreads a virus or has malware potential. It is not so much a problem with domain members, but rather at layer 2-3 where the DHCP connection occurs and any machine can access the network. I am trying to find out how best (efficient and cost effective) to control, or at the least be aware of new nodes connecting to a large internal LAN. Restricting new unknown connections can come later. The LAN is made up of several geographic locations, segments and routers and is controlled by different areas. If anyone has a solution, I would really appreciate it.
Several members responded to this question in ITKE. Here is one member's detailed advice.
Response from member "johnnyboyleeds"
If you want to prevent access to your LAN, then 802.1x or a physical padlock on the wall port is really the only way to prevent physical access.
While the idea to limit access on a MAC address level (as posted by another member) is an interesting one, implementing it via DHCP means it is trivial at best to bypass it. I know several mobile users that use static IP addressing.
Disallowing logon to the domain is inadequate as viruses and other malware mentioned in the original question can often spread without domain membership or credentials on the target machine.
Contrary to popular belief, 802.1x was not actually designed for wireless networks and as such, wired networks can utilize it. You would need network switch(es) that support 802.1x such as
and you'd need to do a bit of work on your Windows Servers like installing RADIUS, etc.
Using 802.1x is a secure method to prevent unwanted/unauthorized access. On its own, it's not totally secure, as a man-in-the-middle attack could be used to break the security and get into the LAN, but this is not an issue as the question was to stop unauthorized PCs from attaching and releasing a malware payload. I don't think we'll see malware doing this kind of attack in the near future.
The other option would be to use VPNs. However, this would require some work on your infrastructure, too. You'd need to put all of the network points on to a network segment(s) that was separated from your main LAN by the VPN server. IP addresses would be freely available on the 'public' segment, but they would have no route to the secured LAN. All Access would be via the VPN. This is where you gain control. Windows 2000 had limited support for quarantining connections via RRAS and Windows 2003 has a much more beefed up version. You can use scripts to detect if the client has up-to-date antivirus/service packs, etc., before allowing the VPN to be completed. If the client is insufficiently secure, it will only give limited access. (You'd probably set it to only give access to the resources required to meet the criteria.)
The reason for separating the 'insecure' wallports from the LAN/VLAN/Switch that the secure LAN runs is to prevent a simple bypass; if all connections on the network were in the same logical LAN, then you would not need a VPN to gain access to the secure subnet, you'd simply change your IP address! So there needs to be some kind of physical barrier and the VPN server would be the link.
Used together, 802.1x would prevent unauthorized connections and the quarantine function of RRAS on the VPN gateway would control access dependent upon prerequisite criteria such as patch level, current AV level, etc.
You could use the same VPN/Quarantine to protect yourself from infected mobile machines (dial-up, Internet VPN, WLAN), too.
A point I'd like to make is that a lot of firewalls, like the new ISA 2004, allow you to apply rules and filters to a VPN connection. This means that if a user only needed Terminal Server, Web mail, SQL access, or only required access to specific machines, then ISA 2004 could easily be set up as the VPN gateway with these rules. This would drastically limit the attack surface for a virus or malware. By simply filtering out RPC, you would prevent a large proportion of these risks.
The last point worth mentioning is that you cannot rely solely on a single form of protection. You should have AV on the desktop, mail filtering, Internet download filtering and, if still required, control over connection to the network. Should desktop AV fail, a download or e-mail filter should prevent infection and vice versa. I use GFI Download Security at several customer sites for the Internet download filtering and I think it is very good -- I have not found a better product that is so simple to use and configure. I use a selection of mail filtering software, and while I have a personal favorite -- or preferred product, there are many that are adequate so I won't mention product names.
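The original question asks, at a minimum, to be aware of new nodes appearing on the LAN, and the response above points out that a DHCP-based MAC check is bypassed by any machine using a static address. The following script is an added example, not part of the ITKE thread or any product mentioned in it. It reconciles two views of one segment: a DHCP lease file and an ARP table dump. A host that never requested a lease is invisible to the DHCP view but still appears in ARP once it talks on the wire, so it is reported as "arp-only". The allow-list, lease lines (dnsmasq-style layout) and ARP output (mimicking Windows `arp -a`) are all constructed sample data; the function and variable names are this example's own.

```python
"""Flag LAN nodes whose MAC address is not on an allow-list.

Added example for the "be aware of new nodes" question. Two sources are
combined so that a static-IP host (no DHCP lease) is still noticed:
  - DHCP lease lines   : expiry  mac  ip  hostname  client-id
  - ARP table dump     : Windows `arp -a` style rows
All data below is constructed for the example.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed allow-list of corporate-owned adapters.
KNOWN_MACS: Set[str] = {"00:0c:29:aa:bb:01", "00:0C:29:AA:BB:02"}

# Constructed DHCP lease file (dnsmasq-style field order).
DHCP_LEASES = """\
1098057600 00:0c:29:aa:bb:01 10.0.1.10 ws-finance-01 *
1098057600 00:0c:29:aa:bb:02 10.0.1.11 ws-finance-02 *
1098057600 00:50:56:12:34:56 10.0.1.57 laptop-guest *
"""

# Constructed ARP dump. 10.0.1.200 has no lease: a static-IP host.
ARP_TABLE = """\
Interface: 10.0.1.1 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.10             00-0c-29-aa-bb-01     dynamic
  10.0.1.11             00-0c-29-aa-bb-02     dynamic
  10.0.1.57             00-50-56-12-34-56     dynamic
  10.0.1.200            00-1b-21-de-ad-01     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

_MAC_RE = r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
_ARP_ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(" + _MAC_RE + r")")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated, so '-' and ':' styles compare equal."""
    return mac.strip().lower().replace("-", ":")


def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast MACs (low bit of first octet set); never a real node."""
    return int(normalize_mac(mac)[:2], 16) & 1 == 1


def parse_dhcp_leases(text: str) -> Dict[str, Tuple[str, str]]:
    """Map ip -> (mac, hostname) from lease lines; malformed lines are skipped."""
    leases: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not re.fullmatch(_MAC_RE, fields[1]):
            continue
        leases[fields[2]] = (normalize_mac(fields[1]), fields[3])
    return leases


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map ip -> mac from an arp dump, dropping broadcast/multicast rows."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        match = _ARP_ROW.search(line)
        if match and not is_group_address(match.group(2)):
            table[match.group(1)] = normalize_mac(match.group(2))
    return table


def find_unknown_nodes(
    known: Set[str], leases: Dict[str, Tuple[str, str]], arp: Dict[str, str]
) -> List[Dict[str, Optional[str]]]:
    """Return records for every MAC seen on the segment that is not on the allow-list.

    A MAC seen via DHCP is reported with its lease hostname; a MAC seen only in
    ARP is reported as 'arp-only', which is how a static-IP host surfaces.
    """
    allowed = {normalize_mac(m) for m in known}
    seen: Dict[str, Dict[str, Optional[str]]] = {}
    for ip, (mac, host) in leases.items():
        seen.setdefault(mac, {"mac": mac, "ip": ip, "hostname": host, "source": "dhcp"})
    for ip, mac in arp.items():
        seen.setdefault(mac, {"mac": mac, "ip": ip, "hostname": None, "source": "arp-only"})
    unknown = [rec for mac, rec in seen.items() if mac not in allowed]
    return sorted(unknown, key=lambda r: tuple(int(o) for o in str(r["ip"]).split(".")))


if __name__ == "__main__":
    for rec in find_unknown_nodes(KNOWN_MACS, parse_dhcp_leases(DHCP_LEASES), parse_arp_table(ARP_TABLE)):
        print(f"{rec['ip']:<15} {rec['mac']}  {rec['source']:<9} {rec['hostname'] or '-'}")
```

Run against a real segment, the lease file would come from the DHCP server and the ARP dump from the segment's router or a switch's MAC table; the DHCP source alone would have missed 10.0.1.200 entirely, which is the gap the response describes.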
Start your own discussion
Do you have a Windows security dilemma that needs quick attention? Talk about it in ITKE.
About the ITKnowledge Exchange
ITKnowledge Exchange is a place where IT pros can share ideas, expertise and get answers to their technical and strategic questions. It provides direct access between groups or individuals who are grappling with similar IT issues in a safe and seamless environment.