Prevent unauthorized users from gaining network access?
Just curious: How do people "lock down" their network to prevent unauthorized devices from gaining network access?
Is it different in a DHCP vs. static IP network?
What about Windows AD managed?
Edit: I'm not trying to prevent anything per se. Just curious how a "secure" network should be implemented
Solution 1:
Implement 802.1x authentication on your network, and/or disable all your unused switch ports.
DHCP, Static IPs, and AD have very little to do with your security from an outsider trying to gain access.
If you don't want to flat-out disable the ports, I'd suggest putting all "extra" switch ports in a VLAN that has its own DHCP server and doesn't route to anything else on your network. Then monitor that DHCP server for any leases and track down where people are randomly plugging in. If you really want, you could set up a captive portal on that VLAN explaining why they aren't able to browse the internet.
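As an added example (not part of the original answer), here is the monitoring half of that quarantine-VLAN setup in Python: it parses an ISC `dhcpd.leases` file, keeps only leases in `binding state active`, and joins each MAC to the port reported in the switch's MAC address table so you know which jack to walk to. Both inputs are constructed samples embedded inline; the IPs, MACs, hostnames, VLAN number (999) and port names are invented, and the table format assumed is Cisco IOS `show mac address-table` output.

```python
import re
from dataclasses import dataclass

# Constructed sample of an ISC dhcpd.leases file from the quarantine VLAN's
# own DHCP server. Addresses, MACs and hostnames are invented for this example.
SAMPLE_LEASES = """\
lease 10.99.0.23 {
  starts 3 2024/05/08 09:12:44;
  ends 3 2024/05/08 21:12:44;
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "unknown-laptop";
}
lease 10.99.0.24 {
  starts 3 2024/05/08 10:02:01;
  ends 3 2024/05/08 22:02:01;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:cc;
}
lease 10.99.0.25 {
  starts 3 2024/05/08 11:30:12;
  ends 3 2024/05/08 23:30:12;
  binding state active;
  hardware ethernet d4:be:d9:11:22:33;
  client-hostname "DESKTOP-ABC123";
}
"""

# Constructed sample of `show mac address-table vlan 999` output from a
# Cisco IOS style access switch. VLAN 999 is the (assumed) quarantine VLAN.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 999    001a.2b3c.4d5e    DYNAMIC     Gi1/0/14
 999    d4be.d911.2233    DYNAMIC     Gi1/0/22
"""


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    state: str


LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated hex, whatever the input style
    (dhcpd writes 00:1a:2b:3c:4d:5e, Cisco prints 001a.2b3c.4d5e)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Parse dhcpd.leases. Later blocks for the same IP supersede earlier ones,
    which is how dhcpd itself interprets the file."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if not (state and mac):
            continue  # incomplete block (e.g. a lease without a hardware address)
        leases[ip] = Lease(ip, normalize_mac(mac.group(1)),
                           host.group(1) if host else "", state.group(1))
    return list(leases.values())


def parse_mac_table(text):
    """Map each learned MAC to the switch port it was seen on."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\w+\s+(\S+)", line)
        if m:  # header and separator lines do not match
            ports[normalize_mac(m.group(2))] = m.group(3)
    return ports


def active_quarantine_devices(leases_text, mac_table_text):
    """Active leases on the quarantine VLAN, each joined to its switch port."""
    ports = parse_mac_table(mac_table_text)
    return [
        {"ip": l.ip, "mac": l.mac, "hostname": l.hostname,
         "port": ports.get(l.mac, "unknown")}
        for l in parse_leases(leases_text) if l.state == "active"
    ]


if __name__ == "__main__":
    for d in active_quarantine_devices(SAMPLE_LEASES, SAMPLE_MAC_TABLE):
        print(f"{d['ip']:<14} {d['mac']}  {d['hostname'] or '-':<16} port {d['port']}")
```

In practice you would feed this the real lease file and the output of the switch command (over SSH or SNMP) from a cron job and alert on any row; on a VLAN that is supposed to be empty, every active lease is by definition something to go and look at.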
Solution 2:
Secure from what? Locked down to prevent what?
- What is the proposed threat that you're trying to mitigate against?
- How much can your theoretical legitimate users be inconvenienced in the aim of security?
- (kinda linked to the previous point) what is the value of the stuff being protected?
- what is the cost / consequences of a breach? Will people die? Will businesses go bankrupt?
I'm not being pedantic by the way, these are just some of the questions you must answer before you can begin locking anything down. The security needed to keep my employer's data safe is different from that needed to keep a bank safe, or to protect sensitive data relating to military deployments, for example.
I can tell you that to prevent users casually connecting to a network whose security I care about to some degree I might implement 802.1x security, but depending on their answers to the questions above I might need to do a lot more than that. Or a bit less.
Solution 3:
Windows Domain Isolation will isolate your Windows nodes with IPsec, preventing access to them from anyone connecting to the network who is not part of the domain.
By also requiring user/personal authentication or simply domain membership to get past any firewalls, you've further restricted what a plugger-in can do.
There are bound to be vulnerable nodes though, like printers on the printer network, where physical security will still be important for preventing someone from just plugging in.
Simply segmenting the network as much as possible will also help make it more robust.
In combination with 802.1x though you'd get something fairly decent, though 802.1x is sadly not bullet-proof in its wired form.
As usual with security; depth and many layers is the way to go.
Solution 4:
All the DHCP-based, MAC-based, and IP-based access control solutions can be easily defeated by spoofing them, and hence are the least effective.
Creating VLANs is a cheap method to limit network access. It has its own limitations and weaknesses.
802.1x authentication is a switch-based port control method and will work for small organizations most of the time. It would, however, fail in cases where a person starts using, say, a printer's switch port, which is generally left open.
In the last few years a new kind of appliance/device/solution has come to the market, which implements NAC (Network Access Control), and some of them do use 802.1x. These devices/solutions require a user to authenticate and also limit the access of the users to only the resources that are required to do their daily job. A printer would not, say, get SSH access to a server. Therefore, the printer's port is of less value to a user now.
Solution 5:
AD management has very little to do with preventing network access. It controls who can log into resources, if they're managed by AD, but it won't stop a device from connecting to your network. Neither will using DHCP or static IPs, unless you're also doing filtering based on Ethernet MAC addresses.
Can you explain more thoroughly the kind of access you're trying to prevent? This question is pretty broad in scope, and could take years to cover thoroughly. ;)