
Network Security Security-Basics

Re: Wired security improvements

Subject: Re: Wired security improvements
Date: Fri, 4 Jan 2008 02:49:22 -0800 (PST)

http://www.packetfence.org/

--- Jesse Rink <jesse-rink@wi.rr.com> wrote:

Hello all.

I was hoping for some feedback on some improvements I'm hoping to make at a couple of clients as it relates to their wired network.

A bit of a background...

I do support for several K12 school districts. This, by its nature, changes the typical way security needs to be planned for and implemented. Obviously the biggest change is the mindset that the biggest security threat comes from the inside as opposed to coming from the outside.

In particular I am looking at ways to minimize the potential of being exposed when it comes to students having accessibility to the physical network when they bring in their own laptops. Some schools I do work for have a policy in place that restricts students/staff from bringing in laptops. Some schools I do work for have a policy which allows students/staff to bring in laptops.

The concern I am looking to address is finding a method to prevent students/staff from bringing in their laptop, plugging it into an active port and getting on the network. My concern is that a user who brings in a non-controlled device will have the ability to run whatever hacking/cracking tools they want, man-in-the-middle attacks, etc. My experience with these tools tells me I only need 5 minutes at the most to start getting usernames and passwords from Kerberos hashes - I've done it and it was surprisingly easy. At that time, I can take my laptop offline, go home, and crack passwords easily enough. I have spoken at length with Aaron Royhans about this (he is a member on this mailing list) and we have come up with the same summation for the most part, so I feel as if I'm on the right track at least.

The following 5 methods are, as far as I see it, the potential options I have:

1. Lockdown switchports by individual MAC addresses
2. Implementing IPSec
3. 802.1x on the Wired network
4. A NAC device (HP, Cisco, etc.)
5. MAC Authentication via RADIUS

I have put together a small spreadsheet detailing what I see, in MY environments, as pros and cons of each method. Pros and cons include everything from how effective the solution is, to cost involved, to time involved, to ease of installation and continued support thereafter, etc.

I need to implement something for approximately 500-900 wired computers, depending on the size of the client. Costs need to be kept low. Time investment needs to be kept low. Those are the main priorities; however, I'm considering all options and avenues.

As of now, I am leaning towards MAC Authentication via a RADIUS server, followed by IPSec. Ideally, I would like to implement both options in tandem to complement each other: MAC Authentication via RADIUS to keep them off the network, IPSec to keep the communications secure.

I believe MAC Authentication via RADIUS is an ideal choice for us because it seems like it would be the easiest of the methods to implement, with a minimal amount of configuration required and overhead. Set up the ports on the switches, add the MAC addresses to Active Directory, configure my IAS server and that's pretty much a wrap. We pretty much effectively limit port access to the network unless that MAC can be authenticated. Yes, I realize MACs can be spoofed, but a student would first have to KNOW the reason they're being prevented access to the network is because of MAC-based authentication. I think it's a stretch to think a student would guess that. Possible - sure.

IPSec seems like a good option as well, but it doesn't prevent physical access to the network at all. It merely requires that both parties, client and server, communicate securely. If one doesn't, then there's no access. I am still a bit concerned that "man-in-the-middle attacks" could potentially happen even with IPSec, however, based on what I've read...

I have a lot of experience with 802.1x in a wireless environment and it works great. In a wired environment, I think it can add a LOT of complexities I'm not ready to tackle, especially when it comes to imaging, and clients/OSes that don't have a supplicant. It's also a complete PITA to get up and running, test fully, etc. So while I think it's a much better option than MAC Authentication via RADIUS as far as security is concerned, I personally feel the rewards are outweighed by the additional cost/setup/testing to get a fully wired 802.1x infrastructure in place.

A NAC device seems like a nice option. But cost can be outstanding. I'm currently evaluating an HP NAC 800. Seems to do everything I'd want, but again, cost... cost... cost. Especially when you add in the appropriate licensing required on the clients. Likely would be $20,000 or more.

If you want to shed your $.02 on this, feel free. I ask however that you first go to http://www.w3si.org/securitymethods.xls and view the spreadsheet I put together with pros/cons. Again, this is based on MY environments so it may not coincide with environments you've seen in your travels.

Thanks for reading.

Jesse
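Editor's added example, not part of the thread and not code from PacketFence, IAS or any switch vendor: what option 5 above (MAC Authentication via RADIUS, usually called MAC authentication bypass or MAB) actually exchanges, and why the "MACs can be spoofed" concession is the whole weakness. A MAB-capable switch sends a RADIUS Access-Request in which User-Name and User-Password both carry the client MAC (that is what lets an IAS server check it against an AD account named after the MAC), with the MAC repeated in Calling-Station-Id. The server reveals User-Password per RFC 2865 section 5.2, normalizes the MAC (vendors format it with colons, dashes or dots), and checks a registration list. The shared secret, the registered MACs and the three clients are constructed for the example; mab_policy is a simplified stand-in for the IAS policy, not IAS itself, and the exact MAC formatting a given switch uses is an assumption. The third client has cloned a registered PC's MAC and is accepted exactly as the real PC is.

```python
import hashlib
import os
import re
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

SHARED_SECRET = b"example-secret"  # constructed; would be the switch/RADIUS secret
# Constructed registration list: MACs of district-owned PCs, in mixed admin-pasted formats.
REGISTERED = {"00-1A-2B-3C-4D-5E", "0011.2233.4455"}

def normalize_mac(raw):
    """Accept colon, dash, dot or bare formats; return 12 lowercase hex digits, else None."""
    digits = raw.lower().replace(":", "").replace("-", "").replace(".", "")
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, mac, secret, authenticator=None):
    """Switch side of MAB for a port with no 802.1X supplicant: User-Name and User-Password
    both carry the MAC, Calling-Station-Id repeats it (vendor formatting assumed as given)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, mac.encode()),
                         (USER_PASSWORD, hide_password(mac.encode(), secret, authenticator)),
                         (CALLING_STATION_ID, mac.encode())):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value} for the TLVs after the 20-byte RADIUS header; reject bad lengths."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def mab_policy(packet, secret, registered):
    """Server-side decision (stand-in for the IAS policy). Returns (reply code, reason)."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return ACCESS_REJECT, "not a well-formed Access-Request"
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    user = normalize_mac(attrs.get(USER_NAME, b"").decode(errors="replace"))
    csid = normalize_mac(attrs.get(CALLING_STATION_ID, b"").decode(errors="replace"))
    if user is None or csid is None or user != csid:
        return ACCESS_REJECT, "User-Name is not the MAC in Calling-Station-Id"
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    if normalize_mac(password.decode(errors="replace")) != user:
        return ACCESS_REJECT, "User-Password is not the MAC (wrong shared secret, or not a MAB request)"
    allowed = {normalize_mac(m) for m in registered}
    if user not in allowed:
        return ACCESS_REJECT, "MAC %s is not registered" % user
    return ACCESS_ACCEPT, "MAC %s is registered" % user

def demo():
    """Three constructed clients plugged into MAB-enabled ports; returns {label: reply code}."""
    clients = (("district-owned pc", "00:1a:2b:3c:4d:5e"),
               ("student laptop, own MAC", "70:a1:b2:c3:d4:e5"),
               ("student laptop cloning the pc's MAC", "00-1A-2B-3C-4D-5E"))
    results = {}
    for ident, (label, mac) in enumerate(clients, start=1):
        request = build_access_request(ident, mac, SHARED_SECRET)
        results[label] = mab_policy(request, SHARED_SECRET, REGISTERED)[0]
    return results

if __name__ == "__main__":
    for label, code in demo().items():
        print("%-40s %s" % (label, "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject"))
```

Nothing in the exchange binds the MAC to the device: the server only ever sees the value the switch copied out of the frame's source address, so a laptop that reads a lab PC's MAC off its label (or off a quick sniff of the port) and sets it on its own NIC gets the same Access-Accept. That is also why the normalization step matters in practice: a registration list kept in one format and a switch that sends another produces rejects for legitimate machines, and the usual fix (loosening the match) widens, never narrows, what is accepted.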




