Blocking unauthorised access to network

Discussion in 'Windows Server' started by Peter, Feb 23, 2005.

  1. Peter

    Peter Guest

    I have an academic network and I would like to stop users bringing in devices
    and connecting to my network, allowing them to browse the network and also
    surf the web.
    Is there any way, with DHCP or some other utility, that I can control who receives
    access to my systems, either by IP address or some other method?

    Any help in this matter will be gratefully received

    Regards

    Peter
     
    Peter, Feb 23, 2005
    #1

  2. Mark Gamache

    Mark Gamache Guest

    There are two common ways of doing this in the Windows world. I'll skip the
    really neat open-source solutions, seeing how you are posting in an MS
    newsgroup.

    The first solution is to create IPSec policies that force users to
    authenticate all connections on your network. By blocking access to the net
    with an ISA server that only allows authenticated connections, you keep the
    unauthenticated users out. This works well in a homogeneous Microsoft
    network, but you may have some problems with Linux, UNIX and Macs. Assuming
    you work out all the minor kinks with other OSes, it secures your servers etc.
    and access out to the net. However, it doesn't actually keep people off of
    your network. It just keeps them from doing much with it. Two unauthorized
    users can still connect, get IP addresses and communicate with each other as
    well as gather information about your network.

    The second solution is 802.1X. It provides authentication of the
    connection, but no encryption of the content crossing the network. It keeps
    a connection from even getting an IP address or seeing the network until
    after the user or computer has been authenticated. This solution requires
    supplicant software on each workstation. This is included in XP and Windows
    2000 SP4. Additionally, your switches have to support 802.1X. However, many
    switches that are already in place support it.

    Either technology will get you well on your way to achieving your goal. In
    a perfect world, I'd recommend both.

    Cheers,
     
    Mark Gamache, Feb 23, 2005
    #2

  3. Matt Gibson

    Matt Gibson Guest

    It depends.

    You could use MAC address filtering, but that's trivial to get around.

    You'd probably have to use client certificates which were tied to legit
    workstations, but that's a daunting task to set up correctly.

    Matt Gibson - GSEC
     
    Matt Gibson, Feb 23, 2005
    #3

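Peter asked whether DHCP can be used to control who gets onto the network, and Matt's point is that anything keyed on MAC addresses is trivial to bypass. What DHCP data is still good for is visibility: comparing the leases the server hands out against an inventory of devices the site actually issued, so an unknown device shows up in a report even if nothing blocks it. The script below is an added example, not code from any poster in this thread. The log lines are constructed; their column layout (`ID,Date,Time,Description,IP Address,Host Name,MAC Address`, with event ID 10 for a new lease and 11 for a renewal) is modelled on the Windows DHCP server audit log with its descriptive preamble omitted, and the `KNOWN_MACS` inventory is an assumed allowlist that in practice would come from an asset database.

```python
"""Report DHCP leases granted to devices missing from a known-device inventory.

Added example for this thread. The sample log and inventory are constructed;
the CSV layout follows the Windows DHCP audit log (preamble omitted), where
event ID 10 is a new lease and 11 is a renewal.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample: two known lab machines, one unknown laptop, one
# service event (ID 00) that carries no lease information.
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,02/23/05,09:15:22,Assign,10.1.2.50,lab-pc01.example.edu,00AABBCCDD01,
11,02/23/05,09:16:03,Renew,10.1.2.51,lab-pc02.example.edu,00AABBCCDD02,
10,02/23/05,09:20:41,Assign,10.1.2.77,laptop,0011223344FF,
00,02/23/05,00:00:00,Started,,,,
"""

# Assumed inventory of MAC addresses the site has issued (constructed here;
# in practice exported from the asset register). Stored in normalised form.
KNOWN_MACS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}

# Audit-log event IDs that represent a client actually holding an address.
LEASE_EVENTS = {"10", "11"}


def normalise_mac(raw):
    """Turn '00AABBCCDD01' or '00-aa-bb-cc-dd-01' into 'xx:xx:xx:xx:xx:xx'.

    Returns None when the value does not contain exactly 12 hex digits, so
    malformed entries are not silently matched against the inventory.
    """
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class UnknownLease:
    ip: str
    mac: str
    hostname: str
    when: str


def find_unknown_leases(log_text, known_macs):
    """Return every lease/renewal whose MAC is not in known_macs."""
    unknown = []
    reader = csv.DictReader(StringIO(log_text))
    for row in reader:
        if row["ID"] not in LEASE_EVENTS:
            continue  # service start/stop and similar rows carry no client
        raw_mac = row["MAC Address"] or ""
        # An unparseable MAC is reported as-is rather than dropped.
        mac = normalise_mac(raw_mac) or raw_mac
        if mac in known_macs:
            continue
        unknown.append(UnknownLease(
            ip=row["IP Address"],
            mac=mac,
            hostname=row["Host Name"],
            when=f'{row["Date"]} {row["Time"]}',
        ))
    return unknown


if __name__ == "__main__":
    for lease in find_unknown_leases(SAMPLE_DHCP_LOG, KNOWN_MACS):
        print(f"{lease.when}  unknown device {lease.mac} "
              f"({lease.hostname or 'no hostname'}) got {lease.ip}")
```

Run against the real audit log (for example the `DhcpSrvLog-*.log` files on the server, after stripping the preamble) this gives the admin a daily list of addresses handed to devices nobody issued. It is detection only: a visitor can set any MAC they like, which is exactly why Matt calls MAC filtering trivial to get around, so enforcement still belongs to the 802.1X or IPsec approaches Mark describes.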