Re: Unauthorized workstation connections to network...
From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 02/07/05
- Previous message: Steven L Umbach: "Re: SSLinstall problem"
- In reply to: Mark Gamache: "Re: Unauthorized workstation connections to network..."
- Next in thread: Steve Clark [MSFT]: "Re: Unauthorized workstation connections to network..."
- Reply: Steve Clark [MSFT]: "Re: Unauthorized workstation connections to network..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 7 Feb 2005 14:16:24 -0800
I have to take issue with the 802.1X bashing.
First of all, the writer was asking specifically about keeping connections
off of the network. IPSec doesn't do that, not even a little. IPSec is
fantastic and if I were planning infrastructure from the ground up, I'd use
it and 802.1X. With IPSec, an attacker still has layer 2 access and can
perform arp redirection and thus sniff Kerberos and NTLM authentication to
harvest weak passwords. If your IPSec policy is based on PKI, obviously
there is no option for that.
Second, there is only one documented attack against 802.1X which requires
the person being attacked to not notice a hub that has been added under
their desk or the DoS when that attacker clones their MAC and uses their
session.
I would appreciate any comments on this (from you MS folks especially). I
think understanding the limitations and overall scope of a technology
solution is important. It seems that the debate is often framed as IPSec
vs. 802.1X, which I think is unfair to both technologies. Assuming that an
organization's networking gear is semi-up-to-date, it's likely they already
have everything they need to implement 802.1X. The MS whitepaper on wired
802.1X makes a compelling case.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:%23Wn7iexCFHA.328@tk2msftngp13.phx.gbl...
> I hate to contradict Stuart's post, but IPSec will not keep unauthorized
> connections off of your network. IPSec protects communications with
> authentication and encryption. It is a fantastic protocol, however it has
> no control over network port access. With IPSec running, an unauthorized
> machine can still connect to and use your IP infrastructure.
>
> Additionally, IPSec is a bit more difficult than the link suggests. You
> will need to make exceptions for Domain controllers, DNS server and DHCP
> servers. If you have a lab and are willing to take the time, it's not
> overly complex, but there are quite a few little gotchas.
>
> 802.1X on the other hand blocks traffic from crossing a port until the
> connected user or machine is authenticated. It however provides no
> encryption.
>
> Cheers,
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
>
> "Stuart Mackie [MCSE MCSA]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
> wrote in message news:uKYSLwwCFHA.3376@TK2MSFTNGP12.phx.gbl...
>> Hi Gary. You could implement IPSec so that only authenticated
>> workstations & servers could communicate. Since you're in a domain
>> environment IPSec with Kerberos would be the best combination, although
>> you could use Certificates as well if required. Some IPSec deployment
>> guides can be found on http://www.microsoft.com/ipsec. IPSec is quite
>> straight forward to implement, the link below is a step by step guide for
>> implementing IPSec on Windows 2000
>>
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>>
>> You should also make sure an acceptable use policy is made available to
>> pupils, employees etc and they are aware of the consequences if they are
>> broken.
>>
>> --
>> Hth,
>> Stuart Mackie
>> www.stu.uk.com
>> MCSE: Sec MCSA: Sec
>>
>> "Mark Gamache" <mark.gamache@css-security.com> wrote in message
>> news:%234uMIvvCFHA.868@TK2MSFTNGP10.phx.gbl...
>>> only a technology like 802.1X can keep unauthorized connections off of
>>> the network. It requires a switch that is compliant and an IAS server.
>>>
>>> Cheers,
>>>
>>> --
>>> Mark Gamache
>>> Certified Security Solutions
>>> http://www.css-security.com
>>>
>>> "GaryH" <hornbeck@siskiyous.edu> wrote in message
>>> news:uRfOrSvCFHA.2600@TK2MSFTNGP09.phx.gbl...
>>>> Hello all,
>>>> From time to time we see workstation connections to the network that
>>>> are not joined to the domain. Does anyone know how these machines can be
>>>> bumped off the network?
>>>> Thanks,
>>>> Gary
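The message above argues that IPSec alone leaves an attacker with layer 2 access, from which ARP redirection can be used to capture Kerberos and NTLM exchanges. The following is an added example, not code from the thread or its participants, showing the defender-side check for that risk: a small Python detector that replays ARP replies from a feed (here a constructed sample of "timestamp ip mac" lines, not a real capture) and flags any reply that rebinds a known IP to a different MAC, plus any MAC that claims more than one IP. The line format and the addresses are assumptions made for the example; a real deployment would feed it from a sniffer or the switch's ARP inspection log.

```python
"""Detect ARP redirection (cache poisoning) in a stream of ARP replies.

Added example for the thread above, not the poster's code. It tracks the
IP -> MAC bindings seen on a segment the way an ARP cache would and reports
the two footprints of a redirection: an IP whose MAC changes, and a MAC that
claims several IPs (for instance the gateway and a victim at once).
"""

from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample events, not a real capture. The assumed format is
# "<unix_ts> <sender_ip> <sender_mac>", one ARP reply per line. The gateway
# 10.0.0.1 is legitimately 00:11:22:33:44:01; from ts 1107813005 another
# station (…:99) announces itself as both the gateway and workstation .20.
SAMPLE_LINES = """\
1107813000 10.0.0.1 00:11:22:33:44:01
1107813001 10.0.0.20 00:11:22:33:44:20
1107813002 10.0.0.1 00:11:22:33:44:01
1107813005 10.0.0.1 00:11:22:33:44:99
1107813006 10.0.0.20 00:11:22:33:44:99
1107813007 10.0.0.1 00:11:22:33:44:01
"""


def parse_line(line):
    """Parse one 'ts ip mac' line into an ArpReply (MAC normalised to lower case)."""
    ts, ip, mac = line.split()
    return ArpReply(int(ts), ip, mac.lower())


def detect_rebinding(lines):
    """Return (ts, ip, old_mac, new_mac) for every reply that changes a binding.

    The first MAC seen for an IP is trusted, as a real cache would trust it.
    A later reply carrying a different MAC is reported, and the binding is
    updated so that the legitimate host re-announcing itself shows up as a
    second alert (the flapping pattern typical of an active redirection).
    """
    bindings = {}
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        reply = parse_line(line)
        known = bindings.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            alerts.append((reply.ts, reply.sender_ip, known, reply.sender_mac))
        bindings[reply.sender_ip] = reply.sender_mac
    return alerts


def suspect_macs(lines):
    """Return the set of MACs that claimed more than one IP address."""
    claimed = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        reply = parse_line(line)
        claimed[reply.sender_mac].add(reply.sender_ip)
    return {mac for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    events = SAMPLE_LINES.splitlines()
    for ts, ip, old, new in detect_rebinding(events):
        print(f"{ts}: {ip} moved from {old} to {new}")
    for mac in sorted(suspect_macs(events)):
        print(f"{mac} claims multiple IPs")
```

On the sample feed the detector reports three rebindings (the gateway taken over, the workstation taken over, and the gateway flapping back) and names 00:11:22:33:44:99 as the only MAC claiming more than one address. Neither check needs the poisoned hosts to notice anything, which is the point: the signal is on the wire, so it can be collected from a span port or from a switch with dynamic ARP inspection regardless of whether IPSec is in use.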