6

I recently took over managing my church's IT resources. Previously it was managed by nobody and so was subject to any random person or vendor's half-baked idea for building out the network. Right now we have a wired network and a wireless network on separate partitions; the wireless one is for public use and the wired is for our actual work network.

The biggest problem right now is that anybody with an ethernet cable can plug in to any port and get instant access to our internet connection and any unsecured resources on the network, including printers, non-password-protected shares, domain directory listings, etc. I've tried to look up some information on this but apparently I don't know the right terminology and so haven't found much of anything helpful.

What are my options for locking down our wired network so that users who don't log in to the domain can't access any of these things? (If it's of relevance, our server is running Windows Server 2k3 and does contain an Active Directory controller; our network hardware consists of a set of Cisco switches and a Cisco 881 router, which pumps both the wired and wireless network.)

Ant
  • 163
  • 3
  • 1
    Have a look at 802.1x: http://en.wikipedia.org/wiki/IEEE_802.1X and http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html – jwbensley Dec 02 '13 at 13:22
  • based on the comment about virus infections, you may want to look into network access control solutions – Mike Pennington Dec 02 '13 at 14:53
  • Thanks. You three have given me much good stuff to think about. The NAC idea looks really attractive (granted, I haven't seen the prices yet). – Ant Dec 02 '13 at 15:10

2 Answers

6

There are a couple of options for you, depending on how much money and time you want to invest.

At the complex/high end, you can configure 802.1X authentication so that only domain users can access the wired network. This involves buying/building a RADIUS server, tying that to your domain controller and configuring the switch to query the RADIUS server whenever a port is connected.

I am assuming you have a small network with fewer than 30 users. I also assume that your "office" users don't move around very much (i.e., their computers are on desks).

In this case, a simpler option would be to disable all the unused ports, or configure them for the "guest" network. Either way, a visitor will not get access to your servers. The downside, of course, is that when you have new users, or you move furniture around, you will have to reconfigure those ports. For a small number of infrequent moves, this shouldn't be a burden.

If I may move slightly off-topic, I'm willing to bet your biggest security concern isn't really unprotected ethernet ports. People who attack networks usually do so to steal money, so your efforts should be directed at protecting the church's financial assets. Make sure your online banking is secure and money can't be transferred out without some sort of verification. You might also invest in some anti-malware/spam filtering to reduce the chance of inadvertently downloading software designed to steal bank info.

The case of a person plugging into your network in order to steal something isn't very likely to happen. There are more important threats out there to worry about.

Sorry for the digression.

Ron Trunk
  • 66,852
  • 5
  • 65
  • 126
  • The threat that we've been dealing with honestly has nothing to do with the threat of *people* trying to steal financial data, but rather with volunteers bringing in their own computers, replete with malware and trojans and the like, and plugging in to our network with nothing to stop them from inadvertently infecting other machines. (This scenario plays out with some frequency, to be truthful.) Locking down our network helps stop this because it pushes them to use our own computers, which have all the requisite filtering/antivirus/antispam protections in place. – Ant Dec 02 '13 at 14:02
  • In which case, I think configuring your unused ports to be on the guest network is the simplest, most effective way to go. – Ron Trunk Dec 02 '13 at 14:05
  • 1
    That will definitely be the first step. I may add 802.1X anyway because my experience is that some people won't think twice about unplugging and using another computer's network cable if they're convinced they should have access to our network. – Ant Dec 02 '13 at 14:06
  • 2
    @ant, as an interim measure consider adding port-security to your user ports since it will forbid mac addresses from migrating across ports on the same switch – Mike Pennington Dec 02 '13 at 15:18
  • I would like to add to Ron: if your network is small, you can disable the DHCP server for the Ethernet ports and only enable it for the wireless, and set a static IP on any PC within your network. You can do this in case you don't want to spend. – sikas Dec 02 '13 at 21:55
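Ron Trunk's 802.1X option and Mike Pennington's interim port-security suggestion, written out as an added Cisco IOS configuration (this is not code from either answer or from Cisco's documentation). It assumes a Catalyst access switch, a RADIUS server at 10.0.0.10 (on Windows Server 2003 that would be the built-in IAS role, joined to the domain so it can check Active Directory group membership), VLAN 10 for staff and VLAN 20 for the public network; the addresses, VLAN numbers, port ranges and shared secret are placeholders.

```cisco
! --- Added example (hypothetical addresses/VLANs); adapt to your switch model and IOS version ---
! Global: point the switch at the RADIUS server (IAS on the Server 2003 box, placeholder IP)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! Let a port that was err-disabled by a port-security violation recover by itself after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! User-facing ports: require 802.1X, fall back to the guest VLAN for devices that never answer
! the EAP request, and pin each port to the first MAC address it learns (the interim measure).
interface range FastEthernet0/1 - 8
 description STAFF - 802.1X authenticated
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! 802.1X: on older IOS the keywords are "dot1x port-control auto" / "dot1x guest-vlan 20";
 ! newer IOS (12.2(50)SE and later) uses "authentication port-control auto" and
 ! "authentication event no-response action authorize vlan 20" instead.
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 20
 ! port-security: one sticky MAC per port; "restrict" drops frames from any other MAC and logs,
 ! "shutdown" (the default) err-disables the port instead
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Uplink to the router: carries only the two VLANs that are supposed to exist
interface GigabitEthernet0/1
 description UPLINK to Cisco 881
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Verification (output not reproduced here):
!   show dot1x all                 -> per-port authentication state (older IOS)
!   show authentication sessions   -> same on newer IOS
!   show port-security             -> learned/sticky MACs and violation counts
```

Two practical points: the domain-joined PCs need the wired 802.1X supplicant enabled (on Windows that is the Wired AutoConfig service, which Group Policy can start and configure), otherwise they land in the guest VLAN like any other unknown device; and the guest VLAN fallback is exactly what handles the infected-volunteer-laptop case from the comments, because a machine that cannot authenticate gets internet only and never reaches the servers, provided the router's ACL between VLAN 20 and VLAN 10 actually blocks that traffic.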

0

Besides the already mentioned .1x & port security features, another quick solution would be to assign all unused ports to a blackhole/dummy VLAN & shut them down.

LucentMoon
  • 293
  • 2
  • 6
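LucentMoon's blackhole VLAN and Ron Trunk's alternative of putting unused ports on the guest network, as an added Cisco IOS example that is not part of either answer. VLAN 999 as the blackhole, VLAN 20 as the guest VLAN and the port ranges are assumptions.

```cisco
! --- Added example: lock down unused ports (hypothetical VLAN numbers and port ranges) ---
! A VLAN that exists only on the switch and is routed nowhere: a device placed in it reaches nothing.
vlan 999
 name BLACKHOLE
!
! Unused ports: move them out of VLAN 1 into the blackhole VLAN *and* shut them down, so a
! device stays isolated even if someone later types "no shutdown" without also fixing the VLAN.
interface range FastEthernet0/13 - 24
 description UNUSED - blackhole
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
!
! Alternative for ports in public rooms: leave them live but on the guest VLAN, the same VLAN
! as the public wireless, so a visitor's laptop gets internet but never sees the servers.
interface range FastEthernet0/9 - 12
 description GUEST - public VLAN only
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! Verification (output not reproduced here):
!   show interfaces status   -> "disabled" in the Status column means the port is shut down
!   show vlan brief          -> confirm no live port is still sitting in VLAN 1 by accident
```

The downside Ron Trunk mentions applies here too: every move or new desk means editing a port's VLAN and shutdown state, so the `description` lines are worth keeping accurate, and `show interfaces status` makes it easy to spot a port that was brought up without being moved off the blackhole VLAN.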