











mharoun
Junior Member M
Registered: Mar 2002 Location: Country: Canada State: Certifications: MCSE, MCDBA Working on:
Total Posts: 15
Is it possible?
Hi geeks!
Wonder if someone can help with this networking question.
At my work, we are searching for the best security practice to stop anyone from connecting his computer to the network unless it meets certain security measures (has patchlink installed – Corporate Virus scanner – etc.). We get visitors to our place frequently and we want to ensure that no computer will be able to connect to the network unless it’s scanned and patched.
Are there any SW/HW solutions out there that can assure this?
If I'm posting my question at the wrong place, please advise.
Any thoughts? Let me know if any additional info will help.
Thanks and happy Holidays!
mharoun
12-26-04 01:06 AM
RussS
radical dood M

Registered: Sep 2002 Location: Hamilton Country: New Zealand (Aotearoa) State: Certifications: MCP W2K Pro & Server, A+, Net+, NZQA L3 Computing Working on: Security+, MCSA, Linux+
Total Posts: 955
Most of my clients have Network Usage policies.
These cover how they use the network and how they use the internet, plus their responsibilities in regard to software. First and foremost is that they run an approved AV program - in our case Norton AV.
Next is that if they use the internet they have their machines checked regularly for spyware. After that every program on a user's machine must be submitted for approval by the client's IT support person. Chat and file swapping programs are not permitted.
As far as methods to keep people off a company network - running Novell servers and IPX works a treat ;-)
On a small network having static IP numbers and a range other than 192.168 also helps. Another trick is only patching ports that have authorised machines on them - that stops a user just plugging into any wall port they see.
__________________
Go hard or go home!
12-26-04 08:11 AM
chrisgates
Junior Member
Registered: Dec 2004 Location: Arizona Country: United States State: Certifications: MCP 2003, C|EH, Security+, Network+, A+ Working on: SSCP & 70-291
Total Posts: 2
Hi,
Depending on what type of routers/switches you have you can do MAC filtering to only allow the MAC addresses you specify to access your network. You can even do it down to each individual port (read network jack in the building) with Cisco and Foundry products (probably others). Your local CCNA should be able to take care of that for you.
That will stop anyone you don’t want to from accessing your network. Now, to allow people access; they can visit your IT department or helpdesk, the helpdesk can verify the appropriate patch levels and software is installed, note the MAC address of the computer and then your "router guy" can add their MAC to the allowed table of MAC addresses. This may or may not be feasible with your network size but we do it at work on a network of several thousand computers.
Another option is DHCP MAC address reservations on your DHCP server. That way only authorized MAC addresses will get DHCP in the first place.
Chris Gates
Learn Security Online, Inc.
Email: chris[at]learnsecurityonline[dot]com
Web: http://www.learnsecurityonline.com
Last edited by chrisgates on 12-30-04 at 04:18 PM
12-30-04 04:08 PM
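
Added example, not part of chrisgates's post or of any vendor's tooling: a Python sketch of the workflow described above, turning a helpdesk register of approved MAC addresses into per-port Cisco port-security lines and DHCP reservations while rejecting malformed or duplicate entries. The register entries, port names, IP addresses and the use of ISC dhcpd `host` syntax for the reservations are assumptions made for illustration.

```python
import re

# Constructed helpdesk register: (name, MAC as written down, switch port, reserved IP).
APPROVED = [
    ("visitor-laptop-01", "00-1A-2B-3C-4D-5E", "FastEthernet0/12", "10.20.0.51"),
    ("visitor-laptop-02", "001a.2b3c.4d5f", "FastEthernet0/13", "10.20.0.52"),
    ("bad-entry", "00:1A:2B:3C:4D", "FastEthernet0/14", "10.20.0.53"),      # too short
    ("dup-entry", "00:1a:2b:3c:4d:5e", "FastEthernet0/15", "10.20.0.54"),   # MAC already listed
]

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if this is not a usable host MAC."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # multicast/broadcast bit: never a single host
        return None
    return digits

def build_configs(register):
    """Return (switch config lines, DHCP reservation lines, rejected entry names)."""
    switch, dhcp, rejected, seen = [], [], [], set()
    for name, raw, port, ip in register:
        mac = normalize_mac(raw)
        if mac is None or mac in seen:
            rejected.append(name)  # send back to the helpdesk instead of guessing
            continue
        seen.add(mac)
        dotted = ".".join(mac[i:i + 4] for i in (0, 4, 8))        # Cisco notation
        colon = ":".join(mac[i:i + 2] for i in range(0, 12, 2))   # dhcpd notation
        switch += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {dotted}",
            " switchport port-security violation shutdown",
        ]
        # Assumes ISC dhcpd, with "deny unknown-clients;" set in the address pool
        # so that only these host entries are offered a lease.
        dhcp.append(f"host {name} {{ hardware ethernet {colon}; fixed-address {ip}; }}")
    return switch, dhcp, rejected

if __name__ == "__main__":
    sw, dh, bad = build_configs(APPROVED)
    print("\n".join(sw), "\n".join(dh), "rejected: " + ", ".join(bad), sep="\n\n")
```

A MAC allow-list checks an address that the client itself reports, so it complements the helpdesk patch check rather than replacing it.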
ZacDogg
Senior Member M
Registered: Mar 2002 Location: Minneapolis Country: United States State: Certifications: A+, Net+, CCNA, CCNP, CCIE, CSS-1 Working on: another CCIE
Total Posts: 227
01-24-05 10:52 PM
rmarrero
Ghost M

Registered: Dec 2004 Location: Country: Philippines State: Certifications: Security+, Network+, A+ Working on: On the way
Total Posts: 63
That's a difficult scenario my friend. I think that what you're asking is really not applicable. It's hard to scan and to patch unknown PCs that are connecting to your network. I can also see that your security policy is very loose if this is what your company is doing right now. 802.1x is good but usually implemented in a wireless environment. To utilize 802.1x properly, you need to have an authentication server. What I can suggest is to try to edit your security policy to get what you want to achieve.
01-25-05 01:31 AM