Secure network against illegal users

Phifer gives advice on how to handle illegal users on a network.

We run NT servers with Windows 2000 workstations. We're having a problem with users illegally putting laptops on our network. We find their MAC addresses from our DHCP Manager. How can we block certain MAC addresses from accessing our network?
If you use managed Ethernet switches, you may be able to configure each switch port to accept frames only from known, authorized MAC addresses (often called port security). This method is simple but does not scale well: every port needs its own list, a laptop that moves to another port must be re-entered, and it can be defeated by MAC spoofing (users changing their laptop's MAC address to one they have seen on the wire).

Your DHCP manager may support MAC Address Access Control Lists, giving out IP addresses to known, authorized MACs while denying requests from everyone else. This method is slightly more scalable -- the same ACL works no matter which switch port or AP a given laptop is using. However, it is still vulnerable to MAC spoofing, and it only governs devices that ask for an address: a laptop configured with a static IP address on your subnet never talks to the DHCP server at all, so a DHCP ACL should be paired with switch-side controls rather than used alone.
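As an added example (not code from the original article or from the author), the script below does the audit the question describes by hand: it takes a DHCP client listing, normalizes the MAC addresses, flags any that are not on an authorized list, and also flags an authorized MAC that shows up under more than one hostname, which is the kind of trace a cloned address leaves behind. The lease lines are constructed, and their column order (IP, MAC, hostname, expiry) is an assumption; adapt `parse_leases()` to whatever your DHCP Manager exports.

```python
"""Audit DHCP leases against a MAC allowlist and look for cloned MACs.

Added example, not part of the original article. The sample export below
is constructed; the column layout is an assumption about the DHCP export.
"""
import re
from collections import defaultdict

# Constructed sample DHCP client listing: ip, mac, hostname, lease expiry.
SAMPLE_LEASES = """\
192.168.1.20  00-50-56-AB-CD-01  WS-FINANCE-01   2006-08-12 09:00
192.168.1.21  00-50-56-AB-CD-02  WS-FINANCE-02   2006-08-12 09:05
192.168.1.57  00-0C-29-11-22-33  JOHNS-LAPTOP    2006-08-12 09:10
192.168.1.58  00:50:56:ab:cd:01  HOMEPC          2006-08-12 09:12
"""

# Authorized MACs as an administrator might have typed them; notations differ
# on purpose (Windows, Cisco style) so the normalizer has to reconcile them.
AUTHORIZED = {"00-50-56-AB-CD-01", "0050.56ab.cd02"}

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce colon, dash, dot or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_HEX.match(digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_leases(text):
    """Parse whitespace-separated lease lines into dicts with a canonical MAC."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host, *expiry = line.split()
        leases.append({"ip": ip, "mac": normalize_mac(mac),
                       "host": host, "expiry": " ".join(expiry)})
    return leases


def audit(leases, authorized):
    """Return (leases for unknown MACs, {mac: hostnames} for MACs seen under several names)."""
    allow = {normalize_mac(m) for m in authorized}
    unknown = [lease for lease in leases if lease["mac"] not in allow]

    # One MAC leasing under different hostnames is a cue that an authorized
    # address has been copied onto another machine (MAC spoofing).
    hosts_by_mac = defaultdict(set)
    for lease in leases:
        hosts_by_mac[lease["mac"]].add(lease["host"])
    suspected_clones = {mac: sorted(hosts)
                        for mac, hosts in hosts_by_mac.items() if len(hosts) > 1}
    return unknown, suspected_clones


def run_sample():
    """Run the audit over the constructed listing; used by main() and tests."""
    return audit(parse_leases(SAMPLE_LEASES), AUTHORIZED)


if __name__ == "__main__":
    unknown, clones = run_sample()
    for lease in unknown:
        print("UNAUTHORIZED  %(ip)-15s %(mac)s %(host)s" % lease)
    for mac, hosts in clones.items():
        print("POSSIBLE CLONE %s seen as %s" % (mac, ", ".join(hosts)))
```

The clone check is only a hint: a legitimately reimaged machine also changes hostname. Treat it as a reason to look at the switch port or AP where the MAC appeared, not as proof of abuse.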

Many new Ethernet switches and wireless APs support 802.1X Port-Based Network Access Control. 802.1X is designed to overcome MAC spoofing by dynamically enabling/disabling a LAN port based on something more than a MAC address. Specifically, the wired or wireless laptop will be challenged for credentials and must authenticate before network access is granted. To use 802.1X, you will need a RADIUS authentication server that supports the EAP methods your switches and clients use, but you can probably run that on one of your NT servers and leverage your Windows workgroup and domain to authenticate LAN users; each workstation also needs an 802.1X supplicant (client), which Windows 2000 gained in its later service packs. To learn about 802.1X, check out searchNetworking's Wireless Lunchtime Learning Access Control lesson.

Finally, you can also control access to your NT servers at a higher layer. For example, you could put a small business firewall between the servers and all LAN stations, requiring users to log in at the firewall to gain access to the server subnet. Or you could require domain login when workstations access individual applications and shared files/printers offered by your NT servers. Ideally, you should build a layered defense that controls access both to your LAN and to your servers and applications, so that a laptop which slips past one control still cannot reach anything of value.

This was first published in August 2006
