[ale] OT: laptops on a network, security

Transam bob at verysecurelinux.com
Thu May 29 23:18:42 EDT 2003 

On Wed, May 28, 2003 at 09:56:04PM -0600, Chris Ricker wrote:
> On Wed, 28 May 2003, J.M. Taylor wrote:

> > Hypothetical situation: you are a fair-to-middlin' sized university, and
> > people (students, faculty, staff, spouses, riff-raff) want to bring their
> > laptops in and plug in to your network.  Your draconian laws prohibit this
> > but it's becoming increasingly obvious that people are doing it anyway,
> > and you can't hide from the issue forever.

> > What do you do?  Could something like RADIUS be used to authenticate
> > mobile users and only grant those with valid accounts an IP address?  What
> > about people who just assign themselves an IP? How does one stop that?

Worthless.  If someone has an accountant on a school system, he can use
the same authentication for his laptop and he can pick a MAC address and
IP of a school computer that has been turned off.

> > I know there are a ton of security issues involved here, and of course I'm
> > looking for a solution that protects both our network and our mobile
> > users. One of my biggest concerns is that these are machines completely
> > out of our control, how do I mitigate the potential horrible evil of that?

1. People connecting unauthorized equipment get fired or expelled as
   surely as if they give the combination to the office safe or entry
   lock to unauthorized people.  It's the same, really.

2. Recognize that if an ordinary switch is used, it doesn't matter what
   your firewall does because there's only the switch between the
   unauthorized laptop and vulnerable systems.

3. U of U's VLAN for each system is an excellent system that solves most
   attacks, deliberate or not.

4. Remember that it is trivial to spoof someone else's IP address or MAC
   address.

> > I'm fishing here, would be especially interested to know what GA Tech,
> > Emory,  Kennesaw, and others are doing because as a school we're going to
> > have to follow different rules than a corporation, but I'm interested to
> > hear from anybody with experience doing this kind of thing.

> If I remember the implementation right, what the University of Utah (~30,000
> students, public 10/100 ports all over campus) is something like this:

> * all ports are locked down on the switch. DHCP requests are assigned a
>   random non-routed address in its own VLAN. Only HTTP GET is processed, and
>   it always returns a web-based RADIUS login page
> * When you plug into a port, you get a DHCP lease, then fire up your web
>   browser and log in on that web page with your campus-wide account
> * once authenticated, the ACLs on the port you're using on the switch get
>   changed. You get a new DHCP lease, this time for a random IP address in a
>   routed VLAN. When you unplug from the port, the switch resets to the
>   locked-down ACLs....

> Their particular implementation is fairly dependent upon their switch
> vendor's (Cisco) feature set, but similar things are possible with many
> higher-end switches.

> later,
> chris

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list