Here's my situation.

In normal operation, my windows network resides behind a reasonably robust
firewall. I use static IP addresses throughout my organization for an extra
layer of security (no DHCP clients). In addition, I have employed standard
windows best practices for security throughout my organization. Because of a
special event being held on Tuesday and Wednesday of this week I have been
forced to activate a DHCP server and allow people to use my network for
Internet connectivity.

Is there any way that I can authorize the DHCP server to distribute DHCP
addresses and then block those addresses from being able to access any of my
network resources (outside of the firewall/router)? I'm sure it goes without
saying that the information on my network is highly confidential.

Basically, here's what I need:

Maintain the current network topography (no time to implement new
routers/etc...)
Assign addresses through DHCP to random computers attaching directly to my
network.
Block those Addresses from access to all network resources except the
internet/router.

Any help you can provide will be greatly appreciated.

By the way, I do have a reasonable understanding of technical items (MCSE
NT4), but I'm relatively new to the Windows 2000/AD world.

Chris Guynn

Re: Network security by Mostly

Mostly
Mon May 21 13:33:10 CDT 2007

Chris Guynn wrote:
> Here's my situation.
>
> In normal operation, my windows network resides behind a reasonably robust
> firewall. I use static IP addresses throughout my organization for an extra
> layer of security (no DHCP clients). In addition, I have employed standard
> windows best practices for security throughout my organization. Because of a
> special event being held on Tuesday and Wednesday of this week I have been
> forced to activate a DHCP server and allow people to use my network for
> Internet connectivity.
>
> Is there any way that I can authorize the DHCP server to distribute DHCP
> addresses and then block those addresses from being able to access any of my
> network resources (outside of the firewall/router)? I'm sure it goes without
> saying that the information on my network is highly confidential.
>
> Basically, here's what I need:
>
> Maintain the current network topography (no time to implement new
> routers/etc...)
> Assign addresses through DHCP to random computers attaching directly to my
> network.
> Block those Addresses from access to all network resources except the
> internet/router.
>
> Any help you can provide will be greatly appreciated.
>
> By the way, I do have a reasonable understanding of technical items (MCSE
> NT4), but I'm relatively new to the Windows 2000/AD world.
>
> Chris Guynn

Do you have VLAN capable switches?
What kind of firewall do you use?

Re: Network security by ChrisGuynn

ChrisGuynn
Mon May 21 15:28:02 CDT 2007

> Do you have VLAN capable switches?

No.

> What kind of firewall do you use?

They'll be on the network side of the firewall, so it shouldn't matter,
should it?

Re: Network security by Mostly

Mostly
Mon May 21 15:43:53 CDT 2007

Chris Guynn wrote:
>> Do you have VLAN capable switches?
>
> No.
>
>> What kind of firewall do you use?
>
> They'll be on the network side of the firewall, so it shouldn't matter,
> should it?

I was wondering if there was some small chance you had a DMZ or a
firewall capable of 802.1q

Re: Network security by Mostly

Mostly
Mon May 21 15:45:32 CDT 2007

Chris Guynn wrote:
>> Do you have VLAN capable switches?
>
> No.
>
>> What kind of firewall do you use?
>
> They'll be on the network side of the firewall, so it shouldn't matter,
> should it?

I was wondering if there was some small chance you had a DMZ or a
firewall capable of 802.1q

Re: Network security by S

S
Tue May 22 04:05:31 CDT 2007

If you're employing Windows "best practices" of any kind then don't worry
about those guest PCs - their users cannot access any resources on your
network because they have to authenticate and be authorised for the access.

Static IP address allocation is not a valid security measure. Nor is any
DHCP-based solution.

What you can do is to be creative with routing - DHCP server can change
routing table on the client. That potentially can limit connectivity to a
single host - your Web access gateway, for example. But it's a minor
inconvenience for a determined hacker.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Chris Guynn" <ChrisGuynn@discussions.microsoft.com> wrote in message
news:729B2155-07B8-42EE-96DF-9C1EAAA962E8@microsoft.com...
> Here's my situation.
>
> In normal operation, my windows network resides behind a reasonably robust
> firewall. I use static IP addresses throughout my organization for an
> extra
> layer of security (no DHCP clients). In addition, I have employed
> standard
> windows best practices for security throughout my organization. Because
> of a
> special event being held on Tuesday and Wednesday of this week I have been
> forced to activate a DHCP server and allow people to use my network for
> Internet connectivity.
>
> Is there any way that I can authorize the DHCP server to distribute DHCP
> addresses and then block those addresses from being able to access any of
> my
> network resources (outside of the firewall/router)? I'm sure it goes
> without
> saying that the information on my network is highly confidential.
>
> Basically, here's what I need:
>
> Maintain the current network topography (no time to implement new
> routers/etc...)
> Assign addresses through DHCP to random computers attaching directly to my
> network.
> Block those Addresses from access to all network resources except the
> internet/router.
>
> Any help you can provide will be greatly appreciated.
>
> By the way, I do have a reasonable understanding of technical items (MCSE
> NT4), but I'm relatively new to the Windows 2000/AD world.
>
> Chris Guynn
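The routing trick S describes above (handing guests a route to a single host instead of a default gateway) is carried by the DHCP classless static route option, code 121 per RFC 3442, which Windows 2000/XP-era clients read under the Microsoft-specific code 249 with the same byte layout. The following encoder/decoder is an added example written for this page, not code from the thread or from any Microsoft product; the gateway and proxy addresses are constructed test values. The decoder rejects malformed payloads instead of installing a partial route, and the round trip makes S's caveat concrete: the option is only advice to the client, which can ignore it, so it is not a security boundary.

```python
import ipaddress

# Constructed values for a temporary guest scope (not from the thread).
GUEST_GATEWAY = "192.0.2.1"       # the only router the guests need
WEB_GATEWAY = "198.51.100.10"     # the single reachable host, e.g. a web proxy

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442 option code
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft pre-RFC code, same payload format


def encode_classless_routes(routes):
    """Encode [(destination_cidr, router)] as an option 121/249 payload.

    Each route is: one byte prefix length, ceil(prefix/8) significant
    octets of the destination network, then the 4-byte router address.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Decode an option 121/249 payload back into [(cidr, router)].

    A malformed payload (prefix > 32, truncated route, stray bits past the
    prefix) raises ValueError rather than yielding a half-parsed route.
    """
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError("invalid prefix length %d" % prefixlen)
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route at offset %d" % i)
        # pad the significant octets back out to a full 4-byte address
        dest = int.from_bytes(payload[i:i + significant].ljust(4, b"\x00"), "big")
        i += significant
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict network construction rejects stray bits beyond the prefix
        routes.append((str(ipaddress.IPv4Network((dest, prefixlen))), str(router)))
    return routes


def is_valid_payload(payload):
    """True if the payload decodes cleanly, False if it is malformed."""
    try:
        decode_classless_routes(payload)
        return True
    except ValueError:
        return False


def guest_scope_options(gateway=GUEST_GATEWAY, reachable_host=WEB_GATEWAY):
    """Options for the guest scope: one /32 host route and no option 3.

    Per RFC 3442 a client that understands option 121 ignores option 3
    (default gateway), so the guest is left with a route to one host only.
    Both codes carry the same payload so old and new clients get the route.
    """
    payload = encode_classless_routes([(reachable_host + "/32", gateway)])
    return {
        OPTION_CLASSLESS_STATIC_ROUTE: payload,
        OPTION_MS_CLASSLESS_STATIC_ROUTE: payload,
    }


if __name__ == "__main__":
    for code, payload in guest_scope_options().items():
        print("option %d: %s -> %s" % (code, payload.hex(), decode_classless_routes(payload)))
```

Note that nothing here stops a guest from adding its own default route by hand; the option only shapes the routing table of clients that cooperate. Real isolation needs a separate segment, which is why the thread goes on to ask about VLANs, 802.1q and cascaded routers.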

Re: Network security by Ian

Ian
Wed May 23 01:59:00 CDT 2007

"S. Pidgorny <MVP>" wrote:

> If you're employing Windows "best practices" of any kind then don't worry
> about those guest PCs

Nothing in those practices will protect against buffer-overflow
vulnerabilities.

The best arrangement is a double-NAT connection, that is, route your
Internet feed through two 'cascaded' NAT routers, connect the guests to the
'upstream' router, and your own LAN to the 'downstream' one. Each segment
uses a different IP subnet. That way, the guests can see the Internet, but
cannot see anything lower-down the chain of routers.

For this you'd need a second router with an Ethernet WAN port, as opposed
to a combined router/modem.

The downside is that it makes it more difficult to provide outside service
from any servers on your LAN. But if you don't do this it's a quick and
secure arrangement for a temporary guest feed.