Wired security improvements

["Jesse Rink" <jesse-rink () wi rr com>]

Hello all.

I was hoping for some feedback on some improvement I'm hoping to make at a
couple of clients as it relates to their wired network.

A bit of a background...

I do support for several K12 school districts.  This, by its nature, changes
the typical way security needs to be planned for and implemented.  Obviously
the biggest change is the mindset that the biggest security threat comes
from the inside as opposed to coming from the outside.

In particular I am looking at ways to minimize the potential of being
exposed when it comes to students having accessibility to the physical
network when they bring in their own laptops.  Some schools I do work for
have a policy in place that restricts students/staff from bringing in
laptops.  Some schools I do work for have a policy which allows
students/staff to bring in laptops.  

The concern I am looking to address is finding a method to prevent
students/staff from bringing in their laptop, plugging it into an active
port and getting on the network.  My concern is, a user who brings in a
non-controlled device will have the ability to run whatever hacking/cracking
tools they want, man in the middle attacks, etc.  My experience with these
tools tells me I only need 5 minutes at the most to start getting usernames
and passwords from Kerberos hashes - I've done it and it was surprisingly
easy.  At that time, I can take my laptop offline, go home, and crack
passwords easily enough.  I have spoken at length with Aaron Royhans about
this (he is a member on this mailing list) and we have come up with the same
summation for the most part so I feel as if I'm on the right track at least.

The following 5 methods are, as far as I see it, the potential options I
have:

1. Lockdown switchports by individual MAC addresses
2. Implementing IPSec
3. 802.1x on the Wired network
4. A NAC device (HP, Cisco, etc.)
5. MAC Authentication via RADIUS

I have put together a small spreadsheet detailing what I see, in MY
environments, as pros and cons of each method.  Pros and Cons include
everything from how effective the solution is, to cost involved, to time
involved, to ease of installation and continued support thereafter, etc.

I need to implement something for approximately wired 500-900 computers
depending on the size of the client.  Costs need to be kept low.  Time
investment needs to be kept low.  Those are the main priorities, however,
I'm considering all options and avenues.  

As of now, I am leaning towards MAC Authentication via a RADIUS server,
followed by IPSec.  Ideally, I would like to implement both options in
tandem to compliment each other.  MAC Authentication via RADIUS to keep them
off the network, IPSec to keep the communications secure.

I believe MAC Authentication via RADIUS is an ideal choice for us because it
seems like it would be the easiest of the methods to implement with minimal
amount of configuration required and overhead.  Setup the ports on the
switches, add the MAC addresses to Active Directory, configure my IAS Server
and that's pretty much a wrap.  We pretty much effectively limit port-access
to the network unless that MAC can be authenticated.  Yes, I realize MACs
can be spoofed, but, a student would first have to KNOW the reason they're
being prevented access to the network is because of MAC based
authentication.  I think it's a stretch to think a student would guess that.
Possible - sure.

IPSec seems like a good option as well, but it doesn't prevent physical
access to the network at all.  It merely requires that both parties, client
and server, communicate securely.  If one doesn't, then there's no access.
I am still a bit concerned that "man in the middle attacks" could
potentially happen even with IPSec however based on what I've read... 

I have a lot of experience with 802.1x in a wireless environment and it
works great.  In a wired environment, I think it can add a LOT of
complexities I'm not ready to tackle, especially when it comes to imaging,
and clients/OS's that don't have a supplicant.  It's also a complete PITA to
get up and running, test fully, etc.  So I think while, it's a lot better
option than MAC Authentication via RADIUS as far as security is concerned, I
personally feel the rewards are outweighed by the additional
cost/setup/testing to get a fully wired 802.1x infrastructure in place.

A NAC device seems like a nice option.  But cost can be outstanding.  I'm
currently evaluating an HP NAC 800.  Seems to do everything I'd want, but
again, cost... cost... cost.  Especially when you add in the appropriate
licensing required on the clients.  Likely would be over $20,000 or more.

If you want to shed your $.02 on this, feel free.  I ask however that you
first go to http://www.w3si.org/securitymethods.xls and view the spreadsheet
I put together with pros/cons.  Again, this is based on MY environments so
it may not coincide with environments you've seen in your travels.

Thanks for reading.

Jesse