1

How do I restrict network access to LAN for visitors?

In my organization's premises any outside visitor can come and connect to the LAN ports in our meeting rooms. We have seen that they are able to ping internal systems. How can I prevent this issue?

S.L. Barth
  • 5,504
  • 8
  • 39
  • 47
Pentester23
  • 19
  • 1
  • 2

3 Answers3

3

The solution really depends on what your environment is, and what you're willing to put into place. There are a few solutions that come into mind, including the ones mentioned in other answers here:

  • Separate VLANs for public meeting spaces, and internal workstations. The downside of this is that a smart attacker can perform a VLAN hop (depending on the implementation), and end up in your workstation VLAN.
  • 802.1X, which requires you to implement a RADIUS server, and a fair bit of management on user workstations to ensure that they have the right authentication profiles and certificates to talk to your network.
  • Network Access Control (or in Cisco language, Network Admission Control) which lets you authenticate users using LDAP, based on MAC address, or other mechanisms depending on your NAC implementation.

Of these three, VLAN is probably the cheapest in terms of effort on your part in configuring the environment - you don't have to do anything on user workstations, and you just have to ensure a proper segmentation of the network. 802.1x is more expensive in terms of effort and adoption, but still cheaper than a NAC solution. The NAC solution is probably going to be the most effective, and most expensive of the three, especially if you get a solution that doesn't need to deploy an agent on the workstations. It will still require some user training depending on how you implement it, but it is much harder to bypass a NAC control than it is to bypass VLAN restrictions.

  • What if isolated visitors try to connect to ports located at user workstation instead of meeting rooms. Will VLAN be able to restrict access. – Pentester23 Jan 15 '14 at 12:26
  • No, VLANs won't restrict access. A user workstation port will be connected to the work station VLAN - VLANs have nothing to do with the computer itself, but the port on which the computer is connecting. However, NAC/802.1X can help you isolate visitors in this scenario. – Karthik Rangarajan Jan 15 '14 at 18:12
2

The simplest solution is VLAN a virtual or logical LAN. With VLANs you can segregates your physical LAN network into different logical LAN segments i.e. Department based, based on users or application based. With the help of VLAN you can operate as build as many Virtual LANs as per your switch permits and these VLAN will be virtually isolated from each other. So what I suggest is to place your meeting rooms ports on a seperate vlan this will isolate visitors from accessing any of the internal workstations.

Edit:

VLAN are generally Subject to VLAN hopping attack i.e. switch spoofing and double tagging attacks. These reason behind these attacks is mainly due to misconfigured switch i.e. switch access port being configured as trunk port. You can review good assessment of the security of vlan from this question i.e

Why do people tell me not to use VLANs for security?

Ali Ahmad
  • 4,814
  • 8
  • 35
  • 61
0

Implement Port Security (802.1X), this is various techniques for placing access control on network ports.

RQ'
  • 76
  • 6