Disable random network access?

Bril

Occasional Visitor
I have a Cisco 871 Router, and aside from disabling the DHCP pool and assigning a static IP address to known legitimate MAC addresses on the network, is there a way to control (disable) random users accessing the network without my approval first? Near as I can tell, if someone has the know-how to assign their own static IP address in Windows, the router will still give them access.
 
A couple ways come to mind. Obviously as you mentioned, you can tell it to permit only certain MACs. Also, various routers and such support access pages/gateways where when you open your browser you have to put in a password in order to connect. I'm not sure if your router supports this, I'm guessing not. Most decent switches and many routers also support disabling ports outright, so that's a potential option as well. Disabling ports completely is what I've done in the past to help limit access.
 
Scotty is right. There's only a few ways to prevent users from accessing a wired network if they have access to the physical ports. Wireless is another story. Is this a wireless + wired 871?

Disable all unused ports; but this doesn't prevent people from disconnecting an "approved" user's connection and using that port

802.1x; I don't believe the 871 supports this on the wired side, though it does support WPA2 Enterprise on the wireless side which could require 2-factor authentication (RADIUS MAC and username/password)

MAC ACLs; only known MAC addresses are allowed

IP ACLs; only approved IP addresses are permitted, don't know if the 871 is smart enough for that, though it does support an IPS, NAC and Stateful Inspection, but not sure if it's WAN, LAN and/or wireless sides...

VLANs; the 871 is VLAN capable, assign your workstations to a VLAN, if the NIC drivers in the workstation allow that, and simply keep it a secret. Sometimes this requires assigning the VLAN in the Registry for MS. If the intruder doesn't know the appropriate VLAN and how to configure it, his packets will have the incorrect header information to traverse the switch.

steve.
 
I haven't used an 871, but the 831 will do filtering based on IP address. I don't see Cisco removing that feature.

Tam
 
I personally like Proxies, which require authentication. Just make it so that only the specific server running, say, Squid is able to connect out, then force everyone to connect via the proxy. You can use Active Directory to set the defaults inside PCs that are a part of the domain to then authenticate to the proxy, then out.

This also has the advantage of adding content filtering and web caching (for faster page loads and less bandwidth usage).
 
Reply back

Also, various routers and such support access pages/gateways where when you open your browser you have to put in a password in order to connect. ... Most decent switches and many routers also support disabling ports outright, so that's a potential option as well. Disabling ports completely is what I've done in the past to help limit access.

Access Pages/Gateways might be an issue. I'm not sure if the router supports this, and even if it did I might catch a lot of flack from people that need to log in every time they log into Windows or open a web page.

Disabling ports is out of the question. I have a whole plethora of unmanaged switches connected to the router; this is an impossibility.

I personally like Proxies, which require authentication. Just make it so that only the specific server running, say, Squid is able to connect out, then force everyone to connect via the proxy. You can use Active Directory to set the defaults inside PCs that are a part of the domain to then authenticate to the proxy, then out. ...

I'm not very knowledgeable about Proxies, but this does not sound feasible at the moment either. I don't actually have a PC available to route all my network traffic through.

Scotty is right. There's only a few ways to prevent users from accessing a wired network if they have access to the physical ports. Wireless is another story. Is this a wireless + wired 871?

No, this router is not wireless. The old router we have has a wireless AP, and I got too many phone calls from people arguing with me that it WILL work through wood and sheet metal walls and from 500 feet away, if I just tell them how, before I finally turned it off altogether. :mad:

With that, WPA2 does not apply.

What is 802.1x? Any good information on this besides Wikipedia?

MAC ACLs sound like my best bet. Only users I allow are on the network, but it doesn't require any more micromanagement on my end to ensure they have full connectivity to each other and/or the internet.

IP ACLs do not sound very secure. I would essentially have to open up a range, and if someone arbitrarily gave themselves a good IP address within that range they would be in.

VLANs may be an option; I have to study that more. Any good information on this besides Wikipedia?

I also ran into a bit of a hitch, near as I can tell this router does not have a DNS server.

Can anyone inform me if this is the case or not?

If that is the case, do I need some DNS server software in a workstation somewhere for the Windows machines to network properly?
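The worry about IP ACLs above is that a range-based rule admits anyone who self-assigns an address inside it. An added example (not from any poster in this thread, and not verified on an 871 specifically) of how a host-level IOS ACL on the LAN interface, combined with static ARP bindings, narrows that: the router will only route for the listed addresses, and each address is pinned to one MAC so a machine that borrows an approved IP without the matching MAC gets no return traffic from the router. The subnet 192.168.1.0/24, the three host addresses and the MACs are hypothetical; the example assumes the 871's built-in switch ports sit in VLAN 1, the IOS default.

```cisco
! Added example, not from the thread. Assumptions: switch ports Fa0-Fa3 are
! in VLAN 1 (IOS default), LAN is 192.168.1.0/24, hosts and MACs are made up.

! Weak form: any self-assigned address in the range is permitted.
ip access-list extended LAN-WEAK
 permit ip 192.168.1.0 0.0.0.255 any

! Stronger form: one entry per approved host; everything else is denied
! and logged, so an unknown address shows up in the router log.
ip access-list extended LAN-ALLOW
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
 deny   ip any any log

! Pin each approved address to its MAC. Static entries are not overwritten by
! ARP replies, so the router keeps sending to the listed MAC even if another
! machine claims the same IP.
arp 192.168.1.10 0011.2233.4455 arpa
arp 192.168.1.11 0011.2233.4456 arpa
arp 192.168.1.12 0011.2233.4457 arpa

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-ALLOW in

! The original post already disabled the DHCP pool; keep the service off so
! the router hands nothing to unknown hosts.
no service dhcp
```

Two limits worth knowing before relying on this. The ACL on Vlan1 only filters traffic the router routes (to the internet or other subnets); hosts behind the unmanaged switches can still reach each other directly on the same segment, and a static ARP entry on the router does not stop that either. And a MAC address can be copied, so a cloned approved MAC plus its IP walks through both checks; that is the same limitation the thread raises for MAC ACLs, and it is why the `deny ... log` line is useful: it at least records attempts from addresses that are not on the list.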
 
I'll try to take a stab at a few of those questions.

VLANing, similar to disabling ports, likely won't work in your scenario unless you have all VLAN-aware switches. Depending on how things are physically connected, you may be able to VLAN, but if it's like you say, I would rule out VLANing. Think of it in similarities to disabling ports: if you have a mish-mash of switches daisy-chained to each other, VLANing will be out of the question.

A proxy is basically a central computer/gateway through which all computers access the internet. The problem is similar to not wanting an access page: people would need to log in a lot, and if you say that's not an option I'm not so sure a proxy would fit the bill either.

MAC ACLs could work, but can potentially be bypassed pretty easily. If you have pretty simple users this might be an option, but it's certainly not air-tight.

All things considered, an access page of some sort is probably the best trade-off in my opinion. But that's just me.

And with DNS, no, your router won't have a DNS server. Your router will have DNS information from your ISP to which it will forward DNS requests. It will have client tables which they can sort of use like DNS. Basically, in a Windows network it's Windows that will scan and try to auto-discover other PCs and devices on the network (which is slow and painful). Typically in a smallish Windows network, I personally try to stick to IPs. Works faster, more to the point. Not always an option though. Don't worry about this though; Windows and your router can figure it out, but don't expect responses to be super quick and snappy.