Thread: External Users

  1. #1
    New Lounger
    Join Date
    Mar 2003
    Location
    Livingston, Lanarkshire, Scotland
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts

    External Users

    Hi,

    With spyware now becoming more of a pain than viruses, I need a solution to protect my LAN from external users coming in off the field.

    We have a number of laptops out there which use their own broadband connection most of the time, but only log onto the domain now and then. These laptops pose a huge risk.

    In W2K3 Server, there is NAP (Network Access Protection), but nothing available for 2000.

    How does everyone else do it?

    Thanks in advance.

    David

  2. #2
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,571
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: External Users

    David,

    Look here: Windows 2000 Networking and Communications Services for reading material. My best guess would be VPNs.

    Joe

  3. #3
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: External Users

    This is a very difficult problem. Prevention obviously is step #1: having the laptops running always-up-to-date antivirus software, outfitting them with a software firewall configured strictly, and having them routinely scanned for spyware. And of course having strong policies barring use of peer-to-peer networks and other firewall bypass mechanisms. Even then, users often have a way of introducing unexpected software onto their computers, so you have to assume the worst.

    A number of companies sell (expensive) network appliances that either integrate with or sit in front of your switches. They can "sniff" the laptop for patch level and malware, and apply additional filtering, before allowing the laptop to connect. I have read announcements of these products, but have not studied or compared them, and frankly I can't afford any of them anyway.

    Your best workaround depends on the level of access required. If your users only need access to an internal mail server, you can connect the untrusted laptops outside your firewall (e.g., in a DMZ) and provide a webmail interface. If they need access to documents, you can devise either a web or (secure) FTP interface. You see where I'm going here. Basically, a direct wired or wireless connection, or a wide-open VPN connection, allows these untrusted machines too much access and unless you can put them through a scrub before they connect ("doughnut time" for the user), isolation is the best approach.

    Now, of course, isolation cannot succeed 100%. There always will be laziness, expediency, and "good" excuses. So you'll need to harden your internal assets and consider segmenting your LAN to minimize the scope of any attacks.

    I wrote a paper on untrusted laptops once, which you can read online here: http://www.giac.org/practical/GSEC/J...Scher_GSEC.pdf

  4. #4
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: External Users

    Excellent dissertation Jefferson !! Very thorough and easy to understand. Nice work.

    Perhaps you could post a link under its own heading?? Seems like the right thing to do with something that could prove quite useful for a number of people and organizations.

  5. #5
    4 Star Lounger
    Join Date
    Oct 2001
    Location
    Bellevue, Nebraska, USA
    Posts
    569
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: External Users

    And another bookmark gets added to my "References" folder. Nice piece.
    Bill (AFE7Ret)
    Freedom is NOT Free!
    Heat is the bane of all electronics!
