| Author | Messages | |
y2k1981
Posts:0
 | | 03/07/2009 10:16 AM |
| Hi all,
Sorry, I know this thread is a little old, I've been meaning to reply for ages but not gotten around to it until now.
I've been harping on for ages at work about how great 802.1x is and that we should use it at our site. Very interesting reading on the link that Austin posted, but I just wanted to check one thing.
We have a small head office with about 20 staff. A further 10 are at customer sites full time. Each customer site has its own dedicated LAN & DSL connection for those staff (completely separate from the customer's infrastructure). All our sites are using private IPs and have an IPSEC VPN back to head office over the DSL connection (from the site FW to the head office FW). Clients at the sites don't need to talk to each other, they only need to talk to head office for file sharing, RDP etc etc
Like I said, I want to implement wired 802.1x, but now I'm leaning towards the 802.1x & IPSEC combination. What I'm wondering is:
1. Do we need to implement 802.1x on the clients as we are already implementing it on the FWs? My initial guess is yes, as the current IPSEC implementation only secures the traffic from the perimeters of the site & head office, so we would still be open to the "vulnerability" mentioned in Austin's link.
2. As we already have an IPSEC tunnel to head office, will we be able to configure Windows IPSEC policies to run over that? What we would essentially be doing is taking IP traffic at the PC side, encapsulating it in IPSEC (also at the PC side) to prevent any sniffing at the local site, then sending it to the site FW which would encapsulate that IPSEC traffic in its own IPSEC tunnel. I'm suspecting that there could be a lot of issues with this - can anybody confirm/deny?
3. If we had public IPs at all sites including head office, could we eliminate the IPSEC VPN on the FWs and just use the Windows IPSEC implementation? Is it considered to be secure enough?
Thanks in advance for any help anybody can give me
Cheers ! Martin
----- Original Message -----
From: Austin Osuide <austin@osuide.com>
Date: Thursday, February 19, 2009 3:12 pm
Subject: RE: [ActiveDir] Wired 802.1x deploy

> Nice 1 Roberto,
> Seems you are thinking along the lines of combining "authenticating connections to the network" (802.1x) and "authenticating connections and packets between computers" (IPSEC). I am not familiar with how Enterasys switches work and will Google them to catch up.
>
> Regards,
>
> /Austin
>
> ________________________________
>
> From: ActiveDir-owner@mail.activedir.org on behalf of Roberto Braga
> Sent: Thu 19/02/2009 13:19
> To: ActiveDir@mail.activedir.org
> Subject: Res: [ActiveDir] Wired 802.1x deploy
>
> Austin,
>
> thanks again for the contribution. In our environment we're using the "zones of trust" you've mentioned using the NAC feature of our Enterasys switches.
>
> Roberto
> robertobraga.net
>
> ________________________________
>
> From: Austin Osuide <austin@osuide.com>
> To: ActiveDir@mail.activedir.org
> Sent: Thursday, 19 February 2009 6:18:21
> Subject: RE: [ActiveDir] Wired 802.1x deploy
>
> Hi Roberto,
>
> I think you'll find that the crux of the discussion is that 802.1x "by itself" for wired networks is insufficient to protect you unless you can guarantee there will be no unauthorized access to your network.
>
> I'm not sure you followed all the links in the said article as there is a detailed discussion of the threat profiles that are mitigated by 802.1x and the drawbacks. See: http://technet.microsoft.com/en-gb/library/cc512611.aspx
>
> To be a robust protection mechanism, if you're a smart netadmin ;-), you'll be combining it with IPSEC and work towards defining "zones of trust". As one of the contributors to this thread has observed, this can be a "nut cracker" to get working in a large env with different devices connecting to the inf. Not impossible though.
>
> Regards,
>
> /Austin
>
> ________________________________
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roberto Braga
> Sent: 19 February 2009 00:46
> To: ActiveDir@mail.activedir.org
> Subject: Res: [ActiveDir] Wired 802.1x deploy
>
> Austin,
>
> thanks for the link. It is such a great approach to the theme. I had the opportunity to listen to three of Steve Riley's speeches last year, in TechEd Brasil 2008, and he is just incredible.
>
> My staff decided to choose 802.1x specially because it is layer 2, since IPSec is layer 3. We've seen lots of corporations (with smart netadmins ;D) with wired 802.1x and this fact "endorsed" our decision. I think this massive adoption is the major reason for Microsoft to put tools to automate 802.1x deploys in W2008/Vista environments, no?
>
> Roberto
> robertobraga.net
>
> ________________________________
>
> From: Austin Osuide <austin@osuide.com>
> To: ActiveDir@mail.activedir.org
> Sent: Wednesday, 18 February 2009 15:00:43
> Subject: RE: [ActiveDir] Wired 802.1x deploy
>
> Hi there,
>
> 802.1x on wired networks??
>
> You might want to read this before going ahead: http://blogs.technet.com/steriley/archive/2005/08/11/August-article_3A00_-802.1X-on-wired-networks-considered-harmful.aspx
>
> Was actively debated at TechEd Europe many years ago now.
>
> Regards,
>
> /Austin
>
> ________________________________
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: 18 February 2009 17:19
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Wired 802.1x deploy
>
> Yes, Wired (802.1x) policy is supported in Vista or 2008 GPMC/GP Editor but in a Server 2003 AD environment, it does require a schema extension to support it. I haven't implemented this policy so I can't say for sure that it will work on XP SP3 systems. My initial thought is that it requires the newer Client Side Extension that came with Vista to support it, and thus would not work with XP clients, but I haven't looked at SP3 to know for sure that it did not back-port that CSE.
>
> Darren
>
> Darren Mar-Elia
> CTO & Founder
> SDM Software
> "The Group Policy Experts"
> www.sdmsoftware.com <http://www.sdmsoftware.com/>
> darren@sdmsoftware.com
>
> ________________________________
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon
> Sent: Wednesday, February 18, 2009 8:02 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Wired 802.1x deploy
>
> Sorry a little behind you on that. Have not gotten to the GP yet. Tested the PC, but since ours plugged into the IP phones, now trying to get the phone to auth as well. That is not going so well at the moment.
>
> Seem to remember from my Wireless deployment that if you are editing your policies from a Vista or a 2008 device (DCs can still be 2003) there is a wired policy in there next to wireless.
>
> Thank you, Tony.
>
> Tony Gordon
> Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
> ITS Infrastructure Engineering
> Tel 847.295.5000 x50526 | Fax 847.554.1574
>
> From: "Roberto Braga" <redbullbrasil@yahoo.com.br>
> To: ActiveDir@mail.activedir.org
> Date: 2009-02-18 08:39 AM
> Subject: [ActiveDir] Wired 802.1x deploy
> Sent by: ActiveDir-owner@mail.activedir.org
>
> ________________________________
>
> Has anyone here deployed wired 802.1x through a GPO/script? My switch/Radius authentication is done and we've made tests in single PCs. Now the trouble is to enable the 802.1x configuration in each one of our 3,000 workstations. Our environment runs a single 2003-native domain, with a few sites. Workstations are Windows XP SP3.
>
> Searching around I've seen something about expanding my Schema to natively support this deploy through a GPO. I've also seen .vbs scripts modifying registry keys. Has anyone been into a similar deploy?
>
> Roberto Mascarenhas Braga
> Microsoft Student Partner
> http://robertobraga.net
>
> ________________________________
>
> List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
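Martin's question 2 describes two layers of IPsec on every packet: ESP transport mode applied on the PC, and the site firewall's existing ESP tunnel to head office wrapped around that. One concrete thing that changes under that design is packet size, because each ESP layer adds its own header, IV, padding, trailer and integrity tag before the packet goes out over a DSL link that is already below 1500 bytes after PPPoE. The block below is an added example written for this thread, not code from any poster or product; it models that size budget and derives the largest TCP segment that still fits the link without fragmentation. The cipher and MAC sizes (16-byte IV and block, 12-byte ICV) and the 1492-byte PPPoE MTU are assumptions chosen for illustration; substitute the values of your own suite and link.

```python
# Added example (not from the thread): size budget for the "IPsec over IPsec"
# design from question 2. Layer 1 is ESP transport mode on the client, wrapping
# the TCP segment; layer 2 is the site firewall's ESP tunnel, wrapping the
# whole packet produced by layer 1. Cipher/MAC sizes are assumptions (CBC-style
# 16-byte IV and block, 96-bit truncated HMAC) chosen to show the arithmetic.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_LEN = 16        # CBC initialisation vector (assumption: 16-byte block cipher)
BLOCK = 16         # cipher block size; drives ESP padding
ICV_LEN = 12       # integrity check value (assumption: HMAC-SHA1-96)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_packet_len(plaintext_len: int) -> int:
    """Size of the IP packet carrying `plaintext_len` bytes inside ESP.

    The same formula serves both modes: in transport mode the plaintext is
    the transport segment and the IP header is the original one; in tunnel
    mode the plaintext is the whole inner IP packet and the IP header is the
    new outer one.
    """
    to_encrypt = plaintext_len + ESP_TRAILER
    padding = (-to_encrypt) % BLOCK          # pad up to a block boundary
    return IP_HDR + ESP_HDR + IV_LEN + to_encrypt + padding + ICV_LEN


def on_wire_len(tcp_payload: int, client_ipsec: bool) -> int:
    """Bytes the site firewall sends to head office for one TCP segment."""
    if client_ipsec:
        # Layer 1 (client, transport mode): the TCP segment is the plaintext.
        inner = esp_packet_len(TCP_HDR + tcp_payload)
    else:
        # No client-side IPsec: the firewall tunnels the plain IP packet.
        inner = IP_HDR + TCP_HDR + tcp_payload
    # Layer 2 (site firewall, tunnel mode): the whole inner packet is plaintext.
    return esp_packet_len(inner)


def max_tcp_mss(link_mtu: int, client_ipsec: bool) -> int:
    """Largest TCP payload whose fully wrapped packet still fits `link_mtu`.

    This is the value to clamp the clients' MSS to so the firewall never has
    to fragment the outer ESP packet on the DSL link.
    """
    best = 0
    for payload in range(1, link_mtu + 1):
        if on_wire_len(payload, client_ipsec) <= link_mtu:
            best = payload
        else:
            break    # sizes only grow with payload, so the first miss ends it
    return best


if __name__ == "__main__":
    PPPOE_MTU = 1492          # assumption: DSL link MTU after PPPoE overhead
    for client_ipsec in (False, True):
        label = "client ESP + FW tunnel" if client_ipsec else "FW tunnel only"
        print(f"{label}: 1460-byte segment -> {on_wire_len(1460, client_ipsec)} "
              f"bytes on the wire; max MSS for MTU {PPPOE_MTU} = "
              f"{max_tcp_mss(PPPOE_MTU, client_ipsec)}")
```

With these assumed sizes a full 1460-byte segment becomes 1560 bytes with the firewall tunnel alone and 1608 bytes with both layers, so either way the clients' MSS has to come down, and the second layer costs a further 44 bytes of budget (1382 versus 1338 for a 1492-byte link). Separately from size, the site firewall's tunnel policy must carry the client's ESP (IP protocol 50) and IKE (UDP 500, and UDP 4500 if NAT traversal is in play) to the head-office hosts, not just the application ports it carries today.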
| JacksonShaw
Posts:7
 | | 03/07/2009 11:37 AM |
| I agree on how cool this is.
I wonder how companies include Macs and Linux desktops into their 802.1X/IPSec fabric...? Or, is that a way to keep Macs and Linux boxes out of the corporate approved list of computers because they don't support these capabilities (easily)?
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of martin.mcdermott@exlayer.co.uk
Sent: Saturday, March 07, 2009 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (OT) Wired 802.1x deploy - IPSEC over IPSEC !?
| | | |