Networking Forums


URGENT: Prevent from connecting Notebooks to my LAN

 
 
Jazmin Gutierrez
Guest
Posts: n/a

 
      10-09-2007, 01:30 PM
Is there any way to prevent notebooks and PDAs from connecting to my LAN?
I heard that IPSec is the solution but I STILL have Windows 98 computers in
my network.

1) Is it possible to apply IPSec only for Windows XP/Vista computers? Most
notebooks have XP/Vista OSs.

2) How do I prevent the DHCP server from assigning an IP address to an
unauthorized computer?

3) What other solutions do I have (that includes Windows 98)? Maybe
MAC-Address based control? Is it included with Windows 2003?

Thanks!




 
 
 
 
 
George Ellis
Guest
Posts: n/a

 
      10-09-2007, 01:43 PM
One way is Network Access Control or Identity Based Networking Services.
Layer 2 denial of a connection based on not having the correct certificate.
Requires the right infrastructure. MS has a layer 3 equivalent in Longhorn.

For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
or better. AD membership is the criteria some use, but you can make it
group based too. The beauty of it is, you can put authenticated users in one
VLAN and failed in another.

ForeScout has a device that can do it in layer 3 through posturing IIRC.
 
Phillip Windell
Guest
Posts: n/a

 
      10-09-2007, 02:40 PM
How do they make the people come to work on time? Make them do their work?
Keep them from stealing the toilet paper? You just don't let them bring
outside machines into the building, if they do then they have to stay in the
bag, if they don't obey then have established "punishments" in place. If
Management won't do that then you are wasting your time since I.T. people
typically don't run the company.

Networking equipment gets smarter all the time,...but networking equipment
still is not a "babysitter".


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Jazmin Gutierrez
Guest
Posts: n/a

 
      10-09-2007, 02:57 PM

I see this applies in all countries & all companies.

 
Phillip Windell
Guest
Posts: n/a

 
      10-09-2007, 03:04 PM
You could simply not use DHCP in areas of the building where they are doing
this,...or just unplug any wall jacks at the patch panel where there is no
official machine at that jack,..in other words don't leave live jacks
around.

If it is wireless, then you may have to limit the connectability to the WAP
by MAC Address since the users are probably going to know the WPA "key".

"User beatings" still work the best and make the greatest
"impression",...but "technical" solutions often just make the user "proud of
themselves" and feel like they have bragging rights when they find a way
around them, particularly when there is no incentive to obey the rules.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------
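
A detection-side check for the DHCP and MAC-address ideas raised in the question and in the post above, as an added example that is not part of any poster's message: it reads a Windows DHCP Server audit log and reports leases handed to adapters missing from an inventory. The log text and the `AUTHORIZED_MACS` inventory are constructed samples; the column layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) is assumed to match your server's audit log.

```python
import csv
import io
import re

# Constructed sample in the Windows DHCP Server audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); not real data.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,10/09/07,09:01:12,Assign,192.168.1.50,ACCT-PC01,0011223344AA
11,10/09/07,09:30:45,Renew,192.168.1.51,ACCT-PC02,00-11-22-33-44-BB
10,10/09/07,10:15:03,Assign,192.168.1.77,JOHNS-LAPTOP,00A0C9123456
24,10/09/07,10:20:00,Database Cleanup Begin,,,
10,10/09/07,11:02:19,Assign,192.168.1.78,,0011223344aa
"""

# Hypothetical inventory of approved adapters, in whatever notation it was recorded.
AUTHORIZED_MACS = {"00:11:22:33:44:AA", "00-11-22-33-44-BB"}

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = lease renewed


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 uppercase hex digits, or None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    return digits.upper() if len(digits) == 12 else None


def find_unauthorized_leases(log_text, authorized):
    """Return (time, ip, host, mac) for leases given to MACs not in the inventory."""
    allowed = {normalize_mac(m) for m in authorized}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # header, service events, malformed lines
        mac = normalize_mac(row[6])
        if mac is None or mac not in allowed:
            findings.append((f"{row[1]} {row[2]}", row[4], row[5] or "(no name)", row[6]))
    return findings


if __name__ == "__main__":
    for when, ip, host, mac in find_unauthorized_leases(SAMPLE_LOG, AUTHORIZED_MACS):
        print(f"{when}  {ip:<15} {host:<15} {mac}")
```

A MAC address is supplied by the client and a machine with a static address never appears in the DHCP log, so this is an inventory check rather than authentication of the device.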


 
 
Phillip Windell
Guest
Posts: n/a

 
      10-09-2007, 03:13 PM
People will try to get away with anything they can if not stopped. Rules
are no rules at all if there is no willingness to enforce them.

I know the employment laws are different in different countries, but I don't
think any business would survive if it "let the inmates run the asylum".
Somebody has to be in charge and have the power to enforce their job.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Chris Hills
Guest
Posts: n/a

 
      10-10-2007, 11:07 AM
George Ellis wrote:
> For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
> or better. AD membership is the criteria some use, but you can make it
> group based too. The beauty of it is, you can put authenticated users in one
> VLAN and failed in another.


Correction: you do not need Cisco hardware at all. You can use any
802.1X compatible network devices with guest vlan support. In addition
you do not need PKI to accomplish this (as I first thought).

Regards

Chris
 
 
John Fullbright
Guest
Posts: n/a

 
      10-10-2007, 06:53 PM
The behavioral modification API is still a work in progress...


"Phillip Windell" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> You could simply not use DHCP in areas of the building where they are
> doing this,...or just unplug any wall jacks at the patch panel where there
> is no official machine at that jack,..in other words don't leave live
> jacks around.
>
> If it is wireless, then you may have to limit the connectability to the
> WAP by MAC Address since the users are probably going to know the WPA
> "key".
>
> "User beatings" still work the best and make the greatest
> "impression",...but "technical" solutions often just make the user "proud
> of themselves" and feel like they have bragging rights when they find a
> way around them, particularly when there is no incentive to obey the
> rules.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>
>



 
 
Phillip Windell
Guest
Posts: n/a

 
      10-10-2007, 07:22 PM
"John Fullbright" <fjohn@donotspamnetappdotcom> wrote in message
news:(E-Mail Removed)...
> The behavioral modification API is still a work in progress...


Hehe,...I can't wait! I'll beta test it!

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
jas0n
Guest
Posts: n/a

 
      10-10-2007, 09:39 PM
In article <qn2Pi.28820$(E-Mail Removed)> ,
(E-Mail Removed) says...
> George Ellis wrote:
> > For Layer 2, you need a CA (PKI) complex, Cisco ACS, and Cisco 35xx switches
> > or better. AD membership is the criteria some use, but you can make it
> > group based too. The beauty of it is, you can put authenticated users in one
> > VLAN and failed in another.

>
> Correction: you do not need Cisco hardware at all. You can use any
> 802.1X compatible network devices with guest vlan support. In addition
> you do not need PKI to accomplish this (as I first thought).
>
> Regards
>
> Chris
>


We are going down the NAC route at the moment but before NAC we were
looking at 802.1x which looked straightforward enough - if you run
Windows Servers you already have IAS which is a RADIUS server you can
use with most managed switches that support 802.1x.

I did at one point have it on two separate VLANs where the guest would
stay in the original VLAN which had basic internet access and only if
authenticated moved them into the company VLAN with access to servers
etc.
 