How to block unknown devices on the network?

A

AntohaRomaha2015-11-27 11:35:09

linux

AntohaRomaha, 2015-11-27 11:35:09

Greetings.
Tell me, please, in which direction to dig. There is a LAN with a gateway on FreeBSD 10.2.
How can I control the list of LAN devices using the gateway? By poppy addresses, not very much .. poppies can be replaced. And how else - I have no idea.
Now the situation turns out to be such that anyone came, tucked a laptop into the switch, or even worse, hid the raspberry without being pale, plugged into the switch .. that is, anyone can become a member of the local network. Besides how can you detect devices that appear on the network using a poppy?
UPD. Internet access is not the same. It is necessary not to let the left device into the LAN .. In general, thanks for the answers, I'll figure it out.

Reply

Answer the question

In order to leave comments, you need to log in

6 answer(s)

M

Max, 2015-11-27
@MaxDukov

802.1X. But you don't need a dumb switch.

A

athacker, 2015-11-27
@athacker

If in a simple way, then you can do this: disable all switch ports that are not in use. Configure port security on the switch - so that each port is MAC bound. If a device with a different MAC is plugged in, then the network will not rise from it. Accordingly, in order to plug in a laptop or something else, you will first have to plug out what was already connected there from the enabled port and configure the same MAC on the "illegal" piece of hardware as on the legal one.
Or yes - 802.1x. But this requires both appropriate equipment and support from clients (workstations, or whatever else you have on your network).
And on FreeBSD this task is not solved in any way. You can control access to the Internet, for example, through a proxy with authorization. But not connecting / disconnecting devices on the network, in any case, the switches are in charge. Well, although if you decide on 802.1x, then you can raise a RADIUS server on the fra :-)

M

MefistofelKr, 2015-11-27
@MefistofelKr

Use tools for authorization and obtaining ip, through a log and password. And you can already see from the logs who is trying to access or openvpn and generate keys for one user. dhcp outside openvpn chop off

N

nonname, 2015-11-27
@nonname

There is another option for separating networks. In fact, you need to move the company's shared resources to a separate subnet and install a firewall with authorization between it and the local network. Roughly speaking, a potential attacker, having connected to the network, will see just a set of local PCs of employees and nothing more, not the highest level of security, but quite simple and does not require large expenses.

B

bukass, 2015-11-27
@bukass

ip unnamed + DHCP
habrahabr.ru/post/108453

S

SquareWheel, 2015-12-08
@SquareWheel

It will not be superfluous to make a binding on poppies, limit the pool of distributed addresses - do not give more than necessary (and all those who like to surf the Internet from phones can be generally transferred to a separate network). Cut the network into sub-networks (by departments, for example), and close them from each other. And in a subnet with servers/services - in general, as a vpn, don't let it go. Well, it’s also obvious that you need to close physical access to the switches, hide them in boxes there.
H