topic Re: How to block unknown machines from traversing the network in General Topics

How to block unknown machines from traversing the network

Roshawn — Thu, 05 Oct 2017 22:45:13 GMT

Hi all. My question is how can I create a rule that blocks traffic from a computer I brought from home as opposed to from my work domain?

I want to be able to see people that bring their own devices onto the network and then block access to the network as a whole. Is this do-able without Captive Portal?

Any help would be appreciated 🙂

Re: How to block unknown machines from traversing the network

Raido_Rattameister — Fri, 06 Oct 2017 01:25:29 GMT

Do you have UserID configured for work domain?

If yes then you can deny unknown users from accessing internal resources and internet (I would still permit to update applications so computers can download updates even if no-one has logged in).

You don't need to use Captive Portal for work domain as there are so many diferent options to get UserID.

Re: How to block unknown machines from traversing the network

Roshawn — Fri, 06 Oct 2017 02:29:31 GMT

THANK YOU!!

I do have user-id up and running and I thought that I created a rule to make the Source User that is Unknown denied to all zones, but that didn't work. I was able to bring a home machine in and surf the network.

Essentially my rule said:
Source Zone: Trust
Source IP: ANY
Destination Zone: Trust
Destination IP: ANY
User: Unknown
Application: Any
Service: Any

I know I'm missing something. Hoping I can get there tomorrow 🙂

Re: How to block unknown machines from traversing the network

Raido_Rattameister — Fri, 06 Oct 2017 03:19:22 GMT

You should allow any user to get dhcp, dns and access domain controllers to authenticate before you block to anything else.

Also what are your test machine and destination machine IPs?

If they are in same subnet then this traffic does not pass firewall.

Do you have seperate zones to test with? For example from users zone to servers zone.

Re: How to block unknown machines from traversing the network

Roshawn — Fri, 06 Oct 2017 03:56:27 GMT

I am allowing all users to get ot dhcp, dns, and access domain controllers to authenticate but I'm als obeing told to not do Captive Portal 😕

I have two machines (one domain joined and one from home) and both can get on the network and go anywhere.

I have three zones to test with and then the Untrusted Zone>

I thought by setting the action to Deny for Uknown Users in every zone that I would be able to get it taken care of that way. However, that didn't work. Now I'm thinking it is because I had the rule before the DNS, DHCP, WINS, and Domain Controller rules.

Re: How to block unknown machines from traversing the network

Raido_Rattameister — Fri, 06 Oct 2017 04:36:02 GMT

In your initial example both Source and Destination zones were the same.

Source Zone: Trust
Destination Zone: Trust

In this case traffic usually does not pass firewall as traffic inside same subnet goes from source to destination through switch not firewall.

Change destination zone to Untrust and try to access internet.

Did similar test and works fine.

Re: How to block unknown machines from traversing the network

kiwi — Fri, 06 Oct 2017 08:43:44 GMT

Hi @Roshawn,

I might be going overboard here but you could configure a HIP-based policy enforcement to do this.

That said, it requires additional licenses and requires quite a bit of extra configuration :

Use host information in policy enforcement

Cheers,

-Kiwi

Re: How to block unknown machines from traversing the network

BPry — Fri, 06 Oct 2017 12:48:21 GMT

@Roshawn,

It honestly sounds like your asking a little bit too much from your firewall, as far as blocking interzone communication goes. The way that @Raido_Rattameister mentioned works great as long as the firewall can see the traffic. The example rule that you have laid out really isn't going to work as the traffic from 'Trust' to 'Trust', or any interzone traffic in general, isn't going to traverse the firewall in most situations.

So as an example lets say I have the following zones on my firewall 'Untrust', 'Trust', 'DMZ', and a 'Datacenter' zone. The rules that I would really want to be put into the firewall would look something like this.

set rulebase security rules Test from Trust to [ Untrust DMZ Datacenter ] source any source-user unknown destination any action deny log-end yes

The above rule would deny any traffic that isn't tied to a user id from accessing the untrust, DMZ, or Datacenter zones. You could put your Trust zone in this rule as well, but again in most situations you won't see any Trust to Trust traffic anyways.

Depending on how the rest of your network looks, you could then go through and make the same rule but set the from or source zone as another zone. I would be a bit more careful when doing this as things like the DMZ zone may not actually have a user-id associated with the servers, same for the Datacenter zone. Essentially when doing this you need to be sure that the zone your are disallowing without a user-id mapping, doesn't actually contain any devices that wouldn't serve a user-id and are still expected to maintain connectivity.

Re: How to block unknown machines from traversing the network

Roshawn — Fri, 06 Oct 2017 13:00:50 GMT

@Raido_Rattameister , @kiwi and @BPryI appreciate all the help 🙂 I figured it would be an uphill battle with this specific task. I appreciate all the help and insight into my issue. I will update you all with what happens going forward 🙂

Re: How to block unknown machines from traversing the network

dannon — Fri, 06 Oct 2017 14:09:40 GMT

We looked at this scenario and found that a prodcut like Cisco ISE or similar Network Access Control product would do this. Cost prohibitive for us, so we just have to live with it for now. I would much prefer to know who is coming and going on the wired / wireless networks here.

Re: How to block unknown machines from traversing the network

Raido_Rattameister — Fri, 06 Oct 2017 15:53:58 GMT

You could force intrazone traffic through firewall with private vlans but they can cause other issues.

For example I could not get Lync working with private vlans some years ago and looks like Lync was not designed to work that way.

https://social.technet.microsoft.com/Forums/ie/en-US/a41db525-f206-412d-8b24-3a6ff3f7efc8/lync-and-private-vlans?forum=lyncinterop