Also, various routers and such support access pages/gateways where when you open your browser you have to put in a password in order to connect. ... Most decent switches and many routers also support disabling ports outright, so that's a potential option as well. Disabling ports completely is what I've done in the past to help limit access.
Access pages/gateways might be an issue. I'm not sure if the router supports this, and even if it did I might catch a lot of flak from people that need to log in every time they log into Windows or open a web page.
Disabling ports is out of the question. I have a whole plethora of unmanaged switches connected to the router, so this is an impossibility.
I personally like proxies, which require authentication. Just make it so that only the specific server running, say, squid is able to connect out, then force everyone to connect via the proxy. You can use Active Directory to set the defaults inside PCs that are a part of the domain to then authenticate to the proxy, then out.
This also has the advantage of adding content filtering and web caching (for faster page loads and less bandwidth usage).
I'm not very knowledgeable about proxies, but this does not sound feasible at the moment either. I don't actually have a PC available to route all my network traffic through.
Scotty is right. There are only a few ways to prevent users from accessing a wired network if they have access to the physical ports. Wireless is another story. Is this a wireless + wired 871?
Disable all unused ports; but this doesn't prevent people from disconnecting an "approved" user's connection and using that port.
802.1x; I don't believe the 871 supports this on the wired side, though it does support WPA2 Enterprise on the wireless side which could require 2-factor authentication (RADIUS MAC and username/password)
MAC ACLs; only known MAC addresses are allowed
IP ACLs; only approved IP addresses are permitted. I don't know if the 871 is smart enough for that, though it does support an IPS, NAC and Stateful Inspection, but I'm not sure if it's on the WAN, LAN and/or wireless sides...
VLANs; the 871 is VLAN capable, assign your workstations to a VLAN, if the NIC drivers in the workstation allow that, and simply keep it a secret. Sometimes this requires assigning the VLAN in the Registry for MS. If the intruder doesn't know the appropriate VLAN and how to configure it, his packets will have the incorrect header information to traverse the switch.
steve.
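As an added example (not code from this thread or from any Cisco product), here is a small Python audit that models two of the controls steve lists, MAC ACLs and IP ACLs, from the checking side: it parses an ARP table dump in the Linux `arp` layout and flags any host whose hardware address is not on the allow-list, or whose IP lies outside the approved range. The allow-list, subnet and ARP table text are all constructed for the example; the function names are hypothetical.

```python
"""Audit an ARP table against a MAC allow-list and an approved IP range.

Added example, not from the thread. Models two of the options steve lists:
MAC ACLs (only known hardware addresses are allowed) and IP ACLs (only
approved address ranges are allowed). All values below are constructed.
"""
import ipaddress
import re

# Constructed allow-list of approved workstation MACs (hypothetical values).
APPROVED_MACS = {
    "00:11:22:33:44:55",
    "00:11:22:33:44:66",
    "00:11:22:33:44:77",
}

# Constructed approved subnet: the "range" an IP-ACL approach would open.
APPROVED_NETWORK = ipaddress.ip_network("192.168.10.0/24")

# Constructed ARP table dump in the Linux `arp` layout (header line included).
SAMPLE_ARP_TABLE = """\
Address          HWtype  HWaddress           Flags Mask   Iface
192.168.10.20    ether   00:11:22:33:44:55   C            eth0
192.168.10.21    ether   00:11:22:33:44:66   C            eth0
192.168.10.99    ether   de:ad:be:ef:00:01   C            eth0
10.0.0.5         ether   00:11:22:33:44:77   C            eth0
"""

# Columns: address, hardware type, hardware address; the rest is ignored.
ARP_LINE = re.compile(r"^(\S+)\s+\S+\s+(\S+)")


def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-11-22-33-44-55 and
    0011.2233.4455 compare equal to 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return a list of (ip_address, mac) pairs; header and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            mac = normalize_mac(m.group(2))
        except ValueError:
            continue  # header line or unparsable row
        entries.append((ip, mac))
    return entries


def audit(entries, approved_macs=APPROVED_MACS, approved_net=APPROVED_NETWORK):
    """Return (ip, mac, reason) for each entry violating either policy.

    A host failing the MAC check is reported once for that reason only;
    the IP-range check is applied to hosts whose MAC is approved."""
    macs = {normalize_mac(m) for m in approved_macs}
    findings = []
    for ip, mac in entries:
        if mac not in macs:
            findings.append((str(ip), mac, "MAC not in allow-list"))
        elif ip not in approved_net:
            findings.append((str(ip), mac, "IP outside approved range"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit(parse_arp_table(SAMPLE_ARP_TABLE)):
        print("%-16s %s  %s" % (ip, mac, reason))
```

Run against a real dump (for example the output of `arp -n` on a Linux host on the same segment) the script lists only the hosts that would be blocked by the two policies, which is a quick way to see how much "micromanagement" a MAC allow-list would actually involve before enabling it on the router.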
No, this router is not wireless. The old router we have has a wireless AP, and I got too many phone calls from people arguing with me that it WILL work through wood and sheet metal walls and from 500 feet away... if I just tell them how... before I finally turned it off altogether.
With that, WPA2 does not apply.
What is 802.1x? Any good information on this besides Wikipedia?
MAC ACLs sound like my best bet. Only users I allow are on the network, but it doesn't require any more micromanagement on my end to ensure they have full connectivity to each other and/or the internet.
IP ACLs do not sound very secure. I would essentially have to open up a range, and if someone arbitrarily gave themselves a good IP address within that range they would be in.
VLANs may be an option; I have to study that more.
Any good information on this besides Wikipedia?
I also ran into a bit of a hitch: as near as I can tell, this router does not have a DNS server.
Can anyone inform me if this is the case or not?
If that is the case, do I need some DNS server software in a workstation somewhere for the Windows machines to network properly?