Package (or product) similar to MS NAP server?
-
Wasn't sure where to put these comments. I know JamesDean hangs here, and knows his stuff in regards to Snort. (good job BTW… I can't wait for the beta snort to become released. Good stuff there!)
Anyway...
I've spent a lot of time looking to prevent outsiders from getting in.
pfSense helps a lot for that, and IPS w/Snort. Now I need to focus on internal networks. I guess (maybe?) I can put a PF system deep on the internal network, with Snort looking at internal IP.
Q1: I see both interfaces can be enabled with Snort. Does this now protect (I guess it's more "notify admins") of a problem being seen or introduced?
It seems Microsoft's NAP product looks at a new computer introduced into the network and (I haven't read up on it yet) I guess it quarantines it to a "safe" network until some set of qualifications "authorize" it to move to the production network. Where they might be Windows updates, and AV signatures up to date. And that's OK.
Q2: Is there an Open Source product that simulates that product? I want to know when some guest goes and plugs their laptop into my ethernet wall port, and starts to get a DHCP address, potentially arping all kinds of trash over my network wire, and if they get an IP, wow even more damage.
Any suggestions?
-
Not sure if there is. Microsoft NAP is used in a Domain environment and really isn't, or shouldn't be deemed as, a security product. All it does is ensure that computers adhere to access policies. Preventing ARP isn't one of them. In a simple configuration it can be configured to make sure clients have such things installed, running and up to date, like their firewall is turned on, A/V definitions are up to date etc. I am sure there is a Linux implementation of this, but I highly doubt it will be compatible with Windows hosts, let alone be a plugin for pfSense. If you want something like that to really secure your network, it is best to have a separate server to handle such things (even if it's virtualised). I have Windows Server 2008 R2 with RADIUS, NAP and configured as a DC. It is currently not implemented on the network however because, well, there is no need to other than testing it out, plus it's set up at home and would just cause frustration with everyone since no one "owns" the network, we share it because we all pay for it.
However, I will say it really does shine when all computers are part of the domain.
Plus, ARP protection is done with pfSense anyhow. You may just need to look more at the configuration and implementation. Most, if not all routers, be it full-fledged server solutions or home devices, employ some sort of ARP protection. I think if anything your biggest concern should be that of ARP poisoning aka: man in the middle attack, this is the method that IMSpector uses to log those chats ;).
Otherwise, you may have to create firewall rules.
-
Maybe PacketFence http://www.packetfence.org/en/home.html would work for you.
If your switches support port security that can be a big help too.
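
An added example, not from any poster in this thread: one way to get the "tell me when a guest laptop pulls a DHCP lease" notification asked about in Q2 is to audit the DHCP server's log against an inventory of approved MAC addresses. It assumes the log uses ISC dhcpd's syslog `DHCPACK on <ip> to <mac> (<host>) via <iface>` line format; the log lines, MAC addresses, inventory and the `audit_leases` name are all constructed for illustration.

```python
import re

# Assumed ISC dhcpd syslog format: "DHCPACK on <ip> to <mac> (<host>) via <iface>"
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed inventory of approved devices (hypothetical values).
KNOWN_MACS = {"00:16:3e:aa:00:01", "00:16:3e:aa:00:02"}

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
Mar  3 09:14:02 fw dhcpd: DHCPACK on 192.168.1.20 to 00:16:3e:aa:00:01 (desk-01) via em1
Mar  3 09:15:40 fw dhcpd: DHCPDISCOVER from 02:00:5e:10:00:99 via em1
Mar  3 09:15:41 fw dhcpd: DHCPACK on 192.168.1.57 to 02:00:5E:10:00:99 (guest-laptop) via em1
Mar  3 09:20:11 fw dhcpd: DHCPACK on 192.168.1.21 to 00:16:3e:aa:00:02 via em1
Mar  3 09:31:05 fw dhcpd: DHCPACK on 192.168.1.20 to 02:00:5e:10:00:99 (guest-laptop) via em1
"""

def audit_leases(log_text, known_macs):
    """Return (unknown_devices, ip_reassignments) found in dhcpd log text."""
    known = {m.lower() for m in known_macs}
    unknown = {}        # mac -> details of the first lease it was granted
    ip_owner = {}       # ip -> MAC most recently acknowledged for it
    reassigned = []     # (ip, previous_mac, new_mac)
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue    # only completed leases matter here
        mac, ip = m["mac"].lower(), m["ip"]
        if mac not in known and mac not in unknown:
            unknown[mac] = {"ip": ip, "host": m["host"], "iface": m["iface"]}
        prev = ip_owner.get(ip)
        # An address changing hands can be normal lease turnover; it is
        # reported so an unexpected change of owner gets reviewed.
        if prev and prev != mac:
            reassigned.append((ip, prev, mac))
        ip_owner[ip] = mac
    return unknown, reassigned

if __name__ == "__main__":
    unknown, reassigned = audit_leases(SAMPLE_LOG, KNOWN_MACS)
    for mac, d in unknown.items():
        print(f"unknown device {mac} leased {d['ip']} on {d['iface']} (host={d['host']})")
    for ip, old, new in reassigned:
        print(f"{ip} moved from {old} to {new}")
```

This only reports devices that ask for a lease, and a MAC address can be changed by its owner, so it complements rather than replaces the switch port security mentioned above.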