Securing Wired Network
I am currently looking at upgrading the network switches at our school. We have multiple buildings, all connected to the central server room through a fiber optic network. The server room has multiple Windows Server 2008 servers. Presently, all of our switches are unmanaged. I am planning to begin swapping the main switches for each building soon with a "web smart" switch (D-Link DGS1224TP). This switch says it supports 802.1x port based access control. I am looking at POE switches for a future VOIP phone system and for access points.
My long term goal is to secure our wired network so that only networked devices with MAC addresses included on some type of "allow" list are allowed to connect (mainly to prevent students from connecting laptops). The problem is that a number of our classrooms have small unmanaged 8 port switches (specifically the D-Link DGS2208 switch). This seems to make securing the wired network more difficult. (I know that MAC addresses can be spoofed, I am mainly trying to make it more difficult for the average user to connect to the wired network).
My other long term goal is to install Ruckus wireless, with two SSIDs: one for students/teaching staff that allows access to the internet only, and one for techs that allows access to the internet and the local network. I am hoping to set up Ruckus so that no type of MAC "allow" list is needed for wireless access, unlike the wired network.
Does anyone have any tips on how I might be able to secure this wired network setup? I had looked a little at Windows Server 2008 NAP and Packetfence, but was unsure if either of these are the best solution, and if they would negatively affect what I am trying to do with Ruckus. Ideally I would have managed switches everywhere, but our funds are very limited.
Thanks for any advice!
The best way by far is to secure everything with 802.1x authentication via your switches, normally authenticating client certificates against a RADIUS server. Seems like you've been thinking of this already (plenty of info via a search, and MS page here http://www.microsoft.com/DOWNLOADS/d...displaylang=en). An interim might be this: "How to Filter MAC Address with Windows Server 2003/2008 DHCP Server Callout DLL" (credit to AngryITGuy for that one). I really would replace those 8 port switches. There are some just web based managed switches out there that are cheap(ish), but I don't know how limited funds are...
Other things to consider would be physical deterrents... PANDUIT|PSL-DCJB|RJ45 BLOCKOUT, X10 AND TOOL, RED | CPC work fairly well to block off spare network ports, but are a bit expensive if you've got lots of ports. Lots of people on these forums suggest snipping off the very end of the RJ45 "clip" so that it makes it hard for anyone without a small screwdriver to unplug a machine from the network (to plug their own in). You can also disable unused ports on your switches, a compromise between leaving them wired up and ready and being a risk, although I doubt that's an option for your little 8 port ones.
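The interim MAC-filtering idea above only helps if someone actually reviews which MAC addresses the DHCP server is handing leases to. The following is an added example (not part of this forum post, and not the Callout DLL itself): a small audit script that reads DHCP lease events and reports any lease given to a MAC that is not on the "allow" list. It assumes the comma-separated layout of the Windows DHCP Server audit log (`ID,Date,Time,Description,IP Address,Host Name,MAC Address,...`, with event IDs 10 and 11 for new leases and renewals); the log lines and the allow list shown are constructed samples.

```python
"""Audit DHCP lease events against a MAC allow list (added example, not forum code).

Assumptions (labelled): Windows DHCP audit-log style lines
"ID,Date,Time,Description,IP Address,Host Name,MAC Address,..." where
ID 10 = new lease and ID 11 = renewal. All sample data below is constructed.
"""
import re
from typing import Iterable, Iterator

# Constructed allow list. Entries may use any common MAC notation; they are
# normalised before comparison so a dash/colon mismatch never hides a device.
ALLOWED_MACS_RAW = [
    "00-1B-21-A1-B2-C3",   # lab-pc-01
    "00:1b:21:a1:b2:c4",   # lab-pc-02
    "001B21FFEE01",        # office-printer
]

# Constructed sample log in the assumed audit-log layout.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,07/06/11,00:00:03,Started,,,,
10,07/06/11,08:02:11,Assign,10.1.4.20,lab-pc-01.school.local,001B21A1B2C3,
11,07/06/11,08:05:40,Renew,10.1.4.21,lab-pc-02.school.local,001B21A1B2C4,
10,07/06/11,08:09:55,Assign,10.1.4.77,students-laptop,F0DEF1AABBCC,
11,07/06/11,08:15:12,Renew,10.1.4.22,office-printer,001B21FFEE01,
10,07/06/11,08:20:00,Assign,10.1.4.78,,BADMAC,
"""

LEASE_EVENT_IDS = {10, 11}   # assumed: 10 = new lease, 11 = renewal


def normalize_mac(raw: str):
    """Return a MAC as 12 lowercase hex digits, or None if it cannot be one."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    return hexonly if len(hexonly) == 12 else None


def load_allow_list(entries: Iterable[str]) -> set:
    """Normalise every allow-list entry; refuse entries that are not MACs."""
    allowed = set()
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"allow list entry is not a MAC address: {entry!r}")
        allowed.add(mac)
    return allowed


def parse_lease_events(log_text: str) -> Iterator[dict]:
    """Yield one dict per lease/renewal line; skip header, blank and other events."""
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or not fields[0].isdigit():
            continue   # header, blank, or malformed line
        if int(fields[0]) not in LEASE_EVENT_IDS:
            continue   # service start/stop, NACK, etc.
        yield {
            "event_id": int(fields[0]),
            "time": f"{fields[1]} {fields[2]}",
            "ip": fields[4],
            "host": fields[5] or "<none>",
            "raw_mac": fields[6],
            "mac": normalize_mac(fields[6]),
        }


def find_unknown_leases(log_text: str, allowed: set) -> list:
    """Return lease events whose MAC is missing from the allow list or unparsable."""
    findings = []
    for ev in parse_lease_events(log_text):
        if ev["mac"] is None:
            ev["reason"] = "unparsable MAC"
        elif ev["mac"] not in allowed:
            ev["reason"] = "not on allow list"
        else:
            continue
        findings.append(ev)
    return findings


if __name__ == "__main__":
    allowed = load_allow_list(ALLOWED_MACS_RAW)
    for f in find_unknown_leases(SAMPLE_LOG, allowed):
        print(f"{f['time']}  {f['ip']:<12} {f['host']:<24} {f['raw_mac']:<14} {f['reason']}")
```

Run against a real audit log, this gives a daily list of devices that obtained an address without being on the list, which is the signal that the filtering (or a rogue 8 port switch in a classroom) needs looking at. Because unmanaged switches do not record which port a device is on, the report can only name the IP, hostname and MAC; tying a MAC to a wall jack still needs a managed switch or 802.1x.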
Both NAP and PacketFence should do this for you as long as your clients are Windows XP SP3 or above, and should not affect a future wireless setup as long as it is on a separate network segment (VLAN).