Limit network connection

  • Limit network connection

    I have several laptops with a LAN network adapter (RJ45) and a wireless card.

    I am afraid that when the computer connects to my LAN network via the RJ45 cable, the user will connect to an unsecure wireless network via the wireless card. It's a security problem.

    I am looking for a solution that limits the active network connections to one: only one network card can work at a specific time.

    Does anybody know how I can do it? GPO or software?

  • #2
    Re: Limit network connection

    More information is required about your setup, and a better explanation of what is required.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: Limit network connection

      If I understand right, the OP has laptops with both Ethernet and Wi-Fi NICs... He is afraid that someone on the unsecured wireless network will be able to access the secured Ethernet.
      Your concerns are justified, yuvalc26. Even if there is no bridge enabled between the two NICs, while both of them are connected, a good hacker can send packets between the two subnets. I don't even think of you connecting both NICs to the same subnet. It will get you in trouble so fast that you won't have time to read this post.
      Anyway, as I see it at the moment, you need to be sure that there is no way both NICs will be alive at the same time.

      Method 1: build two hardware profiles on the laptop, one containing the Ethernet card and the other containing only the wireless.
      Pros: Secure set-up. Easily achievable. Non-user dependent (meaning you don't rely on the good will of the user to do the change).
      Cons: A restart is needed to switch between them. If the user takes his laptop home, for instance, while he is in the middle of writing a document, this might be a problem.

      Method 2: the user will change the set-up depending on his/her needs. This means unplugging the Ethernet cable and enabling the WiFi NIC. To manage the state of the WiFi you can write a CMD file, containing the netsh interface set interface [InterfaceName] admin=enabled/disabled command. Then, you can create two shortcuts to this file on the user's desktop, one that enables and the other one that disables the NIC.
      Pros: Switching between the modes is one click and one pull away.
      Cons: User-dependent. Do you trust him/her? Some writing and testing are to be done.

      Guys, what do you think? Did I forget something?

      Sorin Solomon


      In order to succeed, your desire for success should be greater than your fear of failure.
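
Added example, not part of the post above: a CMD file of the kind Method 2 describes, built on the netsh command quoted there. It goes one step beyond the post with an auto mode that disables Wi-Fi whenever the wired link is connected; the two connection names, the script name wifi-toggle.cmd and the English netsh output format are assumptions.

```batch
@echo off
rem wifi-toggle.cmd (hypothetical name): enable, disable or auto-manage the
rem wireless NIC so it is never up while the wired link is connected.
setlocal
rem Assumed connection names; take the real ones from
rem "netsh interface show interface" on the laptop.
set "WIRED=Local Area Connection"
set "WIFI=Wireless Network Connection"

rem Changing the admin state needs administrator rights. "net session"
rem fails for non-administrators, so it serves as a privilege check.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as administrator.
    exit /b 1
)

rem Assumes English netsh output with a line "Connect state: Connected".
rem The capital C keeps "Disconnected" from matching.
set "WIRED_UP=0"
netsh interface show interface name="%WIRED%" | findstr /r /c:"Connect state: *Connected" >nul && set "WIRED_UP=1"

if /i "%~1"=="disable" goto :disable
if /i "%~1"=="enable"  goto :enable
if /i "%~1"=="auto" if "%WIRED_UP%"=="1" goto :disable
if /i "%~1"=="auto" goto :enable
echo Usage: %~nx0 enable ^| disable ^| auto
exit /b 2

:enable
rem Refuse to bring Wi-Fi up while the cable is plugged in.
if "%WIRED_UP%"=="1" (
    echo Wired link is connected, keeping "%WIFI%" disabled.
    goto :disable
)
netsh interface set interface name="%WIFI%" admin=enabled
exit /b %errorlevel%

:disable
netsh interface set interface name="%WIFI%" admin=disabled
exit /b %errorlevel%
```

The two desktop shortcuts from Method 2 would call this file with `enable` and `disable`; the `auto` argument is for runs that should not depend on the user's choice.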


      • #4
        Re: Limit network connection

        Yes, you understand the situation very well.

        I thought about the first solution - the hardware profile.

        I am looking for a solution which will not be dependent on the user!

        So, maybe you know if there is any feature in the GPO which limits the number of active network cards or disables the wireless card... or any software that can deal with it (even licensed software).


        Thanks

        Yaniv



        • #5
          Re: Limit network connection

          If you need a non user-dependent solution, then two hardware profiles will do.
          I am not aware of a way to do this with GPO. It has to be done through restart. Unless one of the good guys here knows better than me.

          Sorin Solomon




          • #6
            Re: Limit network connection

            Hmm, maybe you guys can help me with what the issue is with having both enabled and connected at the same time.

            By default it seems, and I've tested this, Windows will not route between NICs. Please correct me if I'm wrong on that. See this thread for the tests I did http://forums.petri.com/showthread.php?t=11500

            I can understand the worries of having the machine compromised, but this risk is just as great if the computer connects to another network whether at the same time or at different times.

            So again, my question is "what's the issue?"
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Limit network connection

              I agree that at first look, when there is no routing or bridging between the two NICs, XP itself doesn't do anything "fishy". But:
              Using two network cards, connected to two different subnets, at the same time, while not acting as a router, is a set-up that Microsoft doesn't recommend.
              A hacker that rides on the wireless connection can, with the proper knowledge and tools, send packets to the Ethernet subnet. This is problematic, in my opinion. (Not my knowledge, fortunately, but the guys' at the Communications Department here).
              It's true that there is always the risk that a laptop will get a virus on a public, less-secure wireless network and then come and infect the enterprise network. This is another issue in allowing such set-ups, and there are ways to deal with that.

              So far I couldn't find the article from Microsoft that deals with this issue. I found this article instead:
              http://ms.helifan.net/technet/commun...uy/cg0405.mspx

              Sorin Solomon




              • #8
                Re: Limit network connection

                Originally posted by sorinso:
                A hacker that rides on the wireless connection can, with the proper knowledge and tools, send packets to the Ethernet subnet.
                Hmm, rather vague but yes, I can see that it might be possible. Does anyone have examples of this being exploited? Get your comm guys to be more specific!

                I couldn't find so far the article from Microsoft, that deals with this issue. I found this article instead:
                http://ms.helifan.net/technet/commun...uy/cg0405.mspx
                I read the article... it didn't seem relevant. It just went over the basic configuration and what interface would be used in a given situation. Thanks for looking though.
                Regards,
                Jeremy
