PXE Boot on laptops - Security concerns?

  • A
    Amh
    last edited by Apr 13, 2017, 7:53 PM

    Hello all,

    I’m just getting started with FOG and PXE booting in general. We have a number of desktops and laptops that I would like to configure to be managed through FOG. My concern is about configuring the laptops to have PXE boot as the first item in the boot order. In this state, it seems like it would be fairly simple for them to fall victim to a malicious PXE boot server waiting on a network outside of our building.

    Are these concerns unfounded? Is there any way to address this issue?

    Thanks!

    • J
      Joe Schmitt Senior Developer
      last edited by Joe Schmitt Apr 13, 2017, 2:31 PM Apr 13, 2017, 8:28 PM

      @Amh PXE is definitely an insecure protocol, unfortunately it also so happens to be the standard every machine has. I am working on a new system for Windows machines to boot to FOG without PXE along with secure boot compatibility, but they won’t be available until FOG 2.0.

      The best approach to remain secure is to have some network monitoring software keep an eye out for rogue DHCP/DHCP proxy servers.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

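The monitoring suggested in the reply above, as an added example that is not part of the original post or of FOG: it parses DHCP reply payloads and flags any DHCP or proxyDHCP server that is not on an allowlist. The allowlisted address, the function names, and the `(source IP, UDP payload)` input shape (as a sensor on the client VLAN would supply) are assumptions, and the sample packets are constructed.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie (RFC 2131)
ALLOWED_SERVERS = {"10.0.0.5"}     # assumption: the site's only DHCP/PXE server

def parse_reply(payload):
    """Return (boot_file, options) for a BOOTREPLY payload, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None
    boot_file = payload[108:236].split(b"\0")[0]   # fixed BOOTP 'file' field
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # 0 = pad byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return boot_file, opts

def rogue_pxe_alerts(packets, allowed=ALLOWED_SERVERS):
    """Return (src_ip, reason) for every reply sent by an unlisted server."""
    alerts = []
    for src_ip, payload in packets:
        parsed = parse_reply(payload)
        if parsed is None or src_ip in allowed:
            continue
        boot_file, opts = parsed
        reason = "DHCP reply from unlisted server"
        if opts.get(60, b"").startswith(b"PXEClient"):  # vendor class id
            reason = "proxyDHCP reply from unlisted server"
        elif boot_file or 66 in opts or 67 in opts:     # TFTP server / bootfile
            reason = "boot file offered by unlisted server"
        alerts.append((src_ip, reason))
    return alerts

def make_reply(server_ip, boot_file=b"", vendor=b""):
    """Build a constructed BOOTREPLY for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), socket.inet_aton("10.0.0.50"),
                      socket.inet_aton(server_ip), bytes(4), b"\xaa" * 6, b"", boot_file)
    opts = b"\x35\x01\x02\x36\x04" + socket.inet_aton(server_ip)
    opts += bytes([60, len(vendor)]) + vendor if vendor else b""
    return hdr + MAGIC + opts + b"\xff"

SAMPLE = [("10.0.0.5", make_reply("10.0.0.5", b"undionly.kpxe")),      # legitimate
          ("10.0.0.99", make_reply("10.0.0.99", b"boot.efi")),         # rogue DHCP
          ("10.0.0.77", make_reply("10.0.0.77", vendor=b"PXEClient"))]  # rogue proxyDHCP
```

`rogue_pxe_alerts(SAMPLE)` reports the two unlisted servers and ignores the allowlisted one.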
      • G
        george1421 Moderator
        last edited by Apr 13, 2017, 9:56 PM

        For someone to hack your PXE booting, they would either need to change your settings in DHCP or install a rogue DHCP server on your network or install a DHCP proxy server on your network. All of these require physical access to your network.

        If you do not need unattended imaging, you can always leave your default boot device as the hard drive. Then when you image you will just have a technician in front of the computer, press F12 during initial boot and select PXE boot from the firmware boot menu. We do this because we want to know for absolute what system we are imaging.

        • W
          Wayne Workman
          last edited by Apr 14, 2017, 4:38 AM

          As an admin for a school district, I didn’t much care about the security aspects of enabling network boot as the first item on the laptops - it helped me do my job and the security risks in the environment for PXE were very low.

          If your laptops are going outside of your building, I’d leave the local disk as the first boot item. Another option would be to put port locks into the ethernet ports so they can only use wifi. These locks are pretty cheap.

          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

          • A
            Amh
            last edited by Apr 14, 2017, 2:08 PM

            The laptops go outside of our building daily. Port locks are an interesting option, but limiting the laptops’ connectivity options would likely bite me pretty quickly.

            Having the laptops boot first to local disk is likely the option I will take with the laptops.

            Thanks for the advice!

            • B
              Bob Henderson
              last edited by Apr 15, 2017, 12:25 AM

              We’re a 1:1 Windows laptop school. We have local disk as first boot option for this very reason: kids leave the building daily with them.

              For our desktops, we put PXE first so I can WoL them in off hours and image.

              One thing that’s bugging me as a way to manage with FOG only is the multiple MAC addresses. I register them with the wired NIC, then the wireless NIC sometimes shows up in the pending MACs, but sometimes not.

              • W
                Wayne Workman @Bob Henderson
                last edited by Apr 15, 2017, 2:15 AM

                @Bob-Henderson The sometimes not part - that’s probably a FOG client issue. Like encryption reset needing done or bad config or something.

                Copyright © 2012-2024 FOG Project