Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?
From: Ben Nagy (ben@iagu.net)
Date: 01/24/03
- Next message: Don Owens: "RE: [fw-wiz] Re: IP aliasing behind a PIX"
- Previous message: John Keeton: "Re: [fw-wiz] Blocking email through the web services"
- In reply to: Gary Flynn: "Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?"
- Next in thread: Noonan, Wesley: "RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?"
From: "Ben Nagy" <ben@iagu.net>
To: "Gary Flynn" <flynngn@jmu.edu>
Date: Fri Jan 24 08:55:51 2003
----- Original Message -----
From: "Gary Flynn" <flynngn@jmu.edu>
[...]
> Ben Nagy wrote:
> > I remember many years ago now people were working on stuff that gave you a
> > DHCP lease on a temp VLAN (so you could get IP) then authenticated you, then
> > gave you another lease on a different VLAN as per your credentials. The
> > problem was that it was really convoluted, and DHCP/database server failure
> > was a show stopper.
[...]
> You mean something like this:
>
> http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/urt/uurt/ur1plan.htm
Something exactly like that, actually. ;) Convoluted, requires an all-Cisco
switched-to-the-user environment and the URT server is a point of failure.
From what I hear it didn't sell well, despite being a fantastically cool
technical solution to a hard problem.
I noticed that you were involved in a unisog discussion about this stuff,
Gary - I couldn't find enough of the messages in my quick search to work out
whether anyone had a solution that they were satisfied with that didn't
require quite as much single vendor tomfoolery (not that I don't love Cisco,
by the way). I think I saw something similar, as well, coming out of a
University that had to deal with the wireless issue, using VPN clients and
proxies which was a seriously cool solution, although only tangentially
related and I'm not sure if it made it onto this list. Given the new
whitepaper on wireless MAC spoofing (and detection measures for same) I
guess people will be thinking about all that again.
Cheers,
ben