RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: Frank Darden (fdarden@locked.com)
Date: 01/24/03


From: "Frank Darden" <fdarden@locked.com>
To: "Ben Nagy" <ben@iagu.net>, "Gary Flynn" <flynngn@jmu.edu>
Date: Fri Jan 24 20:47:19 2003

If I am not mistaken, http://www.metainfo.com also makes a DHCP server
that behaves in this manner.

Frank

-----Original Message-----
From: Ben Nagy [mailto:ben@iagu.net]
Sent: Friday, January 24, 2003 3:09 AM
To: Gary Flynn
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] DHCP in a corporate MS environment - Security
Risk?

----- Original Message -----
From: "Gary Flynn" <flynngn@jmu.edu>
[...]
> Ben Nagy wrote:
> > I remember many years ago now people were working on stuff that gave
you
a
> > DHCP lease on a temp VLAN (so you could get IP) then authenticated
you,
then
> > gave you another lease on a different VLAN as per your credentials.
The
> > problem was that it was really convoluted, and DHCP/database server
failure
> > was a show stopper.
[...]
> You mean something like this:
>
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/urt/uurt/
ur1p
lan.htm

Something exactly like that, actually. ;) Convoluted, requires an all
Cisco
switched to the user environment and the URT server is a point of
failure.
From what I hear it didn't sell well, despite being a fantastically cool
technical solution to a hard problem.

I noticed that you were involved in a unisog discussion about this
stuff,
Gary - I couldn't find enough of the messages in my quick search to work
out
whether anyone had a solution that they were satisfied with that didn't
require quite as much single vendor tomfoolery (not that I don't love
Cisco,
by the way). I think I saw something similar, as well, coming out of a
University that had to deal with the wireless issue, using VPN clients
and
proxies which was a seriously cool solution, although only tangentially
related and I'm not sure if it made it onto this list. Given the new
whitepaper on wireless MAC spoofing (and detection measures for same) I
guess people will be thinking about all that again.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards