RE: Dhcp security
From: JJ Cummings (JJ.Cummings_at_greatcleaners.com)
Date: 01/21/05
- Previous message: Leonardo: "Re: Dhcp security"
- Maybe in reply to: Paul Aviles: "Dhcp security"
- Next in thread: sanjiv: "ISA server logs"
- Reply: sanjiv: "ISA server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Jan 2005 20:51:06 -0700
To: "Paul Aviles" <paviles@adjoined.com>, <focus-ms@securityfocus.com>
Paul,
One way "depending on how many clients you are servicing" would be to
create MAC (layer 2) based reservations, and only allow that exact
number of addresses in the available scope (again, each with a specific
MAC reservation). This does not, however, prevent static IP addressing
of unauthorized clients. For this you would need some hardware ACL
stuff, either on a switch capable of MAC filtering or route the traffic
through a security device (layer 2 again) before allowing network
access. All of this would have to be layer 2 at this point.
AND / OR...
Another option that could also be used in conjunction with the
aforementioned would be VLAN membership rubbish. By this I mean
configure a specific VLAN to have DHCP services on it; you then set up
the NIC on the client to be a member of this specific VLAN (most new
decent NICs allow for this) and configure the switchport/switch to allow
only traffic from this specific VLAN. I say use this in conjunction
with the first, because someone could figure out the VLAN ID and simply
set it, much like a static...so use both for a multi-layer approach
(always a good idea, "defense in depth").
I will think about this some more and give more specific info if you
like. I am fairly fried from sleep deprivation right now, so my brain
functions may not be functioning as they should :-P
Regards,
JJC
``The lyf so short, the craft so long to lerne.'' - Chaucer
-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Wednesday, January 19, 2005 3:30 PM
To: focus-ms@securityfocus.com
Subject: Dhcp security
I have a weird question, maybe. Is there a way to prevent our DHCP from
giving leases to computers not in our domain? I don't want anyone that
walks in to just connect and have the possibility of a network virus
getting loose. Is this possible?
My setup is a typical AD 2K environment, simple domain no empty root.
Thanks
Paul
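The reservation-only approach from the reply above, as an added example that is not code from the thread or from any DHCP server product: a toy DHCPv4 allocator that parses a raw DHCPDISCOVER, looks up the client hardware address (chaddr) in a reservation table, and answers only known MACs, plus the check that the scope holds exactly the reserved addresses and nothing else. The MAC addresses, hostnames and 192.168.10.0/24 range are constructed for the demo. Note the caveat the example makes visible: chaddr is supplied by the client, so a spoofed MAC passes this check, and a host with a static address never sends a DISCOVER at all, which is why the reply pairs it with layer 2 filtering.

```python
"""Toy DHCPv4 reservation allowlist (added example, not from the original thread)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 option-field marker at offset 236
BOOTREQUEST = 1
DHCP_DISCOVER = 1                     # option 53 message type
FIXED_HEADER_LEN = 236                # BOOTP fixed fields before the cookie

# Constructed allowlist: client MAC -> reserved address. The scope below must
# contain exactly these addresses so nothing unreserved can ever be offered.
RESERVATIONS = {
    "00:11:22:33:44:01": ipaddress.IPv4Address("192.168.10.11"),
    "00:11:22:33:44:02": ipaddress.IPv4Address("192.168.10.12"),
    "00:11:22:33:44:03": ipaddress.IPv4Address("192.168.10.13"),
}


def scope_matches_reservations(start, end, reservations):
    """True when the scope range equals the reserved addresses, i.e. there is
    no spare address a walk-in client could be leased."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    scope = {ipaddress.IPv4Address(a) for a in range(lo, hi + 1)}
    return scope == set(reservations.values())


def parse_discover(packet):
    """Return (dhcp_message_type, client_mac) from a raw BOOTP/DHCP datagram."""
    if len(packet) < FIXED_HEADER_LEN + 4 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != BOOTREQUEST or htype != 1 or hlen != 6:   # Ethernet only
        raise ValueError("unsupported BOOTREQUEST")
    # chaddr occupies bytes 28..43; only the first hlen bytes are meaningful.
    # This value comes from the client, so it is trivially spoofable.
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    msg_type = None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return msg_type, mac


def build_discover(mac, xid=0x3903F326):
    """Client side of the exchange: a minimal broadcast DHCPDISCOVER."""
    chaddr = bytes(int(x, 16) for x in mac.split(":")) + b"\x00" * 10
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, flags(broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\0" * 64, b"\0" * 128,             # chaddr, sname, file
    )
    options = bytes([53, 1, DHCP_DISCOVER, 255])
    return header + MAGIC_COOKIE + options


def offer_for(packet, reservations=RESERVATIONS):
    """Server side: the reserved address for a known MAC, or None (stay silent)."""
    msg_type, mac = parse_discover(packet)
    if msg_type != DHCP_DISCOVER:
        return None
    return reservations.get(mac)


if __name__ == "__main__":
    assert scope_matches_reservations("192.168.10.11", "192.168.10.13", RESERVATIONS)
    for mac in ("00:11:22:33:44:02", "de:ad:be:ef:00:01"):
        print(mac, "->", offer_for(build_discover(mac)))
    # A walk-in host that copies a reserved MAC gets the reserved address:
    print("spoofed 00:11:22:33:44:01 ->", offer_for(build_discover("00:11:22:33:44:01")))
```

The scope check is the part worth carrying over to a real server: on a Windows DHCP scope it corresponds to making the address range no larger than the reservation list (or excluding every unreserved address), so a lease request from an unknown MAC has nothing to draw from.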