Re: Dhcp security

From: Cory Stoker (cory_at_clearnetsec.com)
Date: 01/27/05

  • Next message: Manuel Sousa: "Domain logon without network connection + group policies"
    Date: Wed, 26 Jan 2005 16:58:41 -0700
    To: <focus-ms@securityfocus.com>
    
    

    Another interesting idea that is becoming popular is a process called
    end-point security. End-point security is kind of a vague term that implies
    the end-point (or host) needs to conform to a certain policy in order to be
    allowed network resources. Basically so far it boils down to some method of
    quarantining devices until they pass a battery of tests. After a device
    passes the test it is allowed access. There are quite a few commercial
    products and free software packages that follow the end-point security model. Off
    the top of my head I can think of:

    Cisco NAC (1)
    Microsoft NAP (Might not be released yet, maybe in Longhorn??) (2)
    Microsoft NAQC (Available in Windows 2003 server) (2)
    Perfigo CleanMachines (Bought by Cisco but is different than NAC) (3)
    StillSecure SafeAccess (4)
    802.1x (Free) (5)
    NetReg (Free) (6)

    These products implement end-point security in different ways. Some will
    set up a quarantine DHCP scope that will host the devices until they are
    compliant, then allow the device to obtain a real lease. Of course DHCP
    quarantining can be defeated with static IP addresses but it would stop the
    honest user infected with worms etc... The other main method of
    quarantining is to utilize either VLANs or private VLANs on switches to
    segregate the end-point device until it is tested and compliant. Then the
    end-point device will be moved into the proper VLAN. This method is more
    secure in regards to trying to circumvent the quarantining process but it is
    much more involved to implement. Another method which is a little different
    than the other two is more of a "Scan and Block" method. This is a device
    that is inline between the assets you want to protect and the devices you
    want to screen. A device cannot pass the inline device until it is
    compliant. 802.1x is a standard for authenticating network connections via
    EAP over Ethernet which is not a quarantining method per se but it would
    prevent anyone from connecting to your LAN that does not have a password and
    username....

    I hope this answers what I think is your problem of "How do I protect
    my internal assets from devices that might be "unclean" on my internal
    networks?"

    1) http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
    2) http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx
    3) http://www.perfigo.com/products/index.html
    4) http://www.stillsecure.com/products/sa/
    5) http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
    6) http://www.netreg.com

    Blabbing on and on....

    -- 
    Cory Stoker
    On 1/21/05 7:33 AM, "Shawn Wall" <sjwall@shaw.ca> wrote:
    > You could reserve every IP address on your DHCP server with MAC addresses
    > from your known user base. A pain in the hump for sure. If you have network
    > switches capable of L2 security you could lock down the ports to prevent
    > unauthorized MAC addresses from connecting to the network to begin with.
    > 
    > HTH 
    > 
    > -----Original Message-----
    > From: Paul Aviles [mailto:paviles@adjoined.com]
    > Sent: Wednesday, January 19, 2005 3:30 PM
    > To: focus-ms@securityfocus.com
    > Subject: Dhcp security
    > 
    > I have a weird question maybe. Is there a way to prevent our DHCP from
    > giving leases to computers not in our domain? I don't want anyone that walks
    > in to just connect and have the possibility of a network virus getting
    > loose. Is this possible?
    > 
    > My setup is a typical AD 2K environment, simple domain no empty root.
    > 
    > Thanks 
    > 
    > Paul
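As an added illustration of the DHCP-scope quarantine Cory describes, and of the static-IP bypass he notes, here is a small model (example code, not from any of the posters or the products listed): posture checks decide whether a host gets the quarantine or the production scope, and a second routine compares what is actually on the wire against the lease table to surface hosts that never asked DHCP at all. The scopes, posture checks, MACs and IPs are all constructed for the example.

```python
"""
Model of a DHCP quarantine scope plus the check a defender needs for the
bypass mentioned above: a host with a static IP never touches the
quarantine scope, so it is only visible by comparing the ARP / switch
tables against the DHCP server's leases.  All values are constructed.
"""
import ipaddress

QUARANTINE_SCOPE = "10.99.0.0/24"   # hosts that have not passed the checks (constructed)
PRODUCTION_SCOPE = "10.1.0.0/24"    # hosts that have (constructed)

# Hypothetical posture checks a host must pass before it gets a production
# lease; each is (name, predicate over the host's reported attributes).
POSTURE_CHECKS = [
    ("av_running",    lambda h: h.get("av_running") is True),
    ("patched",       lambda h: h.get("patch_level", 0) >= 3),
    ("domain_member", lambda h: h.get("domain") == "CORP"),
]


def assign_scope(host_attrs: dict) -> tuple[str, list[str]]:
    """Return (scope, failed_checks) for one host's posture report.
    Any failed check keeps the host in the quarantine scope."""
    failed = [name for name, ok in POSTURE_CHECKS if not ok(host_attrs)]
    return (QUARANTINE_SCOPE if failed else PRODUCTION_SCOPE), failed


def find_bypass_hosts(leases: dict[str, str], arp_table: dict[str, str]) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs seen on the wire inside the production scope
    that have no DHCP lease, or whose lease belongs to a different MAC.
    These are the static-IP (or address-spoofing) hosts that a DHCP-only
    quarantine cannot stop; the quarantine scope is open by design and
    is therefore not checked."""
    prod = ipaddress.ip_network(PRODUCTION_SCOPE)
    flagged = []
    for ip, mac in arp_table.items():
        if ipaddress.ip_address(ip) not in prod:
            continue
        if leases.get(ip) != mac:
            flagged.append((ip, mac))
    return sorted(flagged)


if __name__ == "__main__":
    print(assign_scope({"av_running": False, "patch_level": 1, "domain": "CORP"}))
    # Constructed lease table and ARP table for a demonstration run.
    leases = {"10.1.0.10": "00:11:22:33:44:55", "10.1.0.11": "00:11:22:33:44:66"}
    arp = {"10.1.0.10": "00:11:22:33:44:55", "10.1.0.11": "aa:bb:cc:dd:ee:ff",
           "10.1.0.200": "de:ad:be:ef:00:01", "10.99.0.5": "00:00:00:00:00:05"}
    print(find_bypass_hosts(leases, arp))
```

In practice the ARP or switch MAC table would be pulled periodically from the network gear and the lease table from the DHCP server; a flagged host is a candidate for port shutdown or VLAN quarantine, which is why the VLAN-based method Cory mentions holds up better against this bypass.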
