RE: Dhcp security

From: Pidgorny, Slav (slav.pidgorny_at_anz.com)
Date: 01/27/05

Next message: Danny: "Re: Domain logon without network connection + group policies"

Previous message: STEVE MAKOUSKY: "Re: Domain logon without network connection + group policies"
Maybe in reply to: Paul Aviles: "Dhcp security"
Next in thread: Cory Stoker: "Re: Dhcp security"
Reply: Cory Stoker: "Re: Dhcp security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 28 Jan 2005 09:50:24 +1100
To: "Cory Stoker" <cory@clearnetsec.com>, <focus-ms@securityfocus.com>

Hi Cory,

Just few notes about 802.1x:

* For the wired networks, 802.1x (as implemented by Microsoft and Cisco) just enables a switch port after one of the devices connected to the port authenticates - because the link between the switch port and the client is sort of trusted by 802.1x. As such, this allows to place unauthorised devices on the 802.1x-enabled network. I have conducted a proof of concept for this:

http://sl.mvps.org/docs/802dot1x.htm

Note that only physical connection is required - all the necessary information to create the "shadow host" can be sniffed. Shadow host will receive DHCP leases and bypass any MAC controls in place.

* Microsoft has plans to implement NAP for 802.1x, as well as for DHCP and IPsec. Choosing IPsec over 802.1x and especially DHCP is a good idea though.

Regards

Slav

> -----Original Message-----
> From: Cory Stoker [mailto:cory@clearnetsec.com]

> 802.1x is a standard of authentication network
> connections via
> EAP over Ethernet which is not a quarantining method per se
> but it would
> prevent anyone from connecting to your LAN that does not have
> a password and
> username....
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Danny: "Re: Domain logon without network connection + group policies"

Previous message: STEVE MAKOUSKY: "Re: Domain logon without network connection + group policies"
Maybe in reply to: Paul Aviles: "Dhcp security"
Next in thread: Cory Stoker: "Re: Dhcp security"
Reply: Cory Stoker: "Re: Dhcp security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Router install problem
... that's the Internet (the Wide Area ... LAN side of the router is ... "Internet Connection Wizard" are relevant to the way I was trying to ... and 5 buttons on the left (Wizard, Wireless, WAN, LAN, DHCP). ...
(microsoft.public.windowsxp.network_web)
Re: No DNS resolution with ICS
... >> Then switch it back to DHCP. ... >> Microsoft Knowledge Base Articles dealing with Internet Connection ... I have a feeling that either the PPPoE installation on ... F&P and MS Client is NOT needed on the external interface. ...
(microsoft.public.win2000.dns)
Re: Vista Client will not connect to SBS network suddenly
... When Steve mentioned about ISA 2004 causing DHCP connection problems, ... DHCP problem. ... while waiting for the DHCP server. ... Cris Hanna [SBS - MVP] ...
(microsoft.public.windows.server.sbs)
Re: Router install problem
... that's the Internet (the Wide Area ... LAN side of the router is ... "Internet Connection Wizard" are relevant to the way I was trying to ... Click the DHCP button. ...
(microsoft.public.windowsxp.network_web)
Re: DHCP too slow - trying to cache
... So, when you *don't* use DHCP, the connection is 20-30 seconds faster? ... > wi-fi television remote control designed to be used in the home. ... Even if you've reconnected before the lease expires, ...
(microsoft.public.windowsce.app.development)