Re: IP address assignment problem
- From: Denis Jedig <seclists@xxxxxxxxxxxx>
- Date: Sat, 26 Aug 2006 01:32:43 +0200
Davy Davidson wrote:
I have a little problem and seek your thoughts. Let's assume I'm in a very open environment where everyone can very easily try to get his/her laptop on the network, IP addresses are assigned by a DHCP server, and we are in a domain environment. How do I prevent machines that are not part of our domain from being assigned an IP address?
This is a chicken-and-egg problem: since DHCP precedes all meaningful communication in most networks, this can only be done by denying DHCP communication beforehand. The clients will need to prove that they are members of the domain before they are able to get served by a DHCP server. You can achieve this by using 802.1x throughout your network, but this will require appropriate equipment.
Mostly, the problem "I do not want to get them a DHCP address" can be refined as "I do not want them to communicate with any of my domain members", which can be achieved by, for example, only allowing encrypted communications (i.e. implementing IPSEC) for every domain member. You should be able to trust the domain authentication mechanisms not to let just anybody get to your domain machines, providing your password policy is feasible, your systems are patched and access controls are set correctly (read: with the least privilege needed).
Denis