RE: Restricting DHCP addresses to known MAC's via Win2K DHCP server

From: Tim Vidas (iceburn@dangerzone.com)
Date: 05/20/02


From: "Tim Vidas" <iceburn@dangerzone.com>
To: "'leon'" <leon.inyc@verizon.net>
Date: Mon, 20 May 2002 15:33:23 -0500

Port security isn't just available on Cisco...it's available on many
'managed' switches...

You need to be careful when picking a switch and look at all the different
features. For example, on 3COM SuperStack switches you can set security
mode on or off for each port (it also learns the MAC of the first
frame), but it doesn't offer a monitoring port (mirrors all traffic to the
port for administrative parsing); it only allows one port to be mirrored
at a time.

It's a good security move to disable the ports not in use (another
feature many managed switches have) and enable security on the ones that
are in use.

-tim

-----Original Message-----
From: leon [mailto:leon.inyc@verizon.net]
Sent: Friday, May 17, 2002 8:30 PM
To: dsmith@granite.com; security-basics@securityfocus.com
Subject: RE: Restricting DHCP addresses to known MAC's via Win2K DHCP
server

This can be done with Cisco switches and port security. IN FACT you
don't even have to hard code the MAC address; you can actually tell the
switch to set the port for the MAC addy of the first frame it receives.

HTH,

Leon

-----Original Message-----
From: dsmith@granite.com [mailto:dsmith@granite.com]
Sent: Wednesday, May 15, 2002 10:04 AM
To: security-basics@securityfocus.com
Subject: Restricting DHCP addresses to known MAC's via Win2K DHCP server

There's been periodic discussion on this list about
restricting DHCP leases by MAC address and the relative
merits of doing so. My question is once the decision is
made to do it, how is it being done? Does anyone know how
to do it in a Win2K server environment? (Win2K DHCP
services...) If not possible, is there a typical strategy
people are using to restrict granting of DHCP addresses to
known MAC's?
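
An added example, not part of the thread or of any vendor tool: a small Python audit of an IOS-style switch config for the two practices recommended in the replies above (disable unused ports, enable port security on ports in use). The config sample is constructed and the function names are hypothetical; `switchport port-security mac-address sticky` is the Cisco IOS way of keeping the MAC address the port learns.

```python
import re

# Constructed sample of an IOS-style running config (not from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 switchport port-security mac-address sticky
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return interfaces

def audit_ports(config):
    """Classify each port: disabled, secured, or a finding to follow up."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            report[name] = "disabled"
        elif "switchport port-security" not in lines:
            # Sub-options alone (e.g. sticky) do not turn the feature on.
            report[name] = "FINDING: enabled without port security"
        elif "switchport port-security mac-address sticky" in lines:
            report[name] = "secured (sticky MAC)"
        else:
            report[name] = "secured (no sticky MAC)"
    return report

if __name__ == "__main__":
    print("\n".join(f"{p}: {s}" for p, s in audit_ports(SAMPLE_CONFIG).items()))
```

FastEthernet0/4 is the case worth noticing: it carries a sticky sub-command but lacks the bare `switchport port-security` line, so the audit reports it as unprotected.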
 


