Re: Preventing DHCP from allocating IPs

From: Hasnain Atique (hatique@hasnains.com)
Date: 12/06/02

    From: "Hasnain Atique" <hatique@hasnains.com>
    To: <ssgill@gilltechnologies.com>, "Rick Darsey" <rdarsey@aims1.com>, "jon kintner" <jon.kintner@lvcm.com>, <security-basics@securityfocus.com>
    Date: Sat, 7 Dec 2002 02:30:23 +0800
    
    

    My solution was somewhat more elaborate.

    I'd separated the network into sections, each connecting to a "backbone" of
    sorts. Each segment is physically separate with a Linux
    router/gateway/firewall linking the section to the backbone. Each Linux box
    knows which MAC addresses are valid within its segment and only allows that
    through to the backbone. DHCP within each segment allocates IP addresses to
    known MACs only.

    Net result is that unknown MAC addresses firstly don't get a DHCP
    allocation, and secondly can't make it outside of the local segment. Even if
    a smart user were to pick and choose an unused IP and use the right gateway
    address, because of MAC filtering they will be limited to the local segment.

    The downside is that every single MAC address has to be known before putting
    this in place (it's easily done with arpwatch), and there will be multiple
    gateways to maintain. But depending on your level of paranoia you'll
    probably like it.

    Finally, I certainly wouldn't want to automate the process of learning MAC
    addresses and updating DHCP allocation accordingly. Defeats the entire
    purpose!!

    ----- Original Message -----
    From: "Sarbjit Singh Gill" <ssgill@gilltechnologies.com>
    To: "Hasnain Atique" <hatique@hasnains.com>; "Rick Darsey"
    <rdarsey@aims1.com>; "jon kintner" <jon.kintner@lvcm.com>;
    <security-basics@securityfocus.com>
    Sent: Friday, December 06, 2002 4:24 PM
    Subject: RE: Preventing DHCP from allocating IPs

    > In my scenarios, the problem is some people who walk into this company are
    > visitors who come in with different laptops each time they walk in.
    > Sometimes they are genuine visitors who have the right to use the LAN and
    > sometimes these people are visitors who we do not trust or are first-time
    > visitors.
    >
    > Also the whole idea was to automate the process. Can the ISC dhcpd and
    > dhcp log process be automated? I guess the matching of the MAC to the
    > user will have to be very manual. And as I mentioned above, what happens
    > if the dude shows up again a few days later with another laptop?
    >
    > and of course the smart people to worry about.
    >
    > Cheers
    > Gill
    >
    > -----Original Message-----
    > From: Hasnain Atique [mailto:hatique@hasnains.com]
    > Sent: Friday, December 06, 2002 10:26 AM
    > To: ssgill@gilltechnologies.com; Rick Darsey; jon kintner;
    > security-basics@securityfocus.com
    > Subject: Re: Preventing DHCP from allocating IPs
    >
    >
    >
    > What about configuring DHCP to assign IP addresses to known MAC addresses
    > only? I know ISC dhcpd does this and have used it for a couple of clients.
    > It was fairly easy to build a dhcpd.conf from the dhcp log file .. so no
    > real headache with collecting MAC addresses for the initial configuration.
    > But you may still want to match each MAC address to its owner before
    > putting it in the config file.
    >
    > This still allows the smarter people to pick and choose an unused IP to
    > bypass the DHCP mechanism altogether. There's a cycle-intensive solution:
    > use iptables with MAC-matching for all known MACs.
    >
    > -- Hasnain
    >
    > ----- Original Message -----
    > From: "Sarbjit Singh Gill" <ssgill@gilltechnologies.com>
    > To: "Rick Darsey" <rdarsey@aims1.com>; "jon kintner" <jon.kintner@lvcm.com>;
    > <security-basics@securityfocus.com>
    > Sent: Thursday, December 05, 2002 7:14 AM
    > Subject: RE: Preventing DHCP from allocating IPs
    >
    >
    > > That was one of my options but seems like the Administrators did want to
    > > be bothered every time somebody needed an IP.
    > >
    > > Gill
    > >
    > > -----Original Message-----
    > > From: Rick Darsey [mailto:rdarsey@aims1.com]
    > > Sent: Wednesday, December 04, 2002 4:05 AM
    > > To: jon kintner; ssgill@gilltechnologies.com;
    > > security-basics@securityfocus.com
    > > Subject: RE: Preventing DHCP from allocating IPs
    > >
    > >
    > >
    > > I know this sounds like a really bad way of doing this, but it is the
    > > only way I can come up with off the top of my head:
    > >
    > > Turn off DHCP!! Statically assign all addresses in your LAN. If a visitor
    > > wants access to your network, they will have to come to you to obtain the
    > > address, or better yet, create a small DHCP pool that visitors can use,
    > > but limit the size to prevent users you do not want from accessing the
    > > network. The initial setup of the static addresses will take time, but
    > > the small DHCP pool will still allow visitors to plug in when needed.
    > >
    > > Rick
    > >
    > > -----Original Message-----
    > > From: jon kintner [mailto:jon.kintner@lvcm.com]
    > > Sent: Monday, December 02, 2002 1:04 PM
    > > To: ssgill@gilltechnologies.com; security-basics@securityfocus.com
    > > Subject: Re: Preventing DHCP from allocating IPs
    > >
    > >
    > > I know MAC addresses can be spoofed pretty easily, but could you set up
    > > an access list or filter that would disallow all MAC addresses except for
    > > the ones specified on your network(s)?
    > > The initial setup would probably be tedious, but it's worked fairly well
    > > to keep most unauthorized logins off the network at the college I attend.
    > >
    > > -jon kintner
    > >
    > > ----- Original Message -----
    > > From: "Sarbjit Singh Gill" <ssgill@gilltechnologies.com>
    > > To: <security-basics@securityfocus.com>
    > > Sent: Monday, December 02, 2002 7:22 AM
    > > Subject: Preventing DHCP from allocating IPs
    > >
    > >
    > > > Greetings all,
    > > >
    > > > How do I prevent a client from getting an IP from my DHCP in an
    > > > Ethernet network? I know I could reserve IPs for all other clients and
    > > > nobody gets an IP unless reserved earlier, but I have hundreds of
    > > > clients. I frequently have visitors who need to plug in their laptops
    > > > into the network and I have visitors who are not allowed to plug in
    > > > their laptops into the network and get IPs. I do not want these
    > > > visitors who are not allowed to access the network to get an IP and
    > > > start accessing the internet through my network.
    > > >
    > > > What about in a wireless environment? How do I prevent it in a similar
    > > > capacity?
    > > >
    > > > Kind Regards
    > > > Gill
    > > >
    > >
    > >
    > >
    > >
    >
    >
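
    The segment-gateway setup Hasnain describes above (ISC dhcpd leasing only to
    known MACs, plus iptables MAC matching on the gateway), worked through as an
    added example that is not code from anyone in this thread. It does the two
    things the thread mentions: it builds the host stanzas for dhcpd.conf from
    dhcpd's own DHCPACK log lines, and it emits the iptables rules for the
    segment-side interface. The log lines, the eth1 interface, the
    192.168.10.0/24 subnet and the SEG_KNOWN chain name are all constructed for
    the example. The iptables rules go one step further than the post's MAC-only
    filter by pinning each known MAC to its fixed address, so a known machine
    that hand-picks a different unused IP is dropped too. As jon kintner notes
    further down the thread, none of this stops a visitor who simply clones a
    known MAC; it raises the bar, it is not authentication.

```sh
#!/bin/sh
# Added example, not from the thread: generate a "known MACs only" ISC dhcpd
# config and matching iptables rules from dhcpd's syslog output.
# All sample data below is constructed for the example.

# Constructed sample of ISC dhcpd syslog lines on the segment gateway.
SAMPLE_LOG='Dec  6 10:26:01 seg1-gw dhcpd: DHCPDISCOVER from 00:0c:29:ab:cd:ef via eth1
Dec  6 10:26:01 seg1-gw dhcpd: DHCPOFFER on 192.168.10.23 to 00:0c:29:ab:cd:ef (laptop1) via eth1
Dec  6 10:26:01 seg1-gw dhcpd: DHCPACK on 192.168.10.23 to 00:0c:29:ab:cd:ef (laptop1) via eth1
Dec  6 10:31:44 seg1-gw dhcpd: DHCPACK on 192.168.10.45 to 00:50:56:11:22:33 via eth1
Dec  6 11:02:10 seg1-gw dhcpd: DHCPACK on 192.168.10.23 to 00:0c:29:ab:cd:ef (laptop1) via eth1'

# stdin: dhcpd syslog lines. stdout: one "<mac> <ip>" line per MAC that was
# actually ACKed (offers and discovers are ignored), last lease wins, sorted
# so the output is stable. The "on" / "to" keywords are located by position
# in the line rather than by fixed field number, so the syslog prefix width
# does not matter.
known_macs_from_log() {
    awk '/DHCPACK on/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "on") ip = $(i + 1)
                if ($i == "to") mac = $(i + 1)
            }
            last[mac] = ip
        }
        END { for (m in last) print m, last[m] }' | sort
}

# stdin: "<mac> <ip>" lines. args: subnet netmask router.
# stdout: a dhcpd.conf with no dynamic range and unknown clients denied, so
# only the listed hardware addresses ever receive a lease (each gets its
# fixed-address, which is what the iptables rules below pin it to).
dhcpd_conf_from_known() {
    printf 'deny unknown-clients;\n'
    printf 'subnet %s netmask %s {\n    option routers %s;\n}\n' "$1" "$2" "$3"
    awk '{
            name = $1; gsub(/:/, "", name)
            printf "host h-%s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n", name, $1, $2
        }'
}

# stdin: "<mac> <ip>" lines. arg: segment-side interface.
# stdout: iptables commands that forward traffic off the segment only for
# known MAC/IP pairs; everything else entering on that interface is dropped.
# The mac match only sees incoming frames, so it belongs in FORWARD (or
# INPUT/PREROUTING), never in OUTPUT.
iptables_mac_rules() {
    printf 'iptables -N SEG_KNOWN\n'
    printf 'iptables -A FORWARD -i %s -j SEG_KNOWN\n' "$1"
    awk '{
            printf "iptables -A SEG_KNOWN -m mac --mac-source %s -s %s -j ACCEPT\n", $1, $2
        }'
    printf 'iptables -A SEG_KNOWN -j DROP\n'
}

# Stand-alone run: print what the segment gateway would be configured with.
KNOWN=$(printf '%s\n' "$SAMPLE_LOG" | known_macs_from_log)
printf '%s\n' "$KNOWN" | dhcpd_conf_from_known 192.168.10.0 255.255.255.0 192.168.10.1
printf '%s\n' "$KNOWN" | iptables_mac_rules eth1
```

    In practice you would feed it the real log (for example
    `grep dhcpd /var/log/syslog | known_macs_from_log`), review the resulting
    list against who actually owns each machine, as the thread says, and only
    then install the config and rules; the generated file is the input to that
    review, not a substitute for it.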
