-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On behalf of John Bailey
Sent: Friday, May 22, 2009 12:53
To: Doug McFarland
CC: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: DHCP

Doug McFarland wrote:
Hi all,

I am looking for a way to block any PC that plugs into my network and
is not authorized from accessing any network resources (servers, firewalls,
etc.). Is there a way in DHCP that I can add reservations just for the
PCs that I want to allow the network resources, and any other PC
that happens to be plugged into the network either doesn't get an IP
address, gets a dummy IP address, or something else? I've heard
Windows Server 2008 can do this, but I'm not sure about 2003. Any
suggestions would be greatly appreciated.

Best regards,


You can create reservations for every client, sure. If you have no
addresses in the scope that are not excluded for reservations,
additional clients will not be able to obtain an IP address. That has
only limited usefulness, though, as anyone with sufficient clue can
modify their MAC address to match one of the existing clients and plug
in in its place. For a Linux user, it's trivial--"ifconfig eth0 hw
ether xx:xx:xx:xx:xx:xx", and for other OSes it's only somewhat more



Step 1: create a DHCP server with information about your "registered"
MACs; this server will send the IP address and parameters to configure the
*authorized* clients.
Step 2: create a second DHCP server with information about a
nonexistent network (another IP scope), several parameters, and, this is
the important part, a DNS record for a nonexistent server whose route is
found inside your network (let's say an internal machine which is not
configured); now you can obtain a list of the MACs registered with this
Step 3: take as input the *decoy MAC* address list and send them a
FIN frame every 5 minutes.
Step 4: You can take a look at your firewall's internal interface for the
MAC addresses coming from inside your network. You can sort this list and
remove the *authorized* MAC addresses, according to the information actually kept
from step 1.
Step 5: Add the addresses that remain in the list from Step 4 and go back to
Step 3.

It's done.

I hope this could help.
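The allowlist comparison that both replies rely on (John's point that reservations for every client only help if you know which MACs are on the wire, and Step 4 above, which removes the authorized MACs from what the firewall's inside interface sees) can be scripted. The following is an added example, not code from the original thread or from any of its authors. It assumes two constructed inputs: a reservation list in a made-up "name MAC IP" format (what you would export from the DHCP console) and an ARP table in the style of Linux `ip neigh` output; the MAC normalizer accepts the colon, dash and Cisco dot notations so Windows and Linux exports can be compared directly. As a labelled extension of John's cloning caveat, it also flags a reserved MAC that shows up at an IP other than its reservation; a clone that sits at the reserved IP in place of the real host is indistinguishable in this table, which is exactly his point.

```python
"""Audit MAC addresses seen on the network against a DHCP reservation list.

Added example (not from the original thread). Inputs are constructed:
an allowlist of reserved MACs and an ARP/neighbour table dumped from the
firewall's inside interface. Output: MACs on the wire that are not reserved,
plus reserved MACs that appear with an IP other than the reserved one.
"""
import re

# Constructed allowlist: reservation name, MAC (mixed notations), reserved IP.
RESERVATIONS_TEXT = """\
ws-doug    00-1A-2B-3C-4D-5E   192.168.10.21
ws-acct    00:1a:2b:3c:4d:5f   192.168.10.22
printer1   001A.2B3C.4D60      192.168.10.30
"""

# Constructed ARP table from the firewall's inside interface (`ip neigh` style).
# The last line reuses ws-doug's MAC at a different IP on purpose.
ARP_TEXT = """\
192.168.10.21 dev eth1 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.10.22 dev eth1 lladdr 00:1a:2b:3c:4d:5f STALE
192.168.10.30 dev eth1 lladdr 00:1a:2b:3c:4d:60 REACHABLE
192.168.10.77 dev eth1 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.10.99 dev eth1 lladdr 00:1a:2b:3c:4d:5e REACHABLE
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonical lowercase colon form; accepts aa:bb, AA-BB and aabb.ccdd styles."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_reservations(text):
    """Return {mac: (name, reserved_ip)} from 'name mac ip' lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, mac, ip = parts
        table[normalize_mac(mac)] = (name, ip)
    return table


_ARP_LINE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)")


def parse_arp(text):
    """Return [(ip, mac)] from `ip neigh`-style lines; entries without lladdr are skipped."""
    seen = []
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            seen.append((m.group(1), normalize_mac(m.group(2))))
    return seen


def audit(reservations, arp_entries):
    """Return (unauthorized, suspicious).

    unauthorized: sorted [(ip, mac)] whose MAC has no reservation.
    suspicious:   sorted [(ip, mac, reserved_ip)] where a reserved MAC is seen
                  at an IP other than its reservation (possible clone).
    """
    unauthorized = []
    suspicious = []
    for ip, mac in arp_entries:
        if mac not in reservations:
            unauthorized.append((ip, mac))
        else:
            _name, reserved_ip = reservations[mac]
            if ip != reserved_ip:
                suspicious.append((ip, mac, reserved_ip))
    return sorted(unauthorized), sorted(suspicious)


if __name__ == "__main__":
    res = parse_reservations(RESERVATIONS_TEXT)
    unauth, susp = audit(res, parse_arp(ARP_TEXT))
    for ip, mac in unauth:
        print("UNAUTHORIZED %s at %s" % (mac, ip))
    for ip, mac, rip in susp:
        print("SUSPICIOUS   %s at %s (reserved for %s)" % (mac, ip, rip))
```

Run it against a real export by replacing the two constructed strings with the contents of your reservation export and an ARP dump taken on the inside interface; the normalizer is what keeps a Windows dash-separated export and a Linux colon-separated table from producing false "unauthorized" hits.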
