Re: DHCP

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 04/15/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 15 Apr 2003 15:32:49 -0400


I don't see how this is really feasible, considering that 1) DHCP would be
responsible for passing IP addresses to Linux and other non-Windows clients,
2) you'd need to design and install DHCP client software for all Microsoft
and non-Microsoft platforms, 3) this would all differ and conflict with
existing DHCP RFCs which are not under Microsoft's control, 4) you'd have to
configure every computer to be able to authenticate before putting it on the
network, 5) the authentication would probably need to be per machine and not
per user, so that this would not prevent an unauthorized person from using
an authorized computer, and most importantly:

6) none of this would prevent an intruder from choosing their own static IP
address and getting on the network anyways.

This question is frequently asked here, and the usual answer is either

1) to use DHCP reservations on the server to bind a particular MAC address /
NIC card to a particular IP address [which might be a lot of work for the
administrator to do if the network was large],

2) use a network IDS product to monitor MAC address to IP address mappings
[which would possibly generate a lot of false alarms and extra work and
would just be detective and not preventative] or

3) use some form of per-user authentication at the switch, proxy server or
firewall.

You can search the microsoft.public.* newsgroups for past answers on this by
going to www.google.com/advanced_group_search

"Gabe" <gabe_voss@nps.gov> wrote in message
news:04b001c3036f$762e60f0$2f01280a@phx.gbl...
> consider the following:
> Joe Bloe sneaks into our office building with his own
> notebook computer. He finds an empty office, plugs his
> notebook into the network port on the wall, fires it up,
> does a login to his notebook's local account and gets an
> IP address and access to WAN resources without knowing
> even as much as a username, password, or domain name.
>
>
> ok, maybe my IT security person is being a bit PARANOID.
>
> This could happen. Are there plans for
> an "authenticating" DHCP server from Microsoft?
> .
>
>
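
An added example, not part of the original post: a minimal form of the MAC-to-IP monitoring from option 2 of the reply, checked against DHCP reservations as in option 1. The reservation table, the observed pairs and the function names are constructed for illustration; the script only reports mismatches, so it is detective rather than preventative, as the reply notes.

```python
# Added example: compare observed IP/MAC pairs against DHCP reservations.
# All addresses below are constructed sample data.

RESERVATIONS = {  # MAC -> reserved IP, as an admin would enter on the DHCP server
    "00:11:22:33:44:01": "10.0.0.11",
    "00:11:22:33:44:02": "10.0.0.12",
}

# Constructed observations, e.g. parsed from a router ARP table: (ip, mac)
OBSERVED = [
    ("10.0.0.11", "00-11-22-33-44-01"),  # matches its reservation
    ("10.0.0.50", "00:11:22:33:44:02"),  # known NIC on a self-assigned address
    ("10.0.0.12", "de:ad:be:ef:00:01"),  # unknown NIC on a reserved address
    ("10.0.0.77", "DE:AD:BE:EF:00:02"),  # unknown NIC, unreserved static address
]

def normalize_mac(mac):
    """Canonicalize separators and case so the same NIC always compares equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed, reservations):
    """Return (ip, mac, finding) for every pair that deviates from the reservations."""
    by_mac = {normalize_mac(m): ip for m, ip in reservations.items()}
    by_ip = {ip: mac for mac, ip in by_mac.items()}
    findings = []
    for ip, raw_mac in observed:
        mac = normalize_mac(raw_mac)
        if by_mac.get(mac) == ip:
            continue  # expected mapping, nothing to report
        if mac in by_mac:
            findings.append((ip, mac, f"known NIC off its reservation {by_mac[mac]}"))
        elif ip in by_ip:
            findings.append((ip, mac, f"unknown NIC on address reserved for {by_ip[ip]}"))
        else:
            findings.append((ip, mac, "unknown NIC on unreserved address"))
    return findings

if __name__ == "__main__":
    for ip, mac, finding in audit(OBSERVED, RESERVATIONS):
        print(f"{ip:<12} {mac}  {finding}")
```

The last constructed pair is the case from point 6 of the reply: a machine that never asked DHCP for a lease still shows up once its address is seen on the wire.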


