Re: assigning ip addresses on a secure way
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/19/04
- Next message: natej315_at_msn.com: "xp defrag"
- Previous message: Kevin Weilbacher [SBS-MVP]: "Re: MBSA 1.2.1 launched today"
- In reply to: eric romero: "assigning ip addresses on a secure way"
- Next in thread: eric romero: "Re: assigning ip addresses on a secure way"
- Reply: eric romero: "Re: assigning ip addresses on a secure way"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Aug 2004 02:01:53 GMT
DHCP works off of broadcasts. In a normal network configuration, any computer that
has network access to a DHCP server can get an address as long as there are address
leases available that are not reserved. DHCP reservations can take a lot of time to
configure on a larger network and there are reports of users saying that unused
reservations have been leased to DHCP clients booting on the network when there are
no addresses left in the lease pool.
One way to manage what you want is to use a managed switch with security features.
These types of switches are reasonably priced these days. For instance, the HP Procurve
2524 goes for $400 or less on Ebay with a lifetime warranty and with current firmware
offers port isolation, mac filtering, vlans, and 802.1X authentication. That switch
allows you to filter mac addresses in a learn mode that can lock ports to the current
mac address without any manual configuration of address tables. It can also block a
port where an intrusion is detected and issue an alert. Note that mac address
security is not 100 percent secure but is still a good measure to block access from
all but malicious users which should be dealt with severely. 802.1X is much better
but involves more infrastructure and compatible operating systems. Port isolation
allows ports on the switch to only access other assigned ports in a variety of
configurations and can allow all computers internet access while not allowing access
to other restricted ports on the switch.
http://www.hp.com/rnd/products/switches/switch2524-2512/overview.htm
Using DHCP as a security measure is of little value in that it is easy to find the
network IP address of a lan and manually configure tcp/ip info to gain access.
Another option is ipsec policies. Only W2K, XP Pro, and Windows 2003 are ipsec aware.
Within a domain ipsec by default will use kerberos authentication and any computer
that is not a domain member will not be authenticated for ipsec. Any computer that
has an ipsec require policy will refuse connection attempts from computers that cannot
use ipsec or comply with the ipsec policy. However, domain controllers cannot
engage in ipsec ESP/AH communications with domain members and need to be exempt from
such ipsec policies by their static IP addresses. --- Steve
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp --
ipsec procedures.
"eric romero" <e.romero@cgnet.com> wrote in message
news:%23b9xPnWhEHA.2908@TK2MSFTNGP10.phx.gbl...
> Hi all,
>
> I have a Microsoft domain running Microsoft DHCP, I want to know what is the
> best way to assign ips securely.
> i.e. if a vendor comes to the office I do not want his/her laptop to obtain an
> ip, ips must be assigned just to office's computers.
>
> thx
>
>
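As an added example that is not part of the original post: since the post's point is that DHCP only accounts for leases, a defender can reconcile what is actually present on the LAN with what the DHCP server handed out. The script below uses constructed sample data in a simplified "ip mac" line format (not a real Windows DHCP lease export) and flags addresses in use with no lease, leases whose MAC does not match what is on the wire, and leases granted to equipment outside the office allow-list.

```python
"""Cross-check a gateway ARP table against DHCP leases and office MACs.
Added example, not from the original post; all data and formats below are
constructed and simplified (not a real Windows DHCP lease export)."""

# Constructed: active DHCP leases, "ip mac hostname" per line.
DHCP_LEASES = """\
192.168.1.20 00-0c-29-aa-01-01 ws-finance01
192.168.1.21 00-0c-29-aa-01-02 ws-finance02
192.168.1.22 00-0c-29-aa-01-03 lt-sales05
192.168.1.23 00-50-56-bb-02-02 visitor-pc
"""
# Constructed: ARP table observed on the LAN gateway, "ip mac" per line.
ARP_TABLE = """\
192.168.1.1   00-11-22-33-44-01
192.168.1.20  00-0c-29-aa-01-01
192.168.1.21  00-0c-29-aa-01-02
192.168.1.22  00-1b-63-ff-00-78
192.168.1.23  00-50-56-bb-02-02
192.168.1.200 00-1b-63-ff-00-77
"""
# Constructed: MACs of office-owned machines (what a managed switch's
# learn mode would record) and hosts that are static by design.
KNOWN_MACS = {"00:0c:29:aa:01:01", "00:0c:29:aa:01:02", "00:0c:29:aa:01:03"}
STATIC_HOSTS = {"192.168.1.1"}  # gateway, exempt from the lease check

def parse_table(text):
    """Return {ip: mac} from whitespace-separated lines; MACs normalised."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1].lower().replace("-", ":")
    return table

def audit(arp_text=ARP_TABLE, lease_text=DHCP_LEASES,
          known_macs=KNOWN_MACS, static_hosts=STATIC_HOSTS):
    """List (ip, mac, reason) for hosts the DHCP server cannot account for."""
    arp, leases = parse_table(arp_text), parse_table(lease_text)
    findings = []
    for ip, mac in sorted(arp.items()):
        if ip in static_hosts:
            continue
        if ip not in leases:          # manually configured TCP/IP, no lease
            findings.append((ip, mac, "no_dhcp_lease"))
        elif leases[ip] != mac:       # lease exists but another MAC uses the IP
            findings.append((ip, mac, "lease_mac_mismatch"))
        elif mac not in known_macs:   # lease handed to non-office equipment
            findings.append((ip, mac, "leased_to_unknown_mac"))
    return findings
```

Run on a real network, the ARP table would come from the gateway or switch and the lease list from the DHCP server; the "no_dhcp_lease" hits are the manually configured hosts the post warns DHCP alone cannot keep out.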