Re: assigning ip addresses on a secure way

From: eric romero (e.romero_at_cgnet.com)
Date: 08/19/04


Date: Thu, 19 Aug 2004 13:59:48 -0700

Thank you for the information. Probably the answer is no, but I still want to
ask: with DHCP superscopes, it looks to me that I can create 2 scopes, 192.168. and
10.3.15, so the DHCP will assign these IPs. Is it possible under the
superscope scenario to configure the DHCP to assign 10.3. IPs just to the
office computers and 192.168 to a visitor?

thx
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:lSTUc.281905$%_6.28000@attbi_s01...
> DHCP works off of broadcasts. In a normal network configuration, any computer that
> has network access to a DHCP server can get an address as long as there are address
> leases available that are not reserved. DHCP reservations can take a lot of time to
> configure on a larger network and there are reports of users saying that unused
> reservations have been leased to DHCP clients booting on the network when there are
> no addresses left in the lease pool.
>
> One way to manage what you want is to use a managed switch with security features.
> These type of switches are reasonably priced these days. For instance the HP Procurve
> 2524 goes for $400 or less on Ebay with a lifetime warranty and with current firmware
> offers port isolation, mac filtering, vlans, and 802.1X authentication. That switch
> allows you to filter mac addresses in a learn mode that can lock ports to the current
> mac address without any manual configuration of address tables. It can also block a
> port where an intrusion is detected and issue an alert. Note that mac address
> security is not 100 percent secure but is still a good measure to block access from
> all but malicious users which should be dealt with severely. 802.1X is much better
> but involves more infrastructure and compatible operating systems. Port isolation
> allows ports on the switch to only access other assigned ports in a variety of
> configurations and can allow all computers internet access while not allowing access
> to other restricted ports on the switch.
>
> http://www.hp.com/rnd/products/switches/switch2524-2512/overview.htm
>
> Using DHCP as a security measure is of little value in that it is easy to find the
> network IP address of a lan and manually configure tcp/ip info to gain access.
> Another option is ipsec policies. Only W2K, XP Pro, and Windows 2003 are ipsec aware.
> Within a domain ipsec by default will use kerberos authentication and any computer
> that is not a domain member will not be authenticated for ipsec. Any computer that
> has an ipsec require policy will refuse connection attempts from computers that can
> not use ipsec or comply with the ipsec policy. However domain controllers can not
> engage in ipsec ESP/AH communications with domain members and need to be exempt from
> such ipsec policies by their static IP addresses. --- Steve
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp -- ipsec procedures.
>
>
> "eric romero" <e.romero@cgnet.com> wrote in message
> news:%23b9xPnWhEHA.2908@TK2MSFTNGP10.phx.gbl...
> > Hi all,
> >
> > I have a Microsoft domain running Microsoft DHCP, I want to know what is the
> > best way to assign ips securely.
> > i.e if a vendor comes to the office I do not want his/her laptop to obtain an
> > ip, ips must be assigned just to office's computers.
> >
> > thx
> >
> >
>
>
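An added example, not part of the original thread: since the reply notes that DHCP leases any free address to whoever asks and that a host can simply be configured by hand, an administrator can audit for both cases by reconciling the DHCP lease list against what the ARP table actually shows. The 10.3.15.0/24 subnet, the MAC inventory, the lease export shape and every address below are constructed assumptions, and a MAC inventory carries the same limitation the reply gives for MAC filtering.

```python
import ipaddress

# Constructed sample data; the subnet, MACs and addresses are assumptions.
OFFICE_NET = ipaddress.ip_network("10.3.15.0/24")
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}
LEASES = {  # ip -> mac, as exported from the DHCP server
    "10.3.15.20": "00:11:22:aa:bb:01",
    "10.3.15.21": "00:11:22:aa:bb:02",
    "10.3.15.22": "00:de:ad:00:00:09",
}
OBSERVED = [  # (ip, mac) pairs seen in a router or switch ARP table
    ("10.3.15.20", "00:11:22:AA:BB:01"),
    ("10.3.15.21", "00:11:22:aa:bb:03"),
    ("10.3.15.22", "00:de:ad:00:00:09"),
    ("10.3.15.50", "00:de:ad:00:00:0a"),
    ("192.168.1.5", "00:de:ad:00:00:0b"),
]

def classify(ip, mac, leases=LEASES, inventory=INVENTORY, net=OFFICE_NET):
    """Return a verdict for one observed (ip, mac) pair."""
    mac = mac.lower()
    if ipaddress.ip_address(ip) not in net:
        return "outside-office-net"        # e.g. the visitor range
    leased_to = leases.get(ip)
    if leased_to is None:
        return "static-no-lease"           # address in use, never leased
    if leased_to.lower() != mac:
        return "lease-mac-mismatch"        # someone else holds this lease
    if mac not in inventory:
        return "leased-to-unknown-mac"     # DHCP served a non-office device
    return "ok"

def audit(observed=OBSERVED):
    """Map each observed (ip, lowercase mac) pair to its verdict."""
    return {(ip, mac.lower()): classify(ip, mac) for ip, mac in observed}

def findings(observed=OBSERVED):
    """Office-subnet addresses that need follow-up, sorted."""
    skip = ("ok", "outside-office-net")
    return sorted(ip for (ip, _), v in audit(observed).items() if v not in skip)

if __name__ == "__main__":
    for (ip, mac), verdict in audit().items():
        print(f"{ip:<14} {mac}  {verdict}")
```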

