Re: assigning ip addresses on a secure way
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/20/04
- Next message: Mike Chan [MSFT]: "Re: MBSA 1.2.1 launched today"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Deleting an Email"
- In reply to: eric romero: "Re: assigning ip addresses on a secure way"
- Next in thread: eric romero: "Re: assigning ip addresses on a secure way"
Date: Fri, 20 Aug 2004 00:55:10 GMT
As Phillip mentioned, that will not work. --- Steve
"eric romero" <e.romero@cgnet.com> wrote in message
news:Op8049ihEHA.632@TK2MSFTNGP12.phx.gbl...
> Thank you for the information. Probably the answer is no, but I still want
> to ask: with DHCP superscopes, it looks to me like I can create 2 scopes,
> 192.168. and 10.3.15, so the DHCP will assign these IPs. Is it possible under
> the superscope scenario to configure the DHCP to assign 10.3 IPs just to the
> office computers and 192.168 to a visitor?
>
> thx
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:lSTUc.281905$%_6.28000@attbi_s01...
>> DHCP works off of broadcasts. In a normal network configuration, any
>> computer that has network access to a DHCP server can get an address as
>> long as there are address leases available that are not reserved. DHCP
>> reservations can take a lot of time to configure on a larger network and
>> there are reports of users saying that unused reservations have been
>> leased to DHCP clients booting on the network when there are no addresses
>> left in the lease pool.
>>
>> One way to manage what you want is to use a managed switch with security
>> features. These types of switches are reasonably priced these days. For
>> instance the HP Procurve 2524 goes for $400 or less on Ebay with a
>> lifetime warranty and with current firmware offers port isolation, mac
>> filtering, vlans, and 802.1X authentication. That switch allows you to
>> filter mac addresses in a learn mode that can lock ports to the current
>> mac address without any manual configuration of address tables. It can
>> also block a port where an intrusion is detected and issue an alert. Note
>> that mac address security is not 100 percent secure but is still a good
>> measure to block access from all but malicious users which should be dealt
>> with severely. 802.1X is much better but involves more infrastructure and
>> compatible operating systems. Port isolation allows ports on the switch to
>> only access other assigned ports in a variety of configurations and can
>> allow all computers internet access while not allowing access to other
>> restricted ports on the switch.
>>
>> http://www.hp.com/rnd/products/switches/switch2524-2512/overview.htm
>>
>> Using DHCP as a security measure is of little value in that it is easy to
>> find the network IP address of a lan and manually configure tcp/ip info to
>> gain access. Another option is ipsec policies. Only W2K, XP Pro, and
>> Windows 2003 are ipsec aware. Within a domain ipsec by default will use
>> kerberos authentication and any computer that is not a domain member will
>> not be authenticated for ipsec. Any computer that has an ipsec require
>> policy will refuse connection attempts from computers that can not use
>> ipsec or comply with the ipsec policy. However domain controllers can not
>> engage in ipsec ESP/AH communications with domain members and need to be
>> exempt from such ipsec policies by their static IP addresses. --- Steve
>>
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp -- ipsec procedures.
>>
>>
>> "eric romero" <e.romero@cgnet.com> wrote in message
>> news:%23b9xPnWhEHA.2908@TK2MSFTNGP10.phx.gbl...
>> > Hi all,
>> >
>> > I have a Microsoft domain running Microsoft DHCP, I want to know what is
>> > the best way to assign ips securely.
>> > i.e. if a vendor comes to the office I do not want his/her laptop to
>> > obtain an ip, ips must be assigned just to office's computers.
>> >
>> > thx
>> >
>> >
>>
>>
>
>
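Added example (not part of the original thread): a defender-side check for the point made above that a machine can get onto the LAN either by leasing an address or by configuring TCP/IP by hand. It assumes the Windows DHCP Server audit log CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address); the inventory, log excerpt, ARP list and function names are all constructed for illustration.

```python
import csv

# Constructed sample data (not from the original thread).
INVENTORY = {"00105a1b2c3d", "00105a1b2c3e"}   # MACs of office computers
DHCP_AUDIT_LOG = """\
10,08/20/04,09:12:01,Assign,10.3.15.21,PC-ACCT01,00105A1B2C3D,
11,08/20/04,09:40:17,Renew,10.3.15.22,PC-ACCT02,00105A1B2C3E,
10,08/20/04,10:05:44,Assign,10.3.15.30,VENDOR-LT,0002B3AABBCC,
"""
# (ip, mac) pairs seen on the wire, e.g. exported from a router ARP table.
ARP_SEEN = [
    ("10.3.15.21", "00:10:5a:1b:2c:3d"),
    ("10.3.15.30", "00:02:b3:aa:bb:cc"),
    ("10.3.15.77", "00:0c:29:11:22:33"),   # never asked DHCP for anything
]

LEASE_EVENTS = {"10", "11"}   # audit log IDs: 10 = new lease, 11 = renewal

def norm(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def parse_leases(log_text):
    """Return {ip: mac} for the lease and renew rows of the audit log."""
    leases = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) >= 7 and row[0] in LEASE_EVENTS:
            leases[row[4]] = norm(row[6])
    return leases

def audit(inventory, log_text, arp_seen):
    """Flag hosts that are not office machines, with or without a lease."""
    leases = parse_leases(log_text)
    findings = []
    for ip, mac in sorted(leases.items()):
        if mac not in inventory:
            findings.append(("unknown-mac-leased", ip, mac))
    for ip, mac in arp_seen:
        mac = norm(mac)
        # Host is live but DHCP never handed it this address.
        if leases.get(ip) != mac and mac not in inventory:
            findings.append(("static-ip-no-lease", ip, mac))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, DHCP_AUDIT_LOG, ARP_SEEN):
        print(*finding)
```

This only reports what is on the wire; as the post says, MAC-based checks are not 100 percent secure, so enforcement still belongs to the switch port security, 802.1X or ipsec measures described above.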