Re: DHCP restriction via MAC...
From: Faisal [MSFT] (faisal_at_online.microsoft.com)
Date: 05/18/05
- Next message: Valery Pryamikov: "Re: Hash of Public key"
- Previous message: Roger Abell: "Re: IE vulnerabilities..."
- In reply to: Karl Levinson, mvp: "Re: DHCP restriction via MAC..."
- Next in thread: Karl Levinson [x y], mvp: "Re: DHCP restriction via MAC..."
- Reply: Karl Levinson [x y], mvp: "Re: DHCP restriction via MAC..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 May 2005 13:15:32 +0400
I would suggest going for IPsec; MAC filtering is not reliable.
thnx
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:%23aVJSB1WFHA.2684@TK2MSFTNGP09.phx.gbl...
> Agreed. While DHCP reservations per MAC are generally considered a pain,
> especially during initial setup, they aren't that much more of a pain than
> enabling port security to do mac address filtering on your switches. This
> is something else you could consider. I think it's somewhat more commonly
> done than DHCP mac address filtering, since it's more secure. It prevents
> people from selecting their own IP address, from collecting data by
> eavesdropping / sniffing, prevents use of other protocols besides TCP/IP,
> and prevents people from using man in the middle / session hijacking, etc.
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uWDGpz0WFHA.4036@TK2MSFTNGP10.phx.gbl...
>> You could try to create a DHCP scope that has nothing but reservations which
>> map a mac address to an IP address in the scope. That can be very time
>> consuming on all but the smallest networks and I have read of users saying
>> that DHCP still would dish out a reserved IP address to a computer if no
>> other IP addresses were available and there were reserved IP addresses not
>> in use.
>>
>> DHCP reservations can be very useful but they are a poor security safeguard
>> as a user could simply assign static IP info to his computer that would
>> allow access and even potentially deny a legitimate computer from receiving
>> an IP address if the user assigns an IP that is in the DHCP scope already.
>> Switches that can filter traffic by mac addresses, use 802.1X
>> authentication, or using ipsec in the domain are other ways to increase
>> security to prevent access from unauthorized computers. Mac filtering can be
>> easily spoofed by malicious users, 802.1X takes a lot of planning and
>> compatible hardware/operating systems, and ipsec can be very effective in a
>> domain if all the computers are ipsec capable. Ipsec can not however prevent
>> a computer from using DHCP server since DHCP is broadcast based but it can
>> prevent a non domain computer from accessing a domain computer with an ipsec
>> "require" policy with default kerberos computer authentication. --- Steve
>>
>>
>>
>> "Steven Sinclair" <StevenSinclair@discussions.microsoft.com> wrote in
>> message news:098C4021-7036-4DBD-8171-8F33AA6ED0B9@microsoft.com...
>> > Windows 2003 Server Enterprise Edition
>> > Windows Built-In DHCP Service
>> >
>> > Is there any way to restrict whether or not a client on a local LAN receives
>> > a DHCP address from my server based on MAC address?
>> >
>> > Let's say I have a visiting vendor. I do not want that notebook computer to
>> > automatically pick up an IP address from my server as soon as he plugs the
>> > machine into my network. Instead, knowing his MAC address, I'd want the
>> > server not to assign him one.
>> >
>> > Thanx.
>>
>>
>
>
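
The gap described in the quoted replies (a machine with a static address never asks the DHCP server for anything) can at least be detected by comparing what is actually on the wire with the reservation list. The following is an added example, not part of the original thread; the function names and all addresses are constructed for illustration, and the observed pairs are assumed to come from a router or switch ARP table.

```python
# Added example: cross-check observed IP/MAC pairs against DHCP reservations.
# Every address below is constructed sample data.

def norm_mac(mac):
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, observed):
    """reservations: {mac: ip}. observed: (ip, mac) pairs from an ARP table.
    Returns (finding, ip, mac) tuples for every pair that is not a reservation."""
    by_mac = {norm_mac(mac): ip for mac, ip in reservations.items()}
    reserved_ips = set(by_mac.values())
    findings = []
    for ip, mac in observed:
        mac = norm_mac(mac)
        if by_mac.get(mac) == ip:
            continue  # matches a reservation (a cloned MAC would pass too)
        if mac in by_mac:
            kind = "known-mac-wrong-ip"   # authorised NIC, static or stale IP
        elif ip in reserved_ips:
            kind = "reserved-ip-taken"    # unlisted NIC holding a reserved IP
        else:
            kind = "unknown-mac"          # unlisted NIC with a self-assigned IP
        findings.append((kind, ip, mac))
    return findings

# Constructed sample: two reservations, four hosts seen on the segment.
RESERVATIONS = {
    "00-11-22-AA-BB-01": "192.168.10.11",
    "00-11-22-AA-BB-02": "192.168.10.12",
}
OBSERVED = [
    ("192.168.10.11", "00:11:22:aa:bb:01"),
    ("192.168.10.12", "00:de:ad:00:00:01"),
    ("192.168.10.50", "00:de:ad:00:00:02"),
    ("192.168.10.77", "0011.22aa.bb02"),
]

if __name__ == "__main__":
    for finding in audit(RESERVATIONS, OBSERVED):
        print(*finding)
```

A pair that matches a reservation only shows that the MAC was presented, not who presented it, which is why the thread points to switch port security, 802.1X and IPsec for enforcement.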