Re: DHCP Security

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/16/03


"SiuLung" <siulung@rogers.com> wrote in message
news:L%Z2a.680312$F2h1.157293@news01.bloor.is.net.cable.rogers.com...

> There are 2 things I would like to add, which is I want all the
> workstations to have to log in to the domain in order to get an IP and/or to have
> access at the RRAS server (which means they have to log in to the domain to
> get on the internet). I have set the DHCP to provide IP and RRAS to act as an
> internet gateway.

I don't think it's possible or desirable to block machines from getting an
IP address in this way, and it's probably not a good idea even if it were
possible. If this were possible, you'd need to communicate with the server
using IPX or non-routable NetBEUI, since you wouldn't have an IP address yet.
This is probably not a great idea. At any rate, this would not prevent
someone from entering a static IP address to get to the internet.

What you want is a firewall or proxy server that can do user authentication.
Most of them can. www.netscreen.com 5XP runs about $500 US and is one of
the cheaper solutions for this. Or, Squid is a free proxy that will
probably do this.

I don't think the level of security you're looking for is built into DHCP,
certainly not Windows DHCP. If you still want to use DHCP to block
unauthorized computers from getting IP addresses, you could try setting up a
DHCP reservation on the DHCP servers for every computer out there. You'd
have to know the MAC address for every NIC card out there and any new NIC
card or machine would not get an IP address. This is per-computer security,
so it would not block unauthorized users on an authorized machine, and would
not prevent someone on Windows 9x/ME or someone with administrative access
to the machine from entering a static IP address to get on the network.
Also, note that spoofing MAC addresses is trivial. To get the MAC address
of a computer on the network, ping the computer and then run the ARP -a
command.

PS: I hope you have at least a second DHCP server service set up somewhere,
since if your DHCP server goes down or crashes, you only have a day or a few
days to notice and fix the problem before your computers stop being able to
use the internet. DHCP services shouldn't take up too many resources on the
server, so you should be able to set them up on just about any server there
[though if you're using Active Directory-integrated DNS for the security
features there, there's a certain caveat about not installing DHCP on your
DNS server or domain controller; can't fully remember].

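As an added example (not code from this thread or from either poster), the following script does the defender-side check that the reply's reservation-only approach implies: it reads Windows `arp -a` output and compares it against the DHCP reservation table, flagging addresses that no reservation accounts for, reserved NICs that show up at a different address, and one MAC seen at several addresses. It assumes the reservation table was exported from the DHCP server and that the gateway IP is known and excluded; the ARP output and reservation table below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real network).
ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.20          00-11-22-33-44-20     dynamic
  192.168.1.21          00-11-22-33-44-21     dynamic
  192.168.1.99          00-11-22-33-44-21     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-50     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed reservation table (assumed exported from the DHCP server): MAC -> reserved IP.
RESERVATIONS = {
    "00-11-22-33-44-20": "192.168.1.20",
    "00-11-22-33-44-21": "192.168.1.21",
    "00-11-22-33-44-99": "192.168.1.30",  # reserved, but not currently on the wire
}

ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)

def parse_arp(text):
    """Return (ip, mac, type) tuples from `arp -a` output, MACs lowercased."""
    return [(m.group(1), m.group(2).lower(), m.group(3).lower())
            for m in map(ARP_LINE.match, text.splitlines()) if m]

def audit(entries, reservations, ignore_ips=()):
    """Compare ARP entries with the reservation table; returns findings by category."""
    reservations = {mac.lower(): ip for mac, ip in reservations.items()}
    findings = {"unreserved": [], "mismatch": [], "duplicate_mac": []}
    seen = defaultdict(list)
    for ip, mac, kind in entries:
        if kind == "static" or ip in ignore_ips:
            continue  # skip broadcast/multicast entries and known infrastructure (gateway)
        seen[mac].append(ip)
        reserved_ip = reservations.get(mac)
        if reserved_ip is None:
            findings["unreserved"].append((ip, mac))  # no reservation: static config or unknown host
        elif reserved_ip != ip:
            findings["mismatch"].append((ip, mac, reserved_ip))  # known NIC at an unexpected address
    for mac, ips in seen.items():
        if len(ips) > 1:  # one MAC at several addresses: static override or a copied MAC
            findings["duplicate_mac"].append((mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    print(audit(parse_arp(ARP_OUTPUT), RESERVATIONS, {"192.168.1.1"}))
```

On a real network, feed the script the saved output of `arp -a` taken after pinging the subnet's hosts, and keep in mind that, as the reply notes, a MAC match alone does not prove which machine or user is behind it.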