Re: Security of IP addresses assigned by DHCP
From: Stuart Mackie (*REMOVEfirstname.lastname@example.org)
Date: Sat, 8 Mar 2003 22:49:04 -0000
I currently have a wireless (and wired) network at home. I'm currently
doing my MCSE and am quite security conscious and have come across a similar
problem to yourself. If you use Wireless hardware supporting 802.1X
authentication and have a certificate server you can configure the wireless
part of the network to only allow access if their username and/or computer
has the appropriate certificates. I would presume (although haven't
implemented this) that you could apply the same method to a wired network.
In the case of 802.1X, if a system doesn't have the correct credentials they
don't get access to the network and therefore won't even get as far as
getting allocated their details from DHCP. With this and some type of ACL
list in your wireless access point you should be relatively secure in terms
of access (WEP isn't good as you probably know so something extra for data
encryption such as VPN would also be good).
I would presume in the case of a wired network this may not be as easy but
still possible. Along similar lines with credential authentication possibly
with ISA server you may be able to configure your network, or at least a
gateway system to restrict access and stop users from just plugging in.
--
Hth,
Stuart Mackie, MMVS
www.stu.uk.com

"Jim" <firstname.lastname@example.org> wrote in message news:email@example.com...
> We have been wrestling with the issue of the use of DHCP
> and the ability for any outside system once inside the
> building and configured for DHCP being able to connect to
> our network. We are examining policy concerning wireless
> access, yet for any contractor/vendor allowed in the
> building they can connect any non-corporate approved
> device to the network and receive access via DHCP.
>
> Are there any DHCP configurations/software available that
> would allow for some kind of "inspection" of the device
> requesting an IP address from a DHCP server, and determine
> if indeed this device is "approved" to receive an IP
> address? I'm aware of techniques to utilize MAC addresses,
> but this seems to potentially be an administration
> nightmare.
>
> Thanks
>
> Jim
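
Added example, not part of the original post or the quoted message: a simplified model of why an 802.1X-controlled port stops a device before it can obtain a DHCP lease. The class and function names are hypothetical, the frames are constructed, and the authentication server's decision is reduced to a boolean.

```python
import struct

ETH_EAPOL, ETH_IPV4 = 0x888E, 0x0800   # EtherTypes: 802.1X EAPOL, IPv4
EAPOL_START, EAPOL_LOGOFF = 1, 2       # EAPOL packet types

def eth_frame(src_mac, ethertype, payload, dst_mac=b"\xff" * 6):
    """Build a constructed Ethernet II frame (no FCS)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def dhcp_discover(src_mac):
    """Constructed minimal IPv4/UDP 68->67 broadcast; the DHCP body is omitted."""
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return eth_frame(src_mac, ETH_IPV4, ip + udp)

def is_dhcp(frame):
    """True for an IPv4/UDP frame using the DHCP ports 67/68."""
    if len(frame) < 14 + 20 or frame[12:14] != struct.pack("!H", ETH_IPV4):
        return False
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    if frame[14 + 9] != 17 or len(frame) < 14 + ihl + 4:
        return False                           # not UDP, or truncated
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {sport, dport} <= {67, 68}

class DotOneXPort:
    """Hypothetical model of one authenticator port (switch port or AP association)."""
    def __init__(self):
        self.authorized = False                # ports start unauthorized

    def auth_result(self, accepted):
        """Outcome relayed from the authentication server (e.g. certificate check)."""
        self.authorized = bool(accepted)

    def ingress(self, frame):
        """Classify a frame arriving from the attached device."""
        if len(frame) < 14:
            return "drop"                      # runt frame
        if frame[12:14] == struct.pack("!H", ETH_EAPOL):
            if len(frame) >= 16 and frame[15] == EAPOL_LOGOFF:
                self.authorized = False        # supplicant logged off
            return "eapol"                     # always reaches the authenticator
        if not self.authorized:                # everything else is blocked,
            return "drop-dhcp" if is_dhcp(frame) else "drop"  # DHCP included
        return "forward"
```

Before `auth_result(True)` is called, `ingress(dhcp_discover(mac))` returns `"drop-dhcp"`, so the DHCP server never sees the request; only EAPOL frames pass.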