Re: Security of IP addresses assigned by DHCP
From: Stuart Mackie (*REMOVE*me@stu.uk.com)
Date: 03/09/03
- Next message: Billiejo: ""Messanger Service pop-up""
- Previous message: Stuart Mackie: "Re: Problems using Webenroll with certificate services"
- In reply to: Steven L Umbach: "Re: Security of IP addresses assigned by DHCP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Stuart Mackie" <*REMOVE*me@stu.uk.com>
Date: Sun, 9 Mar 2003 00:45:33 -0000
Hi. IPsec is about the only thing I haven't used yet, need to get into that
:-)
--
Thanks,
Stuart Mackie, MMVS
www.stu.uk.com

"Steven L Umbach" <sumbach@ameritech.net> wrote in message
news:KKvaa.8492$3g.1606893@newssrv26.news.prodigy.com...
> Hi Stuart. You bring up a lot of good points. If you have an all
> W2K/2003 network then you can already do this to a large extent with
> kerberos authentication for ipsec within a forest and if you do not want to
> use encryption you can use just AH. But none of that (nor certificates) will
> prevent dhcp from issuing tcp/ip addresses to unknown computers. The reason
> is that when a computer boots up broadcasts are used to obtain a tcp/ip
> address and a tcp/ip address must be obtained to even try to communicate and
> authenticate with another computer. That is why reserved tcp/ip addresses
> using the mac address of a nic card is about the only way to go for dhcp
> security, since the mac address is a physical, not logical address.
> -- Steve
>
> "Stuart Mackie" <*REMOVE*me@stu.uk.com> wrote in message
> news:ejIj7Tc5CHA.2088@TK2MSFTNGP12.phx.gbl...
> > I currently have a wireless (and wired) network at home. I'm currently
> > doing my MCSE and am quite security conscious and have come across a similar
> > problem to yourself. If you use Wireless hardware supporting 802.1X
> > authentication and have a certificate server you can configure the wireless
> > part of the network to only allow access if their username and or computer
> > has the appropriate certificates. I would presume (although haven't
> > implemented this) that you could apply the same method to a wired network.
> > In the case of 802.1X, if a system doesn't have the correct credentials they
> > don't get access to the network and therefore won't even get as far as
> > getting allocated their details from DHCP. With this and some type of ACL
> > list in your wireless access point you should be relatively secure in terms
> > of access (WEP isn't good as you probably know so something extra for data
> > encryption such as VPN would also be good).
> >
> > I would presume in the case of a wired network this may not be as easy but
> > still possible. Along similar lines with credential authentication possibly
> > with ISA server you may be able to configure your network, or at least a
> > gateway system to restrict access and stop users from just plugging in.
> >
> > --
> > Hth,
> > Stuart Mackie, MMVS
> > www.stu.uk.com
> >
> > "Jim" <jim.garrett@lifeway.com> wrote in message
> > news:03a801c2e3f4$3b5e33f0$3001280a@phx.gbl...
> > > We have been wrestling with the issue of the use of DHCP
> > > and the ability for any outside system once inside the
> > > building and configured for DHCP being able to connect to
> > > our network. We are examining policy concerning wireless
> > > access, yet for any contractor/vendor allowed in the
> > > building they can connect any non-corporate approved
> > > device to the network and receive access via DHCP.
> > >
> > > Are there any DHCP configurations/software available that
> > > would allow for some kind of "inspection" of the device
> > > requesting an IP address from a DHCP server, and determine
> > > if indeed this device is "approved" to receive an IP
> > > address? I'm aware of techniques to utilize MAC addresses,
> > > but this seems to potentially be an administration
> > > nightmare.
> > >
> > > Thanks
> > >
> > > Jim
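The reservation-only approach discussed in this thread, as an added example that is not part of the original messages or any product's code: it parses a DHCPDISCOVER per RFC 2131 and offers a lease only to MACs in a reservation table, showing that the `chaddr` field the client fills in is the only identity such a request carries. The table contents, function names and sample packets are constructed for illustration.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])   # RFC 2131 magic cookie before the options
DHCPDISCOVER = 1                   # value of option 53 (message type)
# Constructed reservation table: MAC -> reserved address (hypothetical values)
RESERVATIONS = {"00:11:22:33:44:55": "192.168.10.20"}

def parse_dhcp(pkt: bytes):
    """Return (message_type, client_mac) from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack_from("!BBB", pkt, 0)
    if (op, htype, hlen) != (1, 1, 6):
        raise ValueError("not an Ethernet BOOTREQUEST")
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])   # chaddr, set by the client
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end option
        if pkt[i] == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        if code == 53 and length == 1:
            msg_type = pkt[i + 2]
        i += 2 + length
    return msg_type, mac

def decide(pkt: bytes):
    """Offer a lease only when the requesting MAC has a reservation."""
    msg_type, mac = parse_dhcp(pkt)
    if msg_type != DHCPDISCOVER:
        return ("ignore", mac)
    ip = RESERVATIONS.get(mac)
    return ("offer", ip) if ip else ("drop", mac)

def build_discover(mac: str) -> bytes:
    """Build a constructed DHCPDISCOVER for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x1234, 0, 0x8000, 0, 0, 0, 0)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return hdr + chaddr + bytes(192) + MAGIC + bytes([53, 1, DHCPDISCOVER, 255])

if __name__ == "__main__":
    for m in ("00:11:22:33:44:55", "de:ad:be:ef:00:01"):
        print(m, decide(build_discover(m)))
```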