Re: Certificate-based DHCP authentication
From: karl levinson, mvp (levinson_k_at_despammed.com)
Date: 11/24/05
- Next message: karl levinson, mvp: "Re: Securing SQL"
- Previous message: Roger Abell [MVP]: "Re: How to Stop a Service From Impersonating Other Users"
- In reply to: Miha Pihler [MVP]: "Re: Certificate-based DHCP authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Nov 2005 08:37:25 -0500
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:OvdwiLF8FHA.1000@tk2msftngp13.phx.gbl...
> There are few solutions out there --
> - first one to mention is 802.1x where you authenticate computer on switch
> port. For this to work you need switch that supports authentication and
> enough ports to connect every PC to one of these ports. Next, you need to
> setup RADIUS server and certificates etc... In the end you need clients
> that know how to work with 802.1x (e.g. Windows 2000 SP4 or later).
Many switch / router vendors already have such an 802.1x solution, and most
of it is free. Cisco NAC is one such solution, although I believe you would
need to buy a Cisco radius server to make it happen.
However, there is another, arguably cheaper alternative. Enable "port
security" on your switches to map each switch port to a specific MAC
address, wherever possible. You'd want to decide whether you want to
enable switch port security on shared ports such as ports in conference
rooms. If you have any hubs, you'd want to try to get rid of those as those
defeat port security. This is fairly secure, but a possible drawback is
that it prevents people from easily moving around to other network jacks
without calling you for help first.
Or, you can configure your DHCP servers with static lease mappings of IP
address to MAC address. This is somewhat less secure, in that determined
inside attackers may be able to easily sniff the traffic or steal a network
card in order to spoof and hijack a valid MAC or IP address... also it does
nothing to inhibit people who enter in a valid static IP address. However
if this is to protect your internal network, this might be enough security
for your needs, it's up to you. The possible advantage here is that an
authorized computer can get a network connection from any network jack
without reconfiguration.
These two solutions create a bit of administrative overhead, but then so
does every solution to do this, including every solution mentioned so far.
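A way to cross-check the two allow-lists discussed in this post (switch port to MAC, and DHCP reservation IP to MAC) against what the network actually shows, flagging the gaps the post names: unknown MACs, a known MAC on the wrong jack, a reserved IP in use by another MAC, and hosts with a hand-typed static IP. This is an added example, not code from the original post; every MAC, IP and port name is a constructed sample value, and the table formats are simplified two-column snapshots rather than any particular vendor's output.

```python
# Constructed sample data (not from the original post); every value is made up.
# Allow-list a switch port-security policy would enforce: MAC -> expected port.
AUTHORIZED_PORT = {
    "00:11:22:33:44:01": "Gi0/1",
    "00:11:22:33:44:02": "Gi0/2",
}
# DHCP static lease mappings: reserved IP -> MAC.
RESERVATIONS = {
    "10.0.0.11": "00:11:22:33:44:01",
    "10.0.0.12": "00:11:22:33:44:02",
}
# Constructed snapshot of the switch MAC address table: "<mac> <port>" per line.
MAC_TABLE = """\
00:11:22:33:44:01 Gi0/1
00:11:22:33:44:02 Gi0/7
aa:bb:cc:dd:ee:ff Gi0/9
"""
# Constructed snapshot of a router/host ARP table: "<ip> <mac>" per line.
ARP_TABLE = """\
10.0.0.11 00:11:22:33:44:01
10.0.0.12 aa:bb:cc:dd:ee:ff
10.0.0.50 aa:bb:cc:dd:ee:ff
"""

def parse_pairs(text):
    """Split whitespace-separated two-column lines into (a, b) tuples."""
    return [tuple(line.split()[:2]) for line in text.splitlines() if line.strip()]

def audit(mac_table=MAC_TABLE, arp_table=ARP_TABLE):
    """Return sorted (finding, subject, detail) tuples for the four conditions."""
    findings = []
    for mac, port in parse_pairs(mac_table):
        expected = AUTHORIZED_PORT.get(mac.lower())
        if expected is None:
            findings.append(("unknown-mac", mac, port))        # never authorized
        elif expected != port:
            findings.append(("port-mismatch", mac, port))      # known MAC, wrong jack
    for ip, mac in parse_pairs(arp_table):
        reserved = RESERVATIONS.get(ip)
        if reserved is None:
            findings.append(("unreserved-ip", ip, mac))        # hand-typed static IP
        elif reserved != mac.lower():
            findings.append(("ip-mac-mismatch", ip, mac))      # reserved IP hijacked
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

The port-mismatch and ip-mac-mismatch findings are exactly the cases port security would block at the switch but a DHCP-reservation-only setup can only detect after the fact.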