DHCP security QUESTION

Thread starter: SPALE

Is there a possibility to secure my DHCP server to obtain IP addresses only
to computers in my domain? I have a lot of users who are not working in my
bank but they can bring laptops and plug into the network. Lately we have had a very
bad situation with a virus from one of those laptops.

No way to stop this really unless you assign static IP
addresses via DHCP "Reservations" to the MAC addresses of
your PCs. Major admin overhead, but it is about the only way I know
of.

Good luck

If you search back a few days you will find this question discussed. Bottom
line is no, a DHCP server in W2K cannot distinguish domain machines. It can
however dish out only reserved IP addresses to specific MAC addresses, which
in itself will not prevent knowledgeable users from statically configuring
their computers to obtain access. Other solutions include managed switches
that can filter MAC addresses, or using a RADIUS server for machine
authentication such as 802.1X. IPsec can also be used to secure certain
computers in a domain with a "require" policy, using Kerberos
authentication, or a shared key in a non-domain. However, only W2K/XP/W2003 are
IPsec aware. Communicating a policy to these non-employees or posting signs
may help, but if you cannot get them fired it will probably be of little
use. --- Steve

Ultimately, the best solution to viruses is always going to be ANTIVIRUS
software that downloads updates automatically. Your internal computers have
to have the latest antivirus updates and Microsoft software patches, or else
they are going to be infected or hacked eventually by laptops, dial-up or
VPN remote users, email, etc. Controlling DHCP is not really antivirus,
because any solution you choose will have to allow those visitors to do
something to get permission to receive an IP address, and if they are
infected with a virus, they are going to have to download antivirus updates,
and that requires an IP address.

The usual answer to the question of DHCP security is either:

1) to use DHCP reservations on the server to bind a particular MAC address /
NIC card to a particular IP address [which might be a lot of work for the
administrator to do if the network was large],

2) use a network IDS product to monitor MAC address to IP address mappings
[which would possibly generate a lot of false alarms and extra work and
would just be detective and not preventative] or

3) use some form of per-user authentication at the switch, proxy server or
firewall.

You can set up static MAC-to-IP address mappings in Windows DHCP,
the main problem in large environments being the overhead and the
inconvenience to users, who have to call first to get you to reconfigure
DHCP so they can get an IP.

Note that controlling DHCP does *nothing* to prevent someone
from choosing a static IP to gain access. Another solution might be to
configure something like "port security" on your switch ports so that only
MAC address X can use port Y.

You could consider a third party authentication product that automatically
puts new users into a DMZ until the product confirms their patch level,
policy settings and/or antivirus. I've heard a suggestion that the Windows
2003 Quarantine server feature could be modified to work for users on your
LAN, and companies like Sygate might have a solution to do this as well.
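As an added illustration of option 2 above (monitoring MAC-to-IP mappings) and of the static-IP caveat, not code posted by anyone in this thread: a small Python check that reads DHCP audit-log records plus a snapshot of IP/MAC pairs seen on the wire, flags leases handed to MACs that have no reservation, and flags IP/MAC pairs that DHCP never issued, i.e. a host that configured its own address. The reservation table, log lines and observed pairs are all constructed for the example.

```python
"""Flag DHCP leases to non-reserved MACs and IP/MAC pairs that bypassed DHCP."""
import csv
import io

# Constructed reservation table, MAC -> reserved IP (in practice exported from the DHCP server).
RESERVATIONS = {
    "00-0C-29-AA-01-01": "10.1.1.10",
    "00-0C-29-AA-01-02": "10.1.1.11",
}
# Constructed audit-log lines in the Windows DHCP server audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); ID 10 = new lease, 11 = renewal.
DHCP_LOG = """\
10,03/14/05,09:02:11,Assign,10.1.1.10,pc-teller1,000C29AA0101
11,03/14/05,09:05:40,Renew,10.1.1.11,pc-teller2,000C29AA0102
10,03/14/05,09:12:03,Assign,10.1.1.57,laptop-visitor,001122334455
"""

# Constructed snapshot of IP/MAC pairs seen on the wire (e.g. switch MAC table or ARP cache).
OBSERVED = [
    ("10.1.1.10", "00:0c:29:aa:01:01"),
    ("10.1.1.57", "00-11-22-33-44-55"),
    ("10.1.1.200", "00-DE-AD-BE-EF-01"),  # never leased: host picked its own address
]

def norm_mac(mac):
    """Normalise 000C29AA0101 / 00:0c:29:... / 00-0C-29-... to 00-0C-29-AA-01-01."""
    digits = mac.replace(":", "").replace("-", "").upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(log_text):
    """Return {ip: mac} from lease assignment and renewal records (IDs 10 and 11)."""
    leases = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) >= 7 and row[0] in ("10", "11"):
            leases[row[4]] = norm_mac(row[6])
    return leases

def audit(log_text, observed, reservations):
    """Return (unreserved, static): MACs leased without a reservation, and IP/MAC
    pairs seen on the wire that DHCP never issued (a statically configured host)."""
    leases = parse_leases(log_text)
    unreserved = sorted(mac for mac in set(leases.values()) if mac not in reservations)
    static = sorted((ip, norm_mac(mac)) for ip, mac in observed
                    if leases.get(ip) != norm_mac(mac))
    return unreserved, static

if __name__ == "__main__":
    unreserved, static = audit(DHCP_LOG, OBSERVED, RESERVATIONS)
    print("non-reserved leases:", unreserved, "\nstatic hosts:", static)
```

Feeding it the real DHCP audit log and a periodic dump of the switch MAC table turns option 2 into an alert on exactly the two cases the thread describes: an unknown laptop obtaining a lease, and a host that skipped DHCP altogether.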