DHCP Security

RWD

We keep having problems on our WAN with users putting PCs on their local WAN
without authorization to do so. Although the PC does not have any access to
our Windows network, it does have the ability to use other network resources,
including the internet. I know this probably sounds like a stupid question,
but is there any way to secure DHCP to only work with authorized machines?
Is there any other way that could limit machines from being connected
without my authorization?

Thanks
RWD
Miha Pihler

Hi,

There is no easy way to do this. Clients use broadcasts to discover the DHCP
server and there is no authentication process in this.

This would be possible using IEEE 802.1x. The "problem" with this solution is
usually the price and the technical implementation. Among other things you need
network switches that support IEEE 802.1x, clients that support it (e.g.
Windows 2000 SP4 or a newer operating system) and a database to check against
(e.g. Active Directory). Before a client is allowed on the network it has to
authenticate with the network switch. If the client sends valid user information
(checked against Active Directory) the client gets e.g. a DHCP assigned IP.

There are a few more things you can do for the safety of your network. Don't patch
all network outlets to your network. Patch only the ones in use. Implement
IPSec. Only computers that are in the domain will be able to participate in the
IPSec protected network (if you configure it so). So any outside computers
that were plugged into your network would not be able to attack your
servers or infect them with e.g. worms/viruses.

You could also implement a proxy on your network (e.g. ISA server; again it
is not a cheap solution). This proxy could require domain authentication. If a
computer were not in the domain, it could not access the internet...

Microsoft is looking into providing secure access on the network, but this
will only be available some time next year and only for the latest version of
Microsoft clients. Again, as it looks now, this will only work as long as
clients use DHCP. If they manually assign themselves an IP address
they will bypass this network security check...

Network Access Protection
http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx

Mike
Steven L Umbach

Mike gave a good solution. Many switches also offer MAC address filtering
that will block access to computers not in the table of authorized MAC
addresses. While this is not nearly as good as 802.1X, since users can alter
their MAC addresses, that will be unlikely in almost all cases except for
junior hackers on the network who should be dealt with severely. I use an HP
2512 ProCurve [also 802.1X capable] switch at home and it can go into a
"memorize" mode to learn current MAC addresses, and you can specify the ports
to do so on. Since it is a managed switch, ports can be closed by the
admin easily from any computer on the LAN. I would also suggest that you
issue a computer usage policy for users. Have them sign it and give them a
copy. My guess is that after the first person gets three days off work for
plugging an unauthorized computer into the network, the word will get
around fast. Managed switches with advanced security are not as expensive as
they used to be. See the link below on how HP explains the use of 802.1x and
the concept of a guest VLAN if interested. --- Steve

http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=71523&item=5724344142&rd=1
-- example of such a switch. I believe HP gives them a lifetime warranty
with drivers and documentation available at their webpage.
http://www.hp.com/rnd/products/switches/switch2524-2512/features.htm
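As an added example (not code from the thread or from any of its posters), the Python script below builds a minimal DHCPDISCOVER, parses it the way a DHCP server would, and applies a MAC-address allowlist. It illustrates both Mike's point that DHCP discovery is an unauthenticated broadcast in which the only client identity the server sees is the client-supplied chaddr field, and Steve's caveat that MAC filtering stops working as soon as an unauthorized host copies an authorized address. The MAC addresses, the allowlist and the packets are constructed for the example; no real network traffic is involved.

```python
"""
Added example, not from the original thread: a DHCP server can only key its
decision on fields the client itself fills in (chaddr, client-id), so a MAC
allowlist is the strongest filter plain DHCP can offer, and it is spoofable.
"""
import struct

# Constructed allowlist of "authorized" client MACs (hypothetical values).
AUTHORIZED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 option-field magic cookie
BOOTREQUEST, DHCPDISCOVER = 1, 1


def build_discover(mac: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER: 236-byte BOOTP header + options.
    Constructed for the example; a real client fills in more options."""
    chaddr = bytes(int(octet, 16) for octet in mac.split(":"))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,          # op, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
        chaddr.ljust(16, b"\0"),       # chaddr: whatever the client claims
        b"\0" * 64, b"\0" * 128,       # sname, file
    )
    options = DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER]) + bytes([255])
    return header + options


def parse_discover(pkt: bytes) -> dict:
    """Parse the BOOTP header and TLV options the way a server would."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                # end option
            break
        if code == 0:                  # pad option
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if 53 in options else None
    return {
        "op": op,
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": msg_type,
        "options": options,
    }


def server_should_answer(pkt: bytes, allowlist=AUTHORIZED_MACS) -> bool:
    """Decision a MAC-filtering DHCP server could make. Nothing here is
    authenticated: chaddr is copied straight from the client's request."""
    info = parse_discover(pkt)
    return (info["op"] == BOOTREQUEST
            and info["msg_type"] == DHCPDISCOVER
            and info["mac"] in allowlist)


def spoof_demo():
    """Returns (rogue_answered, spoofed_answered): the rogue host is refused
    with its own MAC and accepted once it copies an authorized one."""
    rogue = build_discover("de:ad:be:ef:00:01")
    spoofed = build_discover("00:11:22:33:44:55")   # copied from the allowlist
    return server_should_answer(rogue), server_should_answer(spoofed)


if __name__ == "__main__":
    print("rogue MAC answered, spoofed MAC answered:", spoof_demo())
```

Two things follow from the code. First, the filter never sees anything but chaddr and, optionally, option 61 (client identifier), both of which the client writes itself, so the server has no way to tell an authorized machine from one that copied its address. Second, a host that configures a static IP never sends a DISCOVER at all and bypasses this check entirely, which is the same limitation Mike notes for NAP; keeping the port itself closed (802.1X, port security, or simply not patching the outlet) is what actually controls who is on the wire.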