Will
We want to put our AD domain controllers behind a firewall on a dedicated
network segment. If we do this, however, DHCP on the AD stops working,
because DHCP clients need to be on the same segment as the server.
One question I have is: does DHCP, as Microsoft implements it, require that
TCP/IP be activated on the Ethernet card? It looks like the answer is yes,
and that's a shame, since DHCP lives below IP and so in theory should not
require it to be active. If we could deactivate IP on an Ethernet segment, we
could place a second port on the AD DHCP server onto the local segment that
has the clients and let DHCP do its thing without worrying about IP attacks
against the AD server.
Does anyone make a DHCP relay that does not require installation on the
firewall itself? I realize Microsoft has a DHCP relay, but all of the
install instructions I have seen place it on the ISA Server directly. I
would prefer to not have servers running on a firewall because they
represent just one more potential for hacking the firewall. My
preference would be to find a relay that would reside outside the firewall -
on the client network - that would then pass through requests to a
counterpart on the protected network that could then impersonate the clients
and make DHCP requests on their behalf to the true DHCP server. That lets
me configure a security rule on the firewall between the client and server
portions of the DHCP relay, and keeps software off the firewall itself.
If someone knows of a third-party product that does this, or maybe some simple
UNIX-based software, that would work as well. A feature I would like to
see on this product is automatic notification by e-mail whenever a rogue MAC
address either requests an IP address or even attempts to use the network.
If we put the DHCP relay on a sniffer port of the network switch, it could
scan all of the ARP activity on the segment and look for unauthorized MAC
addresses.
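The two-piece relay Will describes (a client-side half that accepts broadcasts and a protected-side half that talks to the real DHCP server) is, at the packet level, just what an RFC 1542 relay agent does: stamp its own address into giaddr, bump the hop count, and unicast the request to the server, which then replies to giaddr on UDP/67. The block below is an added example, not code from the original post or from any Microsoft or ISA Server component: it implements only that packet rewriting plus the "rogue MAC" check Will asks for, and leaves socket handling (bind UDP/67 on the client segment, unicast to the server from the protected side) to the caller. The relay address 10.0.0.2, the authorized-MAC set and the sample DHCPDISCOVER are all constructed for the example. With this split, the only firewall rule needed between the relay and the domain controller is UDP/67 between those two hosts in both directions.

```python
"""Minimal DHCP relay-agent packet logic with an authorized-MAC check.

Added example (not from the original post). Handles the 236-byte BOOTP header
per RFC 2131/1542; option parsing is deliberately omitted.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that follows the BOOTP header
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP = struct.Struct("!BBBB4sHH4s4s4s4s16s64s128s")
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
          "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
MAX_HOPS = 4           # RFC 1542 requires discard above 16; a tighter limit catches relay loops sooner
ZERO_IP = b"\x00" * 4


class RelayDrop(Exception):
    """Packet must not be forwarded; the message says why (log it)."""


def parse(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header; reject anything that is not Ethernet DHCP."""
    if len(pkt) < BOOTP.size + 4 or pkt[BOOTP.size:BOOTP.size + 4] != DHCP_MAGIC:
        raise RelayDrop("not a DHCP packet")
    d = dict(zip(FIELDS, BOOTP.unpack_from(pkt)))
    if d["htype"] != 1 or d["hlen"] != 6:
        raise RelayDrop("unsupported hardware type")
    d["mac"] = d["chaddr"][:6].hex(":")
    return d


def to_server(pkt: bytes, relay_ip: str) -> bytes:
    """Client -> server direction: set giaddr (if no earlier relay did), bump hops.

    The returned packet is what the protected-side half unicasts to the DHCP
    server on UDP/67 from relay_ip, so the server answers to relay_ip:67.
    """
    d = parse(pkt)
    if d["op"] != BOOTREQUEST:
        raise RelayDrop("reply seen on client side")
    if d["hops"] >= MAX_HOPS:
        raise RelayDrop("hop count exceeded (relay loop?)")
    giaddr = d["giaddr"] if d["giaddr"] != ZERO_IP else IPv4Address(relay_ip).packed
    # offsets: hops is byte 3, giaddr is bytes 24..27
    return pkt[:3] + bytes([d["hops"] + 1]) + pkt[4:24] + giaddr + pkt[28:]


def to_client(pkt: bytes, relay_ip: str) -> Tuple[bytes, str, int]:
    """Server -> client direction. Returns (packet, dst_ip, dst_port) for the client segment."""
    d = parse(pkt)
    if d["op"] != BOOTREPLY:
        raise RelayDrop("request seen on server side")
    if d["giaddr"] != IPv4Address(relay_ip).packed:
        raise RelayDrop("reply not addressed to this relay")
    if d["ciaddr"] != ZERO_IP:
        dst = str(IPv4Address(d["ciaddr"]))   # renewing client already has an address
    else:
        # Simplification: always broadcast when ciaddr is empty. RFC 1542 unicasts to
        # yiaddr via chaddr at layer 2 when the broadcast bit is clear; that needs a raw socket.
        dst = "255.255.255.255"
    return pkt, dst, 68


def check_mac(pkt: bytes, authorized: Set[str]) -> Optional[str]:
    """Return an alert line for an unknown client MAC, or None if it is authorized.

    Hook the returned string into e-mail/syslog. The ARP-sniffing variant from
    the post is the same comparison run on the sender MAC of mirrored ARP frames.
    """
    d = parse(pkt)
    if d["mac"].lower() in authorized:
        return None
    return f"ROGUE MAC {d['mac']} sent DHCP request xid={d['xid'].hex()} hops={d['hops']}"


def build_discover(mac: str, xid: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Constructed sample DHCPDISCOVER (not a capture): broadcast flag set, option 53 only."""
    chaddr = bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10
    hdr = BOOTP.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000, ZERO_IP, ZERO_IP,
                     ZERO_IP, ZERO_IP, chaddr, b"\x00" * 64, b"\x00" * 128)
    return hdr + DHCP_MAGIC + b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER, then END


if __name__ == "__main__":
    authorized = {"00:11:22:33:44:55"}               # assumed allowlist for the example
    for mac in ("00:11:22:33:44:55", "de:ad:be:ef:00:01"):
        req = build_discover(mac)
        alert = check_mac(req, authorized)
        print(alert or f"{mac}: authorized, forwarding with giaddr=10.0.0.2")
        fwd = to_server(req, "10.0.0.2")
        print("  hops now", parse(fwd)["hops"])
```

Note that check_mac only makes a rogue host visible; it does not stop the server handing out a lease. To refuse the lease, drop the request in the relay when check_mac returns an alert, or enforce MAC filtering on the DHCP server itself.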