My "wire" / not yours

My "wire" / not yours



I am looking for a way to secure DHCP. I have a network with all the
frills; DCHP, DNS, DOMAIN, Etc.



I know how to use DHCP to the point of settings address ranges etc.. What I
would like to do is make it so that machines that aren't know to me. Such as
users laptops and WiFi devices aren't allowed access to the network and
obtain an IP address unless I am notified and allow it.



Right now on the 2nd floor someone could just "jack" in and poof. they have
an IP.



Another thing I could do is this . I would set ISA to now allow network
access outside of the network (somehow) if they don't have a domain
user-id/password.



This being all said. Why would I want to even get an IP. If I don't know
you I don't know you . then again I don't know you why do I want you on my
wire!

 

I am looking for a way to secure DHCP....What I would like to do is make it

The options depend on your environment.

1) Avoid patching all network outlets, patch only the ones needed on a
case-by-case basis. Even if someone attaches network device to your outlet
it is not connected to anything. Only patch outlets that are in use.

Limitation: Only patching the required ports will not work if someone
simply unplugs a current computer and connect theirs instead.

2) If you have all Windows 2000 or above you could setup IPSec policy. If
setup correctly this will allow only computers that are in domain to
communicate among themselves and ignoring any other computer and device.

http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx

Limitation: This method is difficult to implement.

3) Another option would be IEEE 802.1x. This allows "port authentication"
(MAC-filtering). So any device that connects to network outlet must first
authenticate in e.g. AD before it can actually talk with other computers on
the network. This requires that you have switches that are IEEE 802.1x
compliant, AD 2003, IAS (RADIUS) and clients that are Windows 2000 SP4 or
newer.

Limitation: MAC-filtering can be defeated by someone who knows what they
are doing.

4) Set the MAC addresses of the machines which should get addresses into
DHCP with fixed reservations. Be aware however that a user with
adminsitrative access to a machine can configure a static IP address along
with other IP information onto the machine.

Limitation: When someone has administrative access to their machine, they
can simply enter a static IP address.

 

microsoft.public.windows.server.security news group, Todd J Heron

802.1x and MAC filtering have nothing at all to with one another.
Two totally and completely different technologies.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)

 

It is not impossible,...but for practical purposes you are almost just
wasting your time. The solution is not to prevent them from getting an IP#,
the solution is making sure that whatever IP# they get doesn't matter
anyway.

LAN Access is to be controlled by *who* the person is according to the
credentials they use and should *never* depend on what IP# they have or
don't have (although there are exceptions such as machines with static
IP#s).

This is obviously a weakness in many firewall products because they are
incapable of authenticating a user account.

DHCP is not a "secure" service. It is not meant to be run in a high
security situation. There are emerging technolgies to "quarentine" machines
and verify who/what they are before allowing them on the network. They are
not widespread, are very complex, and I have no exact examples to give.

 

I see your point. So why don't you go ahead and explain yours instead of
leaving it hanging like that. For the benefit of the group.

 

microsoft.public.windows.server.security news group, Todd J Heron

It actually isn't "my point", it is a technical fact. I was simply
pointing out the technical inaccuracy in your post.

If you now see "my point" why don't you take the time to explain why
your original post was technically inaccurate rather than leaving it
hanging like that? You know, for the benefit of the group.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)

 

Paul, this comes down to a simple bit of ettiquette.

You may as well have written "Your Wrong" without any qualification
whatsoever. If he had been completely wrong and did not know where and why,
your own answer leaves a lot to be desired as you have informed the group
you are now a self elected expert, that you DO know better, but that you are
not bothering to give any details.

You would be better off not posting at all with an attitude like that.

The best answers I see entail multiple people dotting each others i's and
crossing their t's in a complimentary fashion - everyone gets to learn. Not
everyone is an MVP or has time to always provide the most detailed answer,
or has time to research and include links to authoritative resources. Often
too, the most frequently correct answer is given as a solution to a problem.

Could you have contributed positively to the OP's question? You claim to be
able to, but did not. That failing is in your court and no one elses.

- Tim

 

In the end it comes down to this : some switches (probably all by now) allow
you to set the port to accept only one MAC address. You do not have to set
the MAC address that you want to enable. The switch will accept the first
one and refuse all others. We use this configuration to prevent users from
connecting hubs and switches or unauthorized computer. The problem with this
is that you will have to clear the port config when you want another
computer to connect to the port.

Sorry I do not know the protocol or the RFC but I know that Cisco 2900
series switches can do it.

 

Not true. My post indicated exactly what was wrong with Todd's post. A
couple of simple Google searches on 802.1x and MAC filtering would have
led to the specifics for anyone who cared to learn exactly why he was
totally wrong. As for why I didn't elaborate, well, you've answered that
question yourself now, haven't you?

Really? I at least took the time to point out the error in the post.
Better than nothing.

Exactly. You may want to repeat the above to yourself a couple of times
the next time you feel like jumping down someone's throat because the
content of their post doesn't fit with your idea of what exactly a
perfect post would be.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)

 

There can be many devices using same MAC address. That allows to bypass DHCP
security, and in some cases 802.1x and proprietary switch port security
solutions:

http://sl.mvps.org/docs/802dot1x.htm

 

Ok, you two,....somebody explain it. Flip a coin,..heads - Todd
explains,...tails - Paul explains.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 

Phil, I'll take that question. Quoted description below followed by my
summary, with a comment regarding DHCP, in deference to the OP's question.

Quoted from:
http://64.233.161.104/search?q=cach...per.pdf+802.1x+MAC+filtering&hl=en&lr=lang_en
Original PDF location:
http://www.foundrynet.com/solutions/appNotes/PDFs/802.1xWhite_Paper.pdf

"Whilst technologies such as MAC filtering and Access Control Lists (ACLs)
are used to enhance overall network security, the IEEE 802.1x specification
provides another level of overall network protection:

..MAC filtering and ACLs assume that the administrator has an understanding
of what devices and traffic that should be allowed within the network. While
this can be achieved in limited scope, it is often too difficult to deploy
on a large-scale infrastructure. Most often, ACLs are used in core / data
center applications, and MAC filtering is deployed in potentially high-risk
network edge connections. This unfortunately does not provide the
comprehensive protection many network administrators are seeking.

..IEEE 802.1x is a new technology that provides almost unlimited scalability
with minimal administration overhead. By authenticating user access at the
network edge, network administrators can be assured that no unauthorized
access will take place, and all of the user authentication can take place on
a centralized authentication server."

/end quote

In summary, MAC filtering is a method by which an administrator configures
an "allowed" list of devices (by MAC address) which are allowed on the
network. This technology does not scale well and can be defeated if the
user of the client machine knows the allowed MAC address. It is more
administrative-intensive but less expensive to implement (at least on a
small network). IEEE 802.1x port requires a successful authentication by the
client machine accessing the network before any further traffic from the
client is allowed to transmit over the network, to include DHCP requests.
An "authenticator" located at the switch port and then sent to a RADIUS
server for evaluation. The RADIUS server then makes a judgment about
whether the client machine is allowed to authenticate. This technology
scales much better than MAC filtering and is much more secure. It is less
administrative-intensive but more expensive to implement.

 

why no just use reservations?

 

The best way to lock down your network is to enforce 802.1x with either
PEAP or EAP-TLS. Devices wishing to connect the network must present a
certificate which is verified by an access server (IAS for example).

Apparently, with HP Procurve switches, you can also configure a guest
vlan, which devices will be attached to if they fail to negotiate 802.1x

One benefit of going to the trouble of setting this up, is that you can
use autoenrollment to distribute certificates to computers. In the case
of laptops, they can use the same certificate for access to your
wireless network(s).

Regards