My "wire" / not yours

Discussion in 'Server Setup' started by Backup, Mar 22, 2005.

  1. Backup

    Backup Guest

    My "wire" / not yours



    I am looking for a way to secure DHCP. I have a network with all the
    frills; DHCP, DNS, DOMAIN, etc.

    I know how to use DHCP to the point of setting address ranges etc. What I
    would like to do is make it so that machines that aren't known to me, such as
    users' laptops and WiFi devices, aren't allowed access to the network and
    can't obtain an IP address unless I am notified and allow it.

    Right now on the 2nd floor someone could just "jack" in and poof, they have
    an IP.

    Another thing I could do is this: I would set ISA to not allow network
    access outside of the network (somehow) if they don't have a domain
    user-id/password.

    This being all said, why would I even want them to get an IP? If I don't know
    you I don't know you. Then again, if I don't know you, why do I want you on my
    wire!
     
    Backup, Mar 22, 2005
    #1

  2. Backup

    Todd J Heron Guest

    I am looking for a way to secure DHCP....What I would like to do is make it

    The options depend on your environment.

    1) Avoid patching all network outlets; patch only the ones needed on a
    case-by-case basis. Even if someone attaches a network device to your outlet
    it is not connected to anything. Only patch outlets that are in use.

    Limitation: Only patching the required ports will not work if someone
    simply unplugs a current computer and connects theirs instead.

    2) If you have all Windows 2000 or above you could set up an IPSec policy. If
    set up correctly this will allow only computers that are in the domain to
    communicate among themselves and ignore any other computer and device.

    http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx

    Limitation: This method is difficult to implement.

    3) Another option would be IEEE 802.1x. This allows "port authentication"
    (MAC-filtering). So any device that connects to a network outlet must first
    authenticate in e.g. AD before it can actually talk with other computers on
    the network. This requires that you have switches that are IEEE 802.1x
    compliant, AD 2003, IAS (RADIUS) and clients that are Windows 2000 SP4 or
    newer.

    Limitation: MAC-filtering can be defeated by someone who knows what they
    are doing.

    4) Set the MAC addresses of the machines which should get addresses into
    DHCP with fixed reservations. Be aware however that a user with
    administrative access to a machine can configure a static IP address along
    with other IP information onto the machine.

    Limitation: When someone has administrative access to their machine, they
    can simply enter a static IP address.
     
    Todd J Heron, Mar 22, 2005
    #2

  3. Backup

    Paul Adare Guest

    microsoft.public.windows.server.security news group, Todd J Heron
    802.1x and MAC filtering have nothing at all to with one another.
    Two totally and completely different technologies.

    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
     
    Paul Adare, Mar 22, 2005
    #3
  4. It is not impossible, ...but for practical purposes you are almost just
    wasting your time. The solution is not to prevent them from getting an IP#;
    the solution is making sure that whatever IP# they get doesn't matter
    anyway.

    LAN access is to be controlled by *who* the person is according to the
    credentials they use and should *never* depend on what IP# they have or
    don't have (although there are exceptions such as machines with static
    IP#s).

    This is obviously a weakness in many firewall products because they are
    incapable of authenticating a user account.

    DHCP is not a "secure" service. It is not meant to be run in a high
    security situation. There are emerging technologies to "quarantine" machines
    and verify who/what they are before allowing them on the network. They are
    not widespread, are very complex, and I have no exact examples to give.
     
    Phillip Windell, Mar 22, 2005
    #4
  5. Backup

    Todd J Heron Guest

    I see your point. So why don't you go ahead and explain yours instead of
    leaving it hanging like that. For the benefit of the group.
     
    Todd J Heron, Mar 23, 2005
    #5
  6. Backup

    Paul Adare Guest

    microsoft.public.windows.server.security news group, Todd J Heron
    It actually isn't "my point", it is a technical fact. I was simply
    pointing out the technical inaccuracy in your post.

    If you now see "my point" why don't you take the time to explain why
    your original post was technically inaccurate rather than leaving it
    hanging like that? You know, for the benefit of the group.

    --
    Paul Adare
     
    Paul Adare, Mar 23, 2005
    #6
  7. Backup

    Tim Guest

    Paul, this comes down to a simple bit of etiquette.

    You may as well have written "Your Wrong" without any qualification
    whatsoever. If he had been completely wrong and did not know where and why,
    your own answer leaves a lot to be desired, as you have informed the group
    you are now a self-elected expert, that you DO know better, but that you are
    not bothering to give any details.

    You would be better off not posting at all with an attitude like that.

    The best answers I see entail multiple people dotting each other's i's and
    crossing their t's in a complementary fashion - everyone gets to learn. Not
    everyone is an MVP or has time to always provide the most detailed answer,
    or has time to research and include links to authoritative resources. Often
    too, the most frequently correct answer is given as a solution to a problem.

    Could you have contributed positively to the OP's question? You claim to be
    able to, but did not. That failing is in your court and no one else's.

    - Tim

     
    Tim, Mar 23, 2005
    #7
  8. Backup

    Sylvie Guest

    In the end it comes down to this: some switches (probably all by now) allow
    you to set the port to accept only one MAC address. You do not have to set
    the MAC address that you want to enable. The switch will accept the first
    one and refuse all others. We use this configuration to prevent users from
    connecting hubs and switches or unauthorized computers. The problem with this
    is that you will have to clear the port config when you want another
    computer to connect to the port.

    Sorry I do not know the protocol or the RFC but I know that Cisco 2900
    series switches can do it.
     
    Sylvie, Mar 23, 2005
    #8
  9. Backup

    Paul Adare Guest

    Not true. My post indicated exactly what was wrong with Todd's post. A
    couple of simple Google searches on 802.1x and MAC filtering would have
    led to the specifics for anyone who cared to learn exactly why he was
    totally wrong. As for why I didn't elaborate, well, you've answered that
    question yourself now, haven't you?

    Really? I at least took the time to point out the error in the post.
    Better than nothing.

    Exactly. You may want to repeat the above to yourself a couple of times
    the next time you feel like jumping down someone's throat because the
    content of their post doesn't fit with your idea of what exactly a
    perfect post would be.


    --
    Paul Adare
     
    Paul Adare, Mar 23, 2005
    #9
  10. Backup

    S. Pidgorny Guest

    There can be many devices using the same MAC address. That allows bypassing
    DHCP security, and in some cases 802.1x and proprietary switch port security
    solutions:

    http://sl.mvps.org/docs/802dot1x.htm
     
    S. Pidgorny, Mar 23, 2005
    #10
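    Both the one-MAC-per-port approach described above and its weakness (a duplicated or spoofed address) can be checked from the switch's own forwarding table. As an added example that is not from this thread: the script below parses a constructed, simplified MAC-table listing and flags a MAC learned on more than one port (the duplicate/spoof case) and an access port carrying more than one MAC (a user-attached hub or switch); the port names, the table layout and the uplink set are assumptions.

```python
"""Flag MAC-address anomalies in a switch forwarding table (added example)."""
from collections import defaultdict

# Constructed sample in a simplified 'show mac address-table'-like layout
# (not verbatim vendor output). Fa0/3 and Fa0/9 share a MAC: what a
# duplicated or spoofed address looks like from the switch. Fa0/7 carries
# three MACs: what a user-attached hub or switch looks like.
SAMPLE_TABLE = """\
Vlan  Mac Address      Type     Ports
----  ---------------  -------  -----
10    0011.2233.4455   DYNAMIC  Fa0/1
10    0011.2233.4466   DYNAMIC  Fa0/2
10    0011.2233.4477   DYNAMIC  Fa0/3
10    0011.2233.4477   DYNAMIC  Fa0/9
10    0011.2233.4488   DYNAMIC  Fa0/7
10    0011.2233.4499   DYNAMIC  Fa0/7
10    0011.2233.44aa   DYNAMIC  Fa0/7
10    00aa.bbcc.ddee   DYNAMIC  Gi0/1
"""

# Uplink/trunk ports legitimately carry many MACs; assumed for the sample.
UPLINKS = {"Gi0/1"}


def parse_table(text):
    """Return (vlan, mac, port) tuples, skipping header/separator lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        vlan, mac, _type, port = parts
        rows.append((vlan, mac.lower(), port))
    return rows


def find_anomalies(rows, uplinks=UPLINKS, max_per_port=1):
    """Return ({mac: [ports]} seen on >1 port, {port: [macs]} over the limit)."""
    ports_by_mac = defaultdict(set)
    macs_by_port = defaultdict(set)
    for _vlan, mac, port in rows:
        ports_by_mac[mac].add(port)
        if port not in uplinks:
            macs_by_port[port].add(mac)
    duplicates = {m: sorted(p) for m, p in ports_by_mac.items() if len(p) > 1}
    crowded = {p: sorted(m) for p, m in macs_by_port.items()
               if len(m) > max_per_port}
    return duplicates, crowded
```

    Run against a real table export, a hit in the first dictionary is worth correlating with DHCP lease logs before deciding whether it is a spoof or a host that was simply moved.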
  11. Ok, you two,....somebody explain it. Flip a coin,..heads - Todd
    explains,...tails - Paul explains.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Mar 23, 2005
    #11
  12. Backup

    Todd J Heron Guest

    Phil, I'll take that question. Quoted description below followed by my
    summary, with a comment regarding DHCP, in deference to the OP's question.

    Quoted from:
    http://64.233.161.104/search?q=cach...per.pdf+802.1x+MAC+filtering&hl=en&lr=lang_en
    Original PDF location:
    http://www.foundrynet.com/solutions/appNotes/PDFs/802.1xWhite_Paper.pdf

    "Whilst technologies such as MAC filtering and Access Control Lists (ACLs)
    are used to enhance overall network security, the IEEE 802.1x specification
    provides another level of overall network protection:

    - MAC filtering and ACLs assume that the administrator has an understanding
    of what devices and traffic should be allowed within the network. While
    this can be achieved in limited scope, it is often too difficult to deploy
    on a large-scale infrastructure. Most often, ACLs are used in core / data
    center applications, and MAC filtering is deployed in potentially high-risk
    network edge connections. This unfortunately does not provide the
    comprehensive protection many network administrators are seeking.

    - IEEE 802.1x is a new technology that provides almost unlimited scalability
    with minimal administration overhead. By authenticating user access at the
    network edge, network administrators can be assured that no unauthorized
    access will take place, and all of the user authentication can take place on
    a centralized authentication server."

    /end quote

    In summary, MAC filtering is a method by which an administrator configures
    an "allowed" list of devices (by MAC address) which are allowed on the
    network. This technology does not scale well and can be defeated if the
    user of the client machine knows the allowed MAC address. It is more
    administrative-intensive but less expensive to implement (at least on a
    small network). An IEEE 802.1x port requires a successful authentication by
    the client machine accessing the network before any further traffic from the
    client is allowed to transmit over the network, including DHCP requests.
    The credentials are received by an "authenticator" located at the switch port
    and then sent to a RADIUS server for evaluation. The RADIUS server then makes
    a judgment about whether the client machine is allowed to authenticate. This
    technology scales much better than MAC filtering and is much more secure. It
    is less administrative-intensive but more expensive to implement.
     
    Todd J Heron, Mar 24, 2005
    #12
  13. Backup

    Ricardo Guest

    Why not just use reservations?
     
    Ricardo, Mar 30, 2005
    #13
  14. Backup

    Chris Hills Guest

    The best way to lock down your network is to enforce 802.1x with either
    PEAP or EAP-TLS. Devices wishing to connect to the network must present a
    certificate which is verified by an access server (IAS for example).

    Apparently, with HP Procurve switches, you can also configure a guest
    vlan, which devices will be attached to if they fail to negotiate 802.1x.

    One benefit of going to the trouble of setting this up, is that you can
    use autoenrollment to distribute certificates to computers. In the case
    of laptops, they can use the same certificate for access to your
    wireless network(s).

    Regards
     
    Chris Hills, Apr 11, 2005
    #14