Networking Forums

My "wire" / not yours

 
 
Backup
03-22-2005, 04:35 PM

I am looking for a way to secure DHCP. I have a network with all the
frills; DHCP, DNS, domain, etc.

I know how to use DHCP to the point of setting address ranges etc. What I
would like to do is make it so that machines that aren't known to me, such as
users' laptops and WiFi devices, aren't allowed to access the network or
obtain an IP address unless I am notified and allow it.

Right now on the 2nd floor someone could just "jack" in and poof, they have
an IP.

Another thing I could do is this: I would set ISA to not allow network
access outside of the network (somehow) if they don't have a domain
user-id/password.

This being all said, why would I want them to even get an IP? If I don't know
you, I don't know you. Then again, if I don't know you, why do I want you on my
wire!

 
Todd J Heron
03-22-2005, 04:41 PM
>I am looking for a way to secure DHCP....What I would like to do is make it
>so that machines that aren't known to me. Such as users laptops and WiFi
>devices aren't allowed access to the network and obtain an IP address
>unless I am notified and allow it.

The options depend on your environment.

1) Avoid patching all network outlets; patch only the ones needed on a
case-by-case basis. Even if someone attaches a network device to your outlet,
it is not connected to anything. Only patch outlets that are in use.

Limitation: Only patching the required ports will not work if someone
simply unplugs a current computer and connects theirs instead.

2) If you have all Windows 2000 or above, you could set up an IPsec policy. If
set up correctly, this will allow only computers that are in the domain to
communicate among themselves and ignore any other computer or device.

http://www.microsoft.com/technet/its...domisolwp.mspx

Limitation: This method is difficult to implement.

3) Another option would be IEEE 802.1x. This allows "port authentication"
(MAC-filtering). So any device that connects to a network outlet must first
authenticate in e.g. AD before it can actually talk with other computers on
the network. This requires that you have switches that are IEEE 802.1x
compliant, AD 2003, IAS (RADIUS) and clients that are Windows 2000 SP4 or
newer.

Limitation: MAC-filtering can be defeated by someone who knows what they
are doing.

4) Set the MAC addresses of the machines which should get addresses into
DHCP with fixed reservations. Be aware however that a user with
administrative access to a machine can configure a static IP address along
with other IP information onto the machine.

Limitation: When someone has administrative access to their machine, they
can simply enter a static IP address.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

 
Paul Adare
03-22-2005, 05:07 PM
In article <(E-Mail Removed)>, in the
microsoft.public.windows.server.security news group, Todd J Heron
<(E-Mail Removed)> says...

> 3) Another option would be IEEE 802.1x. This allows "port authentication"
> (MAC-filtering).
>


802.1x and MAC filtering have nothing at all to do with one another.
They are two totally and completely different technologies.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Phillip Windell
03-22-2005, 05:21 PM
It is not impossible, but for practical purposes you are almost just
wasting your time. The solution is not to prevent them from getting an IP#;
the solution is making sure that whatever IP# they get doesn't matter
anyway.

LAN access is to be controlled by *who* the person is according to the
credentials they use and should *never* depend on what IP# they have or
don't have (although there are exceptions such as machines with static
IP#s).

This is obviously a weakness in many firewall products because they are
incapable of authenticating a user account.

DHCP is not a "secure" service. It is not meant to be run in a high
security situation. There are emerging technologies to "quarantine" machines
and verify who/what they are before allowing them on the network. They are
not widespread, are very complex, and I have no exact examples to give.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Todd J Heron
03-22-2005, 11:41 PM
"Paul Adare" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...

>"802.1x and MAC filtering have nothing at all to with one another. Two
>totally and completely different technologies."


I see your point. So why don't you go ahead and explain yours instead of
leaving it hanging like that. For the benefit of the group.


--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

 
Paul Adare
03-23-2005, 12:07 AM
In article <(E-Mail Removed)>, in the
microsoft.public.windows.server.security news group, Todd J Heron
<(E-Mail Removed)> says...

> "Paul Adare" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
>
> >"802.1x and MAC filtering have nothing at all to with one another. Two
> >totally and completely different technologies."

>
> I see your point. So why don't you go ahead and explain yours instead of
> leaving it hanging like that. For the benefit of the group.


It actually isn't "my point", it is a technical fact. I was simply
pointing out the technical inaccuracy in your post.

If you now see "my point" why don't you take the time to explain why
your original post was technically inaccurate rather than leaving it
hanging like that? You know, for the benefit of the group.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Tim
03-23-2005, 12:38 AM
Paul, this comes down to a simple bit of etiquette.

You may as well have written "You're Wrong" without any qualification
whatsoever. If he had been completely wrong and did not know where and why,
your own answer leaves a lot to be desired, as you have informed the group
you are now a self-elected expert, that you DO know better, but that you are
not bothering to give any details.

You would be better off not posting at all with an attitude like that.

The best answers I see entail multiple people dotting each other's i's and
crossing their t's in a complementary fashion - everyone gets to learn. Not
everyone is an MVP or has time to always provide the most detailed answer,
or has time to research and include links to authoritative resources. Often
too, the most frequently correct answer is given as a solution to a problem.

Could you have contributed positively to the OP's question? You claim to be
able to, but did not. That failing is in your court and no one else's.

- Tim





 
Sylvie
03-23-2005, 02:40 AM
In the end it comes down to this: some switches (probably all by now) allow
you to set the port to accept only one MAC address. You do not have to set
the MAC address that you want to enable. The switch will accept the first
one and refuse all others. We use this configuration to prevent users from
connecting hubs and switches or unauthorized computers. The problem with this
is that you will have to clear the port config when you want another
computer to connect to the port.

Sorry, I do not know the protocol or the RFC, but I know that Cisco 2900
series switches can do it.

 
Paul Adare
03-23-2005, 05:46 AM
In article <OH#(E-Mail Removed)>, in the
microsoft.public.windows.server.security news group, Tim <Tim@NoSpam>
says...

> You may as well have written "Your Wrong" without any qualification
> whatsoever. If he had been completely wrong and did not know where and why,
> your own answer leaves a lot to be desired as you have informed the group
> you are now a self elected expert, that you DO know better, but that you are
> not bothering to give any details.


Not true. My post indicated exactly what was wrong with Todd's post. A
couple of simple Google searches on 802.1x and MAC filtering would have
led to the specifics for anyone who cared to learn exactly why he was
totally wrong. As for why I didn't elaborate, well, you've answered that
question yourself now, haven't you?

>
> You would be better off not posting at all with an attitude like that.


Really? I at least took the time to point out the error in the post.
Better than nothing.

>
> Not
> everyone is an MVP or has time to always provide the most detailed answer,
> or has time to research and include links to authoritative resources.


Exactly. You may want to repeat the above to yourself a couple of times
the next time you feel like jumping down someone's throat because the
content of their post doesn't fit with your idea of what exactly a
perfect post would be.


--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
S. Pidgorny
03-23-2005, 08:34 AM
There can be many devices using the same MAC address. That allows bypassing DHCP
security, and in some cases 802.1x and proprietary switch port security
solutions:

http://sl.mvps.org/docs/802dot1x.htm

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
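An added example, not written by any poster in this thread, of the "notify me when an unknown machine gets a lease" check the original poster asks for, tied to Todd's option 4 (reservations keyed by MAC) and to the warning just above that several devices can share one MAC. It audits constructed DHCP audit-log rows against an allow-list of reservation MACs and also flags a MAC that appears under more than one hostname, which is one sign that a known MAC is being reused. The row layout follows the Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address), but every row, hostname and MAC value is made up for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows in the style of a Windows DHCP server audit log
# (DhcpSrvLog-*.log). Event ID 10 = new lease, 11 = lease renewed.
# Hostnames and MAC addresses are invented for this example.
SAMPLE_LOG = """\
10,03/22/05,08:01:12,Assign,192.168.1.50,HR-PC01.corp.example,00065B1A2B3C
11,03/22/05,08:05:40,Renew,192.168.1.51,FIN-PC02.corp.example,00065B1A2B3D
10,03/22/05,09:17:03,Assign,192.168.1.77,laptop-guest,000D9312AB77
10,03/22/05,09:30:55,Assign,192.168.1.78,unknown-laptop,00065B1A2B3C
"""

# MACs that have fixed DHCP reservations (the machines the admin knows about).
KNOWN_MACS = {"00065B1A2B3C", "00065B1A2B3D"}


def parse_audit_log(text):
    """Yield (event_id, ip, host, mac) for lease events (IDs 10 and 11 only)."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue  # skip headers, server start/stop and other event types
        yield row[0], row[4], row[5], row[6].upper()


def audit_leases(text, known_macs):
    """Return (unknown, cloned).

    unknown: (ip, host, mac) leases handed to MACs with no reservation.
    cloned:  {mac: sorted hostnames} for MACs seen under more than one
             hostname, a hint that a reserved MAC is in use on another box.
    """
    unknown = []
    hosts_by_mac = defaultdict(set)
    for _, ip, host, mac in parse_audit_log(text):
        hosts_by_mac[mac].add(host)
        if mac not in known_macs:
            unknown.append((ip, host, mac))
    cloned = {mac: sorted(h) for mac, h in hosts_by_mac.items() if len(h) > 1}
    return unknown, cloned


if __name__ == "__main__":
    unknown, cloned = audit_leases(SAMPLE_LOG, KNOWN_MACS)
    for ip, host, mac in unknown:
        print(f"unknown client: {mac} ({host}) got {ip}")
    for mac, hosts in cloned.items():
        print(f"MAC {mac} seen as {', '.join(hosts)}")
```

Run against the live log the same check becomes the notification the poster wants; what it cannot catch is a machine that skips DHCP and sets a static address, which is the limitation Todd notes for option 4.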
