Re: DHCP And Security
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/13/05
- Next message: Herb Martin: "Re: Is it possible to bridge three NIC on a Windows 2000 Server"
- Previous message: danieltan_at_time.net.my: "Netlogon service problem"
- In reply to: Gary: "Re: DHCP And Security"
- Next in thread: Gary: "Re: DHCP And Security"
- Reply: Gary: "Re: DHCP And Security"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 12 Feb 2005 20:54:50 -0600
Yeah. DHCP does not require any sort of computer authentication and largely
uses broadcasts. ISA 2004 is extremely powerful. Not all internet access has
to be user authenticated for ISA, you can specify that in each access rule.
You could for instance have a rule that allows access to mail servers or
protocols but requires user authentication for http/https. Give ISA 2004 a
try as you can try it for free for 120 days by downloading from Microsoft. I
recently posted my review of Tom Shinder's ISA 2004 at Amazon if you want to
read my thoughts on ISA 2004. --- Steve
"Gary" <cc@dd.com> wrote in message
news:420ea185$0$1998$afc38c87@news.optusnet.com.au...
> Was thinking of implementing ISA Server anyway for a new Exchange Setup
> and create a tighter rein on the VPNs, so this answers the question of
> how to lock out foreign computers. Problem is we have guests arrive now
> and again and need the net to check mail on their base servers. I suppose
> I could make a one time access in ISA Server to allow them in, but don't
> have to be part of our domain. Can this be done?
>
> On DHCP, I gather this is on the same level as TCP/IP itself, where
> authentication requires a higher level of kit as found in only OS's.
> Netbios is a similar access pattern? Ipsec.....more
> overheads.......another day!
>
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:uJBe9rTEFHA.464@TK2MSFTNGP15.phx.gbl...
>> DHCP cannot be used as an effective security mechanism. Using switches
>> that can manage access based on MAC addresses can help and many have an
>> auto memorize feature that can make this a pretty easy process though
>> which will keep out the idle curious. More determined users can spoof MAC
>> addresses and something like using 802.1X authentication for switches
>> would be much more secure though it requires compatible operating
>> systems, the use of a Certificate Server and an IAS server on the
>> network - all of which Windows 2000 can do. Other options would be to
>> implement IPsec policy on the domain requiring computers to
>> authenticate with another computer before access is allowed. IPsec is a
>> somewhat complex topic and should not be implemented without a good
>> understanding of it and testing. Blocking internet access is difficult
>> since all the computer needs is a default gateway. You would need
>> something like ISA server which is a proxy server and firewall that is
>> the default gateway for the network. ISA 2004 for instance can require
>> user authentication before allowing internet access. --- Steve
>>
>>
>> "Gary" <cc@dd.com> wrote in message
>> news:420d8b77$0$13527$afc38c87@news.optusnet.com.au...
>>> If I have DHCP running on DC Server 2000 and the workstations TCP/IP
>>> properties are set to "Let IP address assigned automatically" as well as
>>> the DNS, will a foreign (not authorised on the Domain) computer having
>>> the same TCP/IP settings be denied access to IP Address on the LAN and
>>> then the Internet?
>>> Is there a way to assign IP Address to member computers of the domain
>>> only?
>>>
>>> TIA
>>>
>>
>>
>
>
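
Since the thread establishes that DHCP hands out addresses without authenticating the computer, a defender can at least watch for leases going to machines that are not in the inventory. The following is an added example, not code from any poster in this thread: it assumes the comma-separated Windows DHCP server audit log layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address), and the inventory, host names and log lines are constructed. As noted in the thread, MAC addresses can be spoofed, so this gives visibility rather than enforcement.

```python
import csv
import io

# Event IDs in the DHCP audit log that hand out or extend a lease.
LEASE_EVENTS = {"10": "new lease", "11": "renewal"}

# Constructed inventory of MAC addresses for domain-owned machines.
KNOWN_MACS = {"000D5E1A2B3C", "000D5E1A2B3D"}

# Constructed sample lines in the assumed audit log layout (not real log data).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/12/05,00:00:01,Started,,,,
10,02/12/05,08:14:02,Assign,192.168.1.50,WS01.example.local,000D5E1A2B3C
11,02/12/05,09:30:11,Renew,192.168.1.51,WS02.example.local,00-0d-5e-1a-2b-3d
10,02/12/05,10:02:45,Assign,192.168.1.77,GUEST-LAPTOP,0011223344FF
12,02/12/05,10:40:00,Release,192.168.1.77,GUEST-LAPTOP,0011223344FF
"""

def normalize_mac(mac):
    """Strip separators and upper-case so inventory and log values compare."""
    return "".join(c for c in mac if c.isalnum()).upper()

def unknown_leases(log_text, known_macs):
    """Return lease events whose MAC address is not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip banner/header lines and anything that is not a lease event.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        event_id, date, time, _desc, ip, host, mac = (f.strip() for f in row[:7])
        mac = normalize_mac(mac)
        if mac and mac not in known:
            findings.append({"when": f"{date} {time}",
                             "event": LEASE_EVENTS[event_id],
                             "ip": ip, "host": host, "mac": mac})
    return findings

if __name__ == "__main__":
    for f in unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print("{when} {event:9} {ip:15} {host} {mac}".format(**f))
```
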