Re: How to prevent a client from obtaining an IP address
- From: Marc Holland <holland@xxxxxxxxxxx>
- Date: Thu, 08 Mar 2007 11:43:00 -0600
Kirrin, James, Phillip:
Thanks all for your helpful info. I did set up a dummy scope, though I no longer need it, so I deactivated it. We had a machine in a building where there are no publicly accessible jacks that was infected with a worm, and I needed to identify the owner without our network manager here, who would have simply shunned the port in question until we resolved it. But we found it anyway, so we didn't need the DHCP black hole.
We are planning on going 802.1X, but we don't have all of our switches at L3 yet. Anyway, most of our "public users" (students) use our wireless network, which does require authentication.
Thanks again,
-Marc
Phillip Windell wrote:
Except for 802.1x that James mentioned, you really need to consider the physical security of the building itself. A "stranger" should not be allowed to gain physical access to a wall jack that is DHCP enabled on that "wire".
In our building there are no "free" wall jacks in the public part of the building. You can also make the public areas of the building Wireless using WEP, WPA, PEAP, (or whatever),...they can't get an IP# until they authenticate with the Wireless devices first, and they can not do that if you don't give them the tools to do it. With a good WAP you can also reduce the signal power so that it doesn't reach clear across the parking lot and down the street. You do a Site Survey and make sure the signal reaches only as far as you want it to.
On the "wired side" our internet access and access to all LAN resources are carefully controlled by user account, not by IP#,...so an IP# does not give them "squat". Even Internet access is based on user accounts and the "path" out to the Internet does not even use the "Default Path" of the LAN so they can use their wildest imaginations for a Default Gateway and accomplish nothing.
In our conference room, the jack available to "guests" runs through an isolated "NAT Device" and goes right out into the public side of the system,...they are never "on the LAN". If they don't use the provided NAT Device, there is no DHCP on that "wire" so they can't get an address, and they wouldn't know what Public IP# to configure their laptop with, so they wouldn't get anywhere.
As far as them bringing in a virus,...we have virus protection out the "wazzoo" in half a dozen different ways. I'm not worried at all about that.
So in the end, having them "get an IP#" isn't that big a deal when you deal with the big picture and don't put all your "security eggs in one basket".
- References:
- DHCP: How to prevent a client from obtaining an IP address
- From: Marc Holland