Security Basics mailing list archives

Re: Blocking Access to Non-domain computers


From: Faleh Daoud Abdel Monem <abdelmonem () webone-tunisie com>
Date: Fri, 03 Sep 2004 18:26:47 +0100

The DHCP protocol, by design, lacks an auth mechanism, as it works by broadcasting requests since the client doesn't have an IP at the beginning of the process:

- The client broadcasts a DHCPDISCOVER request.
- The server broadcasts a DHCPOFFER and temporarily reserves the IP address that it has offered.
- The client, if it accepts the offered IP address, establishes its configuration and responds to the offering server by broadcasting a DHCPREQUEST.
- The server responds to the client with a DHCPACK. This is the first step in the DHCP protocol where broadcasting is not used.

As we can see, it's mainly based on broadcasting; also, the client doesn't have an IP address to be able to authenticate itself against a domain server. So let's focus on another way to limit access, as I'm not aware of any product that may provide the required functionality.

First of all, a free network plug in an uncontrolled area of your establishment may result in security breaches, as it may result in hard-to-detect passive sniffing of your network traffic. Blocking access with MAC addresses can be a solution, but this would result in extensive administration tasks; also, in the MS Win2k DHCP server the MAC address is used for IP address reservation for a specific host.

Another available feature in MS Win2k is the /setclassid switch of the ipconfig command-line tool. You may set this on all your allowed hosts (ipconfig /setclassid myclassid) and configure the address pool on your DHCP server to give a lease to machines with this class ID, and another little pool (e.g. 10 IP addresses) without any options (default gateway, ...) to hosts that don't match the correct class ID. You could also write a little script that pings this pool of addresses or monitors the leases on this pool; whenever a host has got a lease in this pool, that means a possible break-in and you can investigate. The problem here is that we are relying on obscurity and the assumption that a possible breaker could not know about our setting.

A better practice is to limit broadcasts in your network using VLANs: you could separate your network into more organized areas which may be easily controlled and checked, configure a DHCP relay agent in each area, and you have better control of your network.

Hope this would help, I am interested in any possible solutions or suggestions about this thread.

Best Regards, Daoud.
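As an added example (not from Daoud's post, and not a Microsoft tool), here is a small Python monitor for the "watch the leases on the no-option pool" idea above: it flags any lease handed out from the quarantine pool and, as a sanity check on the scope policy, any lease outside it whose class ID is missing or wrong. The pool range 192.168.1.240/28, the class ID myclassid and the comma-separated lease export format are assumptions, and the sample leases are constructed inline.

```python
import ipaddress
from dataclasses import dataclass

# Assumed (hypothetical) settings: the small "no-option" pool handed to hosts whose
# class ID does not match, and the class ID set with ipconfig /setclassid.
QUARANTINE_POOL = ipaddress.ip_network("192.168.1.240/28")
ALLOWED_CLASS_ID = "myclassid"

# Constructed lease export, one lease per line: ip,mac,hostname,user_class
# (not the real Win2k DHCP export format; a stand-in so the script runs offline).
SAMPLE_LEASES = """\
192.168.1.20,00-0c-29-aa-bb-01,ws-finance-01,myclassid
192.168.1.21,00-0c-29-aa-bb-02,ws-finance-02,myclassid
192.168.1.241,00-1a-2b-cc-dd-03,,
192.168.1.22,00-0c-29-aa-bb-04,ws-hr-01,
"""

@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    mac: str
    hostname: str
    user_class: str

def parse_leases(text: str) -> list:
    """Parse the constructed comma-separated export; blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname, user_class = (f.strip() for f in line.split(",", 3))
        leases.append(Lease(ipaddress.ip_address(ip), mac.lower(), hostname, user_class))
    return leases

def suspicious_leases(leases: list) -> list:
    """Return (lease, reason) pairs: a lease inside the quarantine pool is the
    break-in signal Daoud describes; a lease outside it without the agreed class
    ID means the scope policy is not actually being enforced."""
    findings = []
    for lease in leases:
        if lease.ip in QUARANTINE_POOL:
            findings.append((lease, "lease handed out from quarantine pool"))
        elif lease.user_class != ALLOWED_CLASS_ID:
            findings.append((lease, "class id mismatch outside quarantine pool"))
    return findings

if __name__ == "__main__":
    for lease, reason in suspicious_leases(parse_leases(SAMPLE_LEASES)):
        print(f"{lease.ip} {lease.mac} {lease.hostname!r}: {reason}")
```

Feed it a real lease export (after adapting parse_leases to that format) from a scheduled task, and any quarantine-pool hit is the cue to investigate the port the host came in on.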
Steven A. Fletcher wrote:

That is the only option I can think of.  If you think about it, how
could you keep non-domain computers from getting an IP address?  As far
as I know, there is no provision in DHCP for such control.  For the
system to determine whether or not to give the machine an address, the
machine would need to be able to communicate with the domain
controllers, which would require an IP address for the communication to
be able to happen.

Steve Fletcher
Senior Network Engineer, MCSE (NT4/Win2k), HP Master ASE, CCNA,
Security+
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com


-----Original Message-----
From: Andreas [mailto:andreas () inferno nadir org]
Sent: Monday, August 23, 2004 2:16 PM
To: security-basics () securityfocus com
Subject: Re: Blocking Access to Non-domain computers

Hello,

On Thursday 19 August 2004 16:58, Brian Gehrke wrote:
I am running a W2K domain, using DHCP.  Is it possible to block
non-domain computers from getting an IP address from the DHCP server,
so they will not be able to access the Internet through the network.

Is DHCP by MAC address (which of course can easily be spoofed) an option?

regards,
andreas

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
