Security Basics mailing list archives
Re: Blocking Access to Non-domain computers
From: Faleh Daoud Abdel Monem <abdelmonem () webone-tunisie com>
Date: Fri, 03 Sep 2004 18:26:47 +0100
The DHCP protocol in its design lacks an auth mechanism, as it works by broadcasting requests, since the client doesn't have an IP at the beginning of the process:
- The client broadcasts a DHCPDISCOVER request.
- The server broadcasts a DHCPOFFER and temporarily reserves the IP address that it has offered.
- The client, if it accepts the offered IP address, establishes its configuration and responds to the offering server by broadcasting a DHCPREQUEST.
- The server responds to the client with a DHCPACK. This is the first step in the DHCP protocol where broadcasting is not used.
As we can see, it's mainly based on broadcasting; also, the client doesn't have an IP address to be able to authenticate itself against a domain server. So let's focus on another way to limit access, as I'm not aware of any product that may provide the required functionality.

First of all, a free network plug in an uncontrolled area of your establishment may result in security breaches, as it may result in hard-to-guess passive sniffing of your network traffic. Blocking access with MAC addresses can be a solution, but this would result in extensive administration tasks; also, in the MS Win2k DHCP server the MAC address is used for IP address reservation for a specific host.

Another available feature in MS Win2k is the /setclassid switch of the ipconfig command line tool. You may set this on all your allowed hosts (ipconfig /setclassid myclassid) and configure the address pool on your DHCP server to give a lease to machines with this classid, and another little pool space (ex. 10 IP addresses) without any options (default gateway ...) to hosts that don't match the correct classid. You could also write a little script that pings this pool of addresses or monitors the leases on this pool; whenever a host has got a lease in this pool, that means a possible break-in and you can investigate. The problem here is that we are relying on obscurity and the assumption that a possible breaker could not know about our setting.

A better practice is to limit broadcasts in your network using VLANs. You could separate your network into more organized areas which may be easily controlled and checked, configure a DHCP relay agent in each area, and you have better control over your network.
Hope this helps; I am interested in any possible solutions or suggestions about this thread.
Best Regards, Daoud.

Steven A. Fletcher wrote:
> That is the only option I can think of. If you think about it, how could you keep non-domain computers from getting an IP address? As far as I know, there is no provision in DHCP for such control. For the system to determine whether or not to give the machine an address, the machine would need to be able to communicate with the domain controllers, which would require an IP address for the communication to be able to happen.
>
> Steve Fletcher
> Senior Network Engineer, MCSE (NT4/Win2k), HP Master ASE, CCNA, Security+
> Integrity Technology Solutions
> Phone: (309) 664-8129
> Toll Free: (888) 764-8100 ext. 129
> Fax: (309) 662-6421
> sfletcher () integrityts com
>
> -----Original Message-----
> From: Andreas [mailto:andreas () inferno nadir org]
> Sent: Monday, August 23, 2004 2:16 PM
> To: security-basics () securityfocus com
> Subject: Re: Blocking Access to Non-domain computers
>
> Hello,
>
> On Thursday 19 August 2004 16:58, Brian Gehrke wrote:
> > I am running a W2K domain, using DHCP. Is it possible to block non-domain computers from getting an IP address from the DHCP server, so they will not be able to access the Internet through the network.
>
> is dhcp by mac address (which of course can easily be spoofed) an option?
>
> regards, andreas

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
---------------------------------------------------------------------------
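The exchange and the class-id scheme Daoud describes, as an added worked example that is not part of the original post or of any Windows tool: the parser decodes a DHCPDISCOVER the way a relay or a monitoring sensor would see it (ciaddr 0.0.0.0, broadcast flag, client MAC, and the user class that "ipconfig /setclassid" sends as DHCP option 77), `select_pool` applies the two-pool policy from the post, and `flag_quarantine_leases` is the lease-monitoring script idea. The class id "myclassid" is taken from the post; the pool ranges, the transaction id, the MAC addresses, the packet builder and the lease table are all constructed for this example. The point the code makes visible is the one the post concedes: the pool decision rests on a cleartext string chosen by the client, so the quarantine pool is a detection aid, not an access control.

```python
import ipaddress
import struct

# RFC 2131: a 236-byte fixed header, then the 4-byte magic cookie, then options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

# Hypothetical site policy mirroring the post: the class id pushed with
# "ipconfig /setclassid myclassid" (carried as DHCP option 77, user class),
# the pool those hosts get, and the small option-less pool for everyone else.
ALLOWED_CLASS_ID = b"myclassid"
MAIN_POOL = ipaddress.ip_network("192.168.1.0/24")          # assumed range
QUARANTINE_POOL = ipaddress.ip_network("192.168.200.0/28")  # assumed range


def parse_dhcp(packet):
    """Decode the DHCP fields that matter for this discussion."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr = ipaddress.ip_address(packet[12:16])
    chaddr = packet[28:28 + hlen]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        options[code] = data
        i += 2 + length
    msg_type = options.get(53)
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ciaddr),           # 0.0.0.0 on DISCOVER: nothing to authenticate with
        "chaddr": chaddr.hex(":"),
        "msg_type": MSG_TYPES.get(msg_type[0], "unknown") if msg_type else None,
        "user_class": options.get(77),   # the /setclassid value, sent in the clear
    }


def select_pool(msg):
    """The post's policy: matching class id -> main pool, anything else ->
    quarantine pool. The decision rests only on a cleartext string the client
    chose, which is the obscurity the post warns about."""
    return MAIN_POOL if msg["user_class"] == ALLOWED_CLASS_ID else QUARANTINE_POOL


def flag_quarantine_leases(leases):
    """The monitoring idea from the post: every lease in the quarantine pool is
    a host that did not present the class id and is worth investigating."""
    return [(ip, mac) for ip, mac in leases
            if ipaddress.ip_address(ip) in QUARANTINE_POOL]


def build_discover(mac, user_class=b"", xid=0x3903F326):
    """Construct a DHCPDISCOVER as an address-less client sends it
    (constructed test input, not a capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # BOOTREQUEST, broadcast flag
    header += b"\x00" * 16                   # ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0
    header += mac.ljust(16, b"\x00")         # chaddr
    header += b"\x00" * 192                  # sname + file unused
    opts = MAGIC_COOKIE + bytes([53, 1, 1])  # message type = DISCOVER
    if user_class:
        opts += bytes([77, len(user_class)]) + user_class
    return header + opts + b"\xff"


if __name__ == "__main__":
    managed = parse_dhcp(build_discover(bytes.fromhex("001122334455"), ALLOWED_CLASS_ID))
    unknown = parse_dhcp(build_discover(bytes.fromhex("deadbeef0001")))
    for m in (managed, unknown):
        print(m["msg_type"], m["chaddr"], "from", m["ciaddr"],
              "class:", m["user_class"], "->", select_pool(m))
    # Constructed lease table, as a script polling the server might collect it.
    leases = [("192.168.1.20", "00:11:22:33:44:55"), ("192.168.200.5", "de:ad:be:ef:00:01")]
    print("investigate:", flag_quarantine_leases(leases))
```

Running it prints one DISCOVER landing in the main pool and one in the quarantine pool, then the single quarantine lease to investigate. The parser assumes Windows sends option 77 as the raw class string, which is how the /setclassid value appears on the wire; a VLAN-per-area design with a relay agent, as the post recommends, is what actually bounds where such a broadcast can reach.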
Current thread:
- RE: Blocking Access to Non-domain computers Thomas TS (Aug 31)
- Re: Blocking Access to Non-domain computers Ansgar -59cobalt- Wiechers (Sep 02)
- Re: Blocking Access to Non-domain computers andreas (Sep 02)
- <Possible follow-ups>
- RE: Blocking Access to Non-domain computers Andrew Shore (Sep 02)
- Re: Blocking Access to Non-domain computers Faleh Daoud Abdel Monem (Sep 08)