Security Basics mailing list archives

RE: prohibiting visitors from connecting to network


From: "Alexander Suhovey" <asuhovey () mtu-net ru>
Date: Thu, 20 Oct 2005 23:00:45 +0400

What I'm looking for is a way to secure DHCP so that only our 
laptops/workstations can get a DHCP address. 
I was thinking of something like EAP used for remote access 
with certificates to keep computers without a certificate 
from receiving an IP address, but I can find any information 
on implementing this.

For this you could try to implement DHCP Class ID as described in the following
article:
http://techrepublic.com.com/5100-1035_11-5498436.html#

This solution is quite simple but it has its limitations. Obviously it will
not prevent a knowledgeable user from configuring a static IP for the laptop and
connecting to your network without talking to your DHCP. Or as another path
(s)he could figure out the class id from one of the corporate computers if (s)he has
physical access to one of them or possibly by sniffing network traffic for
DHCP broadcast messages.

You could have much better protection by using products like Cisco's Network
Admission Control (NAC) [1] but this will require much more investment.

[1] Cisco NAC. The Development of the Self-Defending Network 
http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm

--
Al
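
Added example (not part of the original message): the reply points out that a host with a static IP never talks to the DHCP server, so a Class ID restriction cannot stop it. One way to detect that case is to compare the addresses seen on the network with the DHCP lease table; the CSV layouts, sample rows and allow-list below are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the original post). Assumed CSV layouts:
# lease export = ip,mac,class_id ; observations = ip,mac (e.g. gateway ARP table).
LEASES = """\
10.0.0.21,00:11:22:33:44:01,CORP
10.0.0.22,00:11:22:33:44:02,CORP
10.0.0.23,00:11:22:33:44:03,CORP
"""
OBSERVED = """\
10.0.0.21,00:11:22:33:44:01
10.0.0.22,00-11-22-33-44-02
10.0.0.23,00:AA:BB:CC:DD:03
10.0.0.50,00:aa:bb:cc:dd:04
10.0.0.1,00:11:22:33:44:fe
"""
STATIC_ALLOWED = {"10.0.0.1"}  # assumed: documented static infrastructure (gateway)


def norm_mac(mac):
    """Lower-case and use ':' separators so formats from different tools compare equal."""
    return mac.strip().lower().replace("-", ":")


def rows(text):
    """Yield (ip, mac) per non-empty, non-comment line; extra columns are ignored."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split(",")[:2]
        yield str(ipaddress.ip_address(ip.strip())), norm_mac(mac)


def audit(leases_text, observed_text, allowed=frozenset()):
    """Return (ip, mac, reason) for every observed host the DHCP server cannot vouch for."""
    leases = dict(rows(leases_text))
    findings = []
    for ip, mac in rows(observed_text):
        if ip in allowed:
            continue
        if ip not in leases:
            findings.append((ip, mac, "no-lease"))        # address never handed out
        elif leases[ip] != mac:
            findings.append((ip, mac, "mac-mismatch"))    # leased to a different NIC
    return findings


if __name__ == "__main__":
    for finding in audit(LEASES, OBSERVED, STATIC_ALLOWED):
        print(*finding)
```

A finding only says the DHCP server did not issue that address to that NIC; it is a prompt to look at the switch port, not proof of a visitor device.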

