Vulnerability Development mailing list archives

Re: DHCP and Security


From: sebastion () IRELANDMAIL COM (Jeff Bachtel)
Date: Sat, 5 Feb 2000 12:44:44 -0600


Hmm, at the .edu I work for (which switched to DHCP about a year ago),
the DHCP server hands out to new MAC addresses a non-routable ip
address (such as 10.0.0.1 or whatever). There's a huge pool of those
addresses (probably with near-non-existent lease times), which are
absolutely useless, that is the only thing you can do with such a
source ip is connect to the DHCP server (which also acts as a web
server), and authenticate yourself (via ph). Once you are
authenticated, the DHCP server "knows" your MAC address (actually, it's
put into a SQL database) and will upon your next attempt to grab an
address, give you a valid, routable ip.

Most of the stuff is custom, but shouldn't take a competent coder more
than a few weeks to code and test out (assuming you already have some
sort of database [LDAP/SQL/etc] to auth against), and eliminates the
ability to deplete the pool of routable ip addresses.

jeff

On Thu, Feb 03, 2000 at 01:16:08PM -0500, Nitzenberger, Rob, MSgt, AF/XORR wrote:
Need a policy read folks:

The system I "manage" has 3200 users at various locations throughout the
world, managed by a central NOC.  Our firewall permissions (protocol and
port) are highly restrictive and report any unauthorized actions (ftp,
pings, finger,.....).  The NOC gets a report from the firewall indicating
which IP was the "offender".  If the LAN clients are configured with
static IP's, it's easy to attribute the offending action with a LAN client,
but with DHCP (which is the method of choice for our sys admin types), it
has proven difficult to "map" an IP address back to a specific user... lease
times expire, inadequate event logging..etc.

 How can I configure DHCP to balance the need for security with the wishes
of the sys admin folks?  Any Ideas?

Rob Nitzenberger
thenitz () email com
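As an added example (not code from the thread or either poster), here is how the lease-log attribution Rob asks about and the MAC-registration table Jeff describes fit together in Python: it parses constructed ISC dhcpd DHCPACK syslog lines, joins the holder's MAC against a constructed sqlite registration table, and refuses to attribute an IP once its lease would have expired without a logged renewal. The log format, the one-hour lease time, the MAC addresses and the table layout are all assumptions.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample DHCPACK lines in ISC dhcpd syslog format (not from the thread).
DHCP_LOG = """\
Feb  3 08:00:01 dhcpsrv dhcpd: DHCPACK on 10.0.0.7 to 00:11:22:33:44:55 via eth0
Feb  3 08:05:00 dhcpsrv dhcpd: DHCPACK on 10.0.0.8 to 11:22:33:44:55:66 via eth0
Feb  3 09:15:30 dhcpsrv dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 via eth0
Feb  3 11:40:12 dhcpsrv dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:ff via eth0
"""
LEASE_TIME = timedelta(hours=1)   # assumed server lease length; match it to your dhcpd.conf
ACK_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) via")

def parse_ts(text, year=2000):
    """Parse a syslog timestamp; syslog omits the year, so one is supplied."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def parse_acks(log, year=2000):
    """Return (timestamp, ip, mac) for every DHCPACK line, oldest first."""
    acks = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if m:
            acks.append((parse_ts(m.group(1), year), m.group(2), m.group(3).lower()))
    return sorted(acks)

def registration_db():
    """In-memory stand-in for the MAC -> user table the reply describes (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reg (mac TEXT PRIMARY KEY, user TEXT)")
    db.executemany("INSERT INTO reg VALUES (?, ?)",
                   [("00:11:22:33:44:55", "alice"), ("aa:bb:cc:dd:ee:ff", "bob")])
    return db

def attribute(ip, seen_at, acks, db):
    """Map an IP seen at syslog time `seen_at` to (mac, user), or None.

    The holder is the latest DHCPACK for that IP at or before the event. If the
    lease would already have expired with no renewal logged, attribution is
    refused rather than guessed; that gap is exactly what lease expiry creates.
    An unregistered MAC (never authenticated) comes back with user None.
    """
    when = parse_ts(seen_at)
    holder = None
    for ts, lease_ip, mac in acks:
        if lease_ip == ip and ts <= when:
            holder = (ts, mac)
    if holder is None or when - holder[0] > LEASE_TIME:
        return None
    row = db.execute("SELECT user FROM reg WHERE mac = ?", (holder[1],)).fetchone()
    return holder[1], (row[0] if row else None)
```

Feeding real dhcpd logs means keeping renewals (every DHCPACK) and not just initial assignments, since a renewal is what keeps a holder attributable past the first lease period.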
