Security Basics mailing list archives
RE: Preventing DHCP from allocating IPs
From: CTillett () harcourt com
Date: Thu, 5 Dec 2002 22:25:08 -0500
We are dealing with this right now. We are creating an "area" on each
floor that visitors can use. The ethernet ports in these areas will be
using a private vlan that provides IP connectivity and Internet access
only. These areas are ACL'ed off from our enterprise network. It is not
perfect, but since we have good physical security and all other ports on
the switch are disabled by default, it allows our vendors to use our
network as a transport service only. I hope this helps a little.
Chris Tillett
<wbjw@mindspring.com>
Sent by: wbjw@mindspring.com
12/05/2002 02:58 PM
Please respond to wbjw

To: Rick Darsey <rdarsey () aims1 com>
cc: jon kintner <jon.kintner () lvcm com>, ssgill () gilltechnologies com, security-basics () securityfocus com
Subject: RE: Preventing DHCP from allocating IPs
Turning off DHCP does not solve anything. If you have fixed IP addresses, and the port is open, it does not take much work for someone with physical access to figure out your addressing scheme and grab an IP address.

Using managed switches and turning off unused ports will help. However, DHCP or fixed IP, if they have physical access and the will, they will get access to your resources.
On Tue, 3 Dec 2002 14:04:55 -0600 Rick Darsey <rdarsey () aims1 com> wrote:
I know this sounds like a really bad way of doing this, but it is the only way I can come up with off the top of my head: Turn off DHCP!! Statically assign all addresses in your LAN. If a visitor wants access to your network, they will have to come to you to obtain the address, or better yet, create a small DHCP pool that visitors can use, but limit the size to prevent users you do not want from accessing the network. The initial setup of the static addresses will take time, but the small DHCP pool will still allow visitors to plug in when needed.

Rick

-----Original Message-----
From: jon kintner [mailto:jon.kintner () lvcm com]
Sent: Monday, December 02, 2002 1:04 PM
To: ssgill () gilltechnologies com; security-basics () securityfocus com
Subject: Re: Preventing DHCP from allocating IPs

I know MAC addresses can be spoofed pretty easily, but could you set up an access list or filter that would disallow all MAC addresses except for the ones specified on your network(s)? The initial setup would probably be tedious, but it's worked fairly well to keep most unauthorized logins off the network at the college I attend.

-jon kintner

----- Original Message -----
From: "Sarbjit Singh Gill"
To:
Sent: Monday, December 02, 2002 7:22 AM
Subject: Preventing DHCP from allocating IPs

Greetings all,

How do I prevent a client from getting an IP from my DHCP in an Ethernet network? I know I could reserve IPs for all other clients and nobody gets an IP unless reserved earlier, but I have hundreds of clients. I frequently have visitors who need to plug in their laptops into the network and I have visitors who are not allowed to plug in their laptops into the network and get IPs. I do not want these visitors who are not allowed to access the network to get an IP and start accessing internet through my network.

What about in a wireless environment? How do I prevent it in a similar capacity?

Kind Regards
Gill
