RE: Blocking Access to Non-domain computers

[Barrie Dempster <barrie () reboot-robot net>]

On Wed, 2004-08-25 at 21:46, Steven A. Fletcher wrote:
> Certainly!  There are a number of products that will do such a thing.
> Microsoft has had such things for a while now, even going back to the NT
> 4 days.  On NT, they had MS Proxy which has now become Microsoft
> Internet Security and Acceleration (ISA) Server.  There are other
> products, too, but that is one example.

This is a correct answer to Raoul's query, although this has nothing to
do with the OP's question. He is not interested in blocking Internet
access.
he wants to "block non-domain computers from getting an IP address from
the DHCP server"

There isn't really anyway to do this effectively that i can think of.
Most of the protocols involved in TCP/IP weren't designed for this sort
of access control, although you can enhance them with varying
technologies.

Your only option for restricting DHCP access is to use MAC address
filtering (which is trival to bypass) although if you combine this with
IPSEC, then even if a client does get an IP it will not be seen as _on_
the network by other clients and servers unless it can gain access to
the IPSEC layer. Windows has decent built in support for this, I suggest
having a look at it.

Raoul, if you are interested in options for blocking net access to
non-trusted machines, start a new thread and I'll endeavour to answer it
(would have done so here but it seemed you were just curious if your
assumption was correct, rather than looking for a definitive answer)

Regards
-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part