Is there any sort of "Best Practices" paper for secure DHCP
implementation?
For example with a standard DHCP setup, what is to prevent someone from
sneaking into an empty office, jacking in an AirPort Express, and
sitting in
their car outside the building hacking away to their heart's content?
That
seems like something any script kiddie can pull off with minimal
effort.
If DHCP is just one big security risk, then what else is recommended?
We're
thinking of making our regular nodes all fixed IPs (but still NAT, of
course), and then opening up a small DHCP pool for guests. Hopefully
we can
then lock down that DHCP pool from having very much access to the
network or
even the internet.
You can use the Carnegie-Mellon University version of dhcpd which can
restrict handing out addresses to machines it knows about. That is,
you list the legit MAC addresses and it won't give an address to a MAC
address it isn't aware of. Also, you can hand out one set of addresses
to known machines, another set to unknown machines, and then use access
lists to restrict access to valuable servers.
Cisco Systems has a whole system that recognizes machines by MAC
addresses, assigning them to a particular VLAN or not allowing them on
the network at all.
We use the CMU version in certain locations to restrict access, though
of course, a savvy user can easily circumvent it.
John
---"The farther back you can look, the farther forward
you are likely to see" -- Winston Churchill
------------------------------------------------------------------------
I-II-XXXI-XXXII-Dotage, Beneteau 373-XXXII-XXXI-II-I
John P. Mundt Network Manager
Hawthorn District 73 email@hidden
Vernon Hills, IL 60061 847-990-4591
