On 2/22/05 2:04 PM, "Bill Larson" <email@hidden> wrote:
> DHCP isn't your security issue here, it is the ability for someone to
> come in and plug a computer, or wireless access point (AirPort) into
> your network without your authorization. Fix this before you worry
> about the security issues of DHCP.

That's the other component of what I was asking. What's a good way to do
this?

> If you are allowing a "small DHCP pool for guests", how will this be
> any different than a large pool? People can drown in a mud puddle as
> well as the Pacific Ocean.

In this case, I was positing that this pool could be restricted, perhaps by
isolating it on another subnet.

> How about allowing only specific systems, identified by their MAC
> or Ethernet addresses to obtain an IP address from your DHCP server?
> This way, before someone can obtain an IP address from your server,
> they will have to talk to you.

In my experience, this is a huge administration headache, and still doesn't
resolve the issue you bring up of manual IP configuration. And IIRC,
spoofing a MAC address is not difficult (at least with WiFi... not so sure
about wired NICs).

> Or, if you are serious about security, many brands of network switches
> can be programmed to only allow a specific computer (identified by its
> MAC/Ethernet address) to communicate on a particular port of the
> switch. This controls who can even communicate on the network better
> than worrying about handing out DHCP addresses. This is used to
> prevent users from moving their computer from one location on the
> network to another, such as between accounting and payroll, where the
> network is segmented among different functional groups. In certain
> situations this is a very important control mechanism.

This too sounds like an administrative nightmare, and would be
counterproductive to our current setup, where users regularly move between
different offices.

> If you are concerned about security, maybe you should consider moving
> some of your functions off of your MacOS X server and put them on
> dedicated hardware instead. MacOS X is very nice, but it isn't the
> "best" firewall, or "best" DHCP server, or "best" anything (except for
> AFP Server). If you are really concerned about the "best" part of
> "best practices" then do so, but MacOS X is only a component of this
> "best practices" and not a panacea for a well thought out operation.

I guess asking about "DHCP security" was misleading. I'm really asking about
restricting network access to allowed machines. DHCP seems to open up new
opportunities for exploits, but as you point out, closing DHCP wouldn't fix
everything.

When I first looked at "computer lists" in Workgroup Manager, I thought this
would allow me to only grant services to computers I've authorized. But
apparently, that's only AFP and such, not basic network services.

I'd love to know what steps folks are taking in cases where they can't be
100% certain of the physical security of their ports, but have to give a lot
of play to their users.