[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DHCP Security

Subject: Re: DHCP Security
From: John Mundt <email@hidden>
Date: Tue, 22 Feb 2005 14:57:58 -0600
Delivered-to: email@hidden
Delivered-to: email@hidden


On Feb 22, 2005, at 14:12, nigel kersten wrote:

On 23/02/2005, at 6:28 AM, John Mundt wrote:
You can use the Carnegie-Mellon University version of dhcpd which can restrict handing out addresses to machines it knows about. That is, you list the legit MAC addresses and it won't give an address to a MAC address it isn't aware of. Also, you can hand out one set of addresses to known machines, another set to unknown machines, and then use access lists to restrict access to valuable servers.

Cisco Systems has a whole system that recognizes machines by MAC addresses, assigning them to a particular VLAN or not allowing them on the network at all.

We use the CMU version in certain locations to restrict access, though of course, a savvy user can easily circumvent it.
The ISC version of dhcpd can also be configured this way.
I was under the impression you could also do this with the OS X Server dhcpd? set up machines entries and configure it to not hand out to unknown addresses?
We have ISC configured like this:
* hand out fixed addresses for permanent machines via MAC address. * small dynamic pool, that can only be used by 'guests' that we've entered their MAC address into the DHCPD config.

I've got a web interface I put together which lets computing staff add machines to either of these pools, along with associated DNS entries.

I've also been considering implementing arpwatch to stop people unplugging a machine and manually entering the same IP details in for their own untrusted computer. Haven't had time to do this as yet though.

You're right. The CMU version is an offshoot of the ISC version which I didn't use for some reason I've forgotten. It didn't support something I needed but the CMU version did. I hand out dynamic addresses in most cases, but I can distinguish between "known" and "unknown" MAC addresses on any VLAN a person might connect to as they walk around the campuses. Then, for the "unknown" users, I can either give them no IP number at all, or one in a range that my routing ACLs can prevent from getting to protected servers.

Anyone smart enough to copy their IP number from a known machine to use on their own machine will get away with it. But I'm a K-8 school district with no great secrets to protect and no really vindictive kids yet. They have to make it to high school to do that sort of thing. And as far as your arpwatch, if they are smart enough to fake an IP, they can fake a MAC address.

John
---"The farther back you can look, the farther forward
     you are likely to see"   --  Winston Churchill
------------------------------------------------------------------------
I-II-XXXI-XXXII-Dotage, Beneteau 373-XXXII-XXXI-II-I
John P. Mundt                                      Network Manager
Hawthorn District 73               email@hidden
Vernon Hills, IL 60061                               847-990-4591

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden

References:
	>DHCP Security (From: Ed Pastore <email@hidden>)
	>Re: DHCP Security (From: John Mundt <email@hidden>)
	>Re: DHCP Security (From: nigel kersten <email@hidden>)

Prev by Date: Re: Password rules not enforced
Next by Date: Migrate from Panther server to other?
Previous by thread: Re: DHCP Security
Next by thread: Re: DHCP Security
Index(es):
- Date
- Thread

Home