Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DHCP Security

At 12:30 PM -0500 2/22/05, Ed Pastore wrote:
Is there any sort of "Best Practices" paper for secure DHCP implementation?

DHCP, like bootp, tftp, and their ilk are implied to be insecure. That's why they only really run on LANs.

For example with a standard DHCP setup, what is to prevent someone from
sneaking into an empty office, jacking in an AirPort Express, and sitting in
their car outside the building hacking away to their heart's content?


This isn't an DHCP issue per se.

But to answer it you should be securing your WLANs justr like you secure access to your physical LANs.

That
seems like something any script kiddie can pull off with minimal effort.


Well a non-broadcast SSID and WEP is a start. Then add to that blocking by MAC.

If DHCP is just one big security risk, then what else is recommended? 

Define what you're trying to achieve here.

 We're
thinking of making our regular nodes all fixed IPs (but still NAT, of
course), and then opening up a small DHCP pool for guests.


Guest imply insecurity.

 Hopefully we can
then lock down that DHCP pool from having very much access to the network or
even the internet.

Has anyone done anything like this? 

No, you're alone ;)

Is there a walkthrough the issues
involved and the steps necessary under OS X Server? Would that pool need a
different subnet or even a different gateway?

The canonical answer here is ask your Network Security Administrator, but I'll guess you drew that short straw too. In which case you have either a lot of reading to do or should find some outside ppl to augment your staff.

First, define a policy for access. It should already be part of your overall security policy.
--


-dhan

------------------------------------------------------------------------
Dan Shoop                                                   AIM: iWiring
Systems & Networks Architect                     http://www.iwiring.net/
email@hidden                                 http://www.ustsvs.com/

pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF  12B1 7840 3BE7 3736 DE0B

iWiring designs and supports Internet systems and networks based on
Mac OS X, unix, and Open Source application technologies and offers
24x7, guaranteed support to registered clients, at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden
References: 
 >DHCP Security (From: Ed Pastore <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.