> On 2/22/05 2:04 PM, "Bill Larson" <email@hidden> wrote:
>> DHCP isn't your security issue here, it is the ability for someone to
>> come in and plug a computer, or wireless access point (AirPort) into
>> your network without your authorization. Fix this before you worry
>> about the security issues of DHCP.
> That's the other component of what I was asking. What's a good way to do
> this?
Have Marines with guns guard your network. Block unknown MACs at the
switches. But since you want "guests" just to be able to plug in
you've got some contradictions to resolve here.
>> If you are allowing a "small DHCP pool for guests", how will this be
>> any different than a large pool? People can drown in a mud puddle as
>> well as the Pacific Ocean.
> In this case, I was positing that this pool could be restricted, perhaps by
> isolating it on another subnet.
Which helps how?
>> How about only allowing specific systems, identified by their MAC
>> or Ethernet addresses, to obtain an IP address from your DHCP server?
>> This way, before someone can obtain an IP address from your server,
>> they will have to talk to you.
> In my experience, this is a huge administration headache,
Yes, such is the burden of security.
> and still doesn't
> resolve the issue you bring up of manual IP configuration.
If they're blocked by MAC address they're blocked at Layer Two. Yeah,
they could spoof this too.
> And IIRC,
> spoofing a MAC address is not difficult (at least with WiFi... not so sure
> about wired NICs).
WiFis don't have real MACs. But yes.
> This too sounds like an administrative nightmare, and would be
> counterproductive to our current setup, where users regularly move between
> different offices.
Yes, better to just be wide open and insecure than to bring
administrative resources to a problem ;)
> I guess asking about "DHCP security" was misleading. I'm really asking about
> restricting network access to allowed machines.
This is what RADIUS, MAC filters, et al are all about.
Or better yet require VPNs and VPN/SSL for access.
> DHCP seems to open up new
> opportunities for exploits, but as you point out, closing DHCP wouldn't fix
> everything.
Nothing new at all. They were implied from the start.
> I'd love to know what steps folks are taking in cases where they can't be
> 100% certain of the physical security of their ports, but have to give a lot
> of play to their users.
Network security and OS X are cousin topics. Mostly what you're asking
is off topic for here, but implied in basic network administration.
There's plenty of other lists and tons of books out there that cover
this. Asking an open-ended question on this list is over
encompassing.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring designs and supports Internet systems and networks based on
Mac OS X, unix, and Open Source application technologies and offers
24x7, guaranteed support to registered clients, at affordable rates.
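The thread above circles around two defensive questions: which machines are getting leases from your DHCP server, and whether the MAC-based allow list is actually being respected. The following is an added example, not code from either poster or from Apple's DHCP service, that runs those checks over ISC dhcpd-style syslog lines. The log lines, the allow list, the interface names (en1, en2) and the host names are all constructed for illustration; the DHCPACK and "no free leases" message formats follow ISC dhcpd's logging.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in ISC dhcpd's format (not taken from the thread).
SAMPLE_LOG = """\
Feb 22 14:04:01 gw dhcpd: DHCPACK on 10.0.1.55 to 00:0a:95:9d:68:16 (laptop-3) via en1
Feb 22 14:04:09 gw dhcpd: DHCPACK on 10.0.1.56 to 00:16:CB:AA:BB:CC (unknown-host) via en1
Feb 22 14:05:30 gw dhcpd: DHCPACK on 10.0.9.20 to 00:0a:95:9d:68:16 via en2
Feb 22 14:06:11 gw dhcpd: DHCPDISCOVER from 00:1b:63:de:ad:01 via en1: network 10.0.1.0/24: no free leases
"""

# Constructed allow list of MACs that are supposed to receive leases.
ALLOWED_MACS = {"00:0a:95:9d:68:16"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ACK_RE = re.compile(
    rf"DHCPACK on (?P<ip>\S+) to (?P<mac>{MAC})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)
# dhcpd logs this when a client is refused a lease (e.g. under deny unknown-clients).
DENIED_RE = re.compile(
    rf"DHCPDISCOVER from (?P<mac>{MAC}) via (?P<iface>[^:]+): network \S+: no free leases",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Return one dict per DHCPACK line, with the MAC normalised to lower case."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            acks.append({
                "ip": m.group("ip"),
                "mac": m.group("mac").lower(),
                "host": m.group("host") or "",
                "iface": m.group("iface"),
            })
    return acks


def unknown_clients(acks, allowed=ALLOWED_MACS):
    """Leases handed to MACs not on the allow list: the allow list is not being enforced."""
    allowed = {a.lower() for a in allowed}
    return [(a["mac"], a["ip"], a["iface"]) for a in acks if a["mac"] not in allowed]


def macs_on_multiple_segments(acks):
    """MACs that obtained leases via more than one interface/segment.

    A machine moving between offices is a benign cause; the same MAC active on
    two segments at once is worth a closer look (possible duplicate/spoofed MAC).
    """
    seen = defaultdict(set)
    for a in acks:
        seen[a["mac"]].add(a["iface"])
    return {mac: ifaces for mac, ifaces in seen.items() if len(ifaces) > 1}


def denied_clients(log_text):
    """MACs that asked for a lease and were refused: evidence that unregistered
    hardware was plugged into the network."""
    return [m.group("mac").lower()
            for m in (DENIED_RE.search(l) for l in log_text.splitlines()) if m]


if __name__ == "__main__":
    acks = parse_acks(SAMPLE_LOG)
    print("leases to unlisted MACs:", unknown_clients(acks))
    print("MACs seen on several segments:", macs_on_multiple_segments(acks))
    print("refused clients:", denied_clients(SAMPLE_LOG))
```

Run against a real dhcpd syslog this reports three things an administrator in the thread's situation would want to know: a lease granted to a MAC that should have been refused (the filter is misconfigured or bypassed), the same MAC appearing on two segments (roaming user or a spoofed address), and refused DHCPDISCOVERs, which are the audit trail of "they will have to talk to you" from the quoted advice. None of this stops a statically configured or spoofed client, as both posters note, so it complements rather than replaces port-level controls such as 802.1X/RADIUS.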
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden