DHCP Security

Guest

Is there a way to secure DHCP such that a computer that is not part of this
domain cannot obtain an IP address? I had a situation over the week-end
where a user brought in his own laptop, plugged in, and surfed the internet
unfiltered and undetected. I found this out while reviewing the DHCP assignments.
I guess I could do port security on those ports, but then I'd have to use
static IPs.

Andy
 
Phillip Windell

Putting DHCP and Security in the same sentence is almost an "oxymoron" :)

There are supposed to be some new technologies out that do some type of
authentication before a machine is given an IP# but I have no details on
it,... maybe someone else here will know about that. But generally speaking
the answer would be,..No.

In a very high security situation DHCP simply would not be used and all
machines would use static entries and changes to those settings would be
audited and monitored.

You could set up reservations in DHCP, but that would be very cumbersome to
manage and would kind of defeat the purpose of having DHCP,...it'd be easier
at that point to just go with static entries.
 
Leythos

Andy said:
Is there a way to secure DHCP such that a computer that is not part of this
domain cannot obtain an IP address? I had a situation over the week-end
where a user brought in his own laptop, plugged in, and surfed the internet
unfiltered and undetected. I found this out while reviewing the DHCP assignments.
I guess I could do port security on those ports, but then I'd have to use
static IPs.

The only simple way I know of is to use DHCP reservations - this means
that you reserve an IP for each device on the network and only have
enough IPs in the scope for the reservations. If you look at the DHCP
assignments it should contain the IP and MAC so you have enough info to
configure the reservations.

If you do this, while not the best method, it means that your computers
are still getting a dynamic IP, but it also means that there are no
unused IPs for non-authorised users to access.
 
Steven L Umbach

The best way to do such would be with your switches if they have the
capability. Something like the HP ProCurve 2524 [very affordable] can do
VLANs, port isolation, port MAC filtering, and 802.1X authentication. 802.1X
is by far the best way but requires the use of an IAS server, a Certificate
Authority, and compatible operating systems. Windows 2000/2003 server can do
both of these roles. Otherwise MAC filtering will keep out all but the
malicious users. A network adapter card's MAC address does not change when
it gets a new IP address. Most MAC filtering switches have a "learning" mode
where they can learn the current MAC addresses on the network to minimize
manual table building. I also suggest you create a strict computer use
policy with defined consequences [can we still do that these days] and have
the users sign a copy to put in their file for discipline for future events.
You are lucky that he did not have a worm on his computer. --- Steve

http://www.hp.com/rnd/products/switches/switch2524-2512/features.htm --
these sell for under $300 on Ebay all the time.
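The two replies above describe the same workflow from two sides: Leythos builds reservations out of the IP/MAC pairs already sitting in the lease table so nothing is left in the scope for a stranger, and Steve loads the known MACs into the switch's port MAC table. The script below is an added example, not code from this thread or from any of the posters, and it uses the DhcpServer PowerShell module that did not exist on the Windows 2000/2003 servers being discussed (it needs Windows Server 2012 or later). The scope ID 192.168.1.0 and the assumption that every current lease belongs to a machine you want to keep are placeholders to replace with your own. It goes one step past the thread by also turning on the Windows DHCP MAC allow list (Windows Server 2008 R2 and later), which refuses unknown clients outright instead of relying on the pool being empty.

```powershell
# Added example, not code from the thread. Assumes the DhcpServer module on a
# Windows Server 2012 or later DHCP server, a scope 192.168.1.0/24 (assumed),
# and that every lease currently held belongs to a machine you want to keep.
# First run lists the leases for review; rerun with -Commit to apply.
param([switch]$Commit)

$ScopeId = '192.168.1.0'   # assumed scope; replace with your own

# 1. Pull the current leases: the IP/MAC pairs the reservations are built from.
$leases = Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -eq 'Active' }

# 2. Review first. An unknown MAC or hostname here is exactly the visitor
#    laptop; remove that lease (Remove-DhcpServerv4Lease) instead of reserving it.
$leases | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime |
    Format-Table -AutoSize
if (-not $Commit) { Write-Host 'Review the list, then rerun with -Commit.'; return }

# 3. One reservation per lease; skip MACs that already have one.
$reserved = @(Get-DhcpServerv4Reservation -ScopeId $ScopeId | ForEach-Object ClientId)
foreach ($l in $leases) {
    if ($reserved -contains $l.ClientId) { continue }
    $name = if ($l.HostName) { $l.HostName } else { "host-$($l.ClientId)" }
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $l.IPAddress `
        -ClientId $l.ClientId -Name $name -Description 'Converted from lease'
}

# 4. Close the door on MACs that have no reservation. The thread's method is to
#    leave no spare addresses in the scope; the allow list (2008 R2 and later)
#    makes the server drop the DHCPDISCOVER from any MAC not on it.
Get-DhcpServerv4Reservation -ScopeId $ScopeId | ForEach-Object {
    Add-DhcpServerv4Filter -List Allow -MacAddress $_.ClientId `
        -Description "Reserved $($_.IPAddress)" -ErrorAction SilentlyContinue
}
Set-DhcpServerv4FilterList -Allow $true

# 5. The same MACs, one per line, for the switch-side port MAC table, so both
#    allow lists come from a single reviewed source.
Get-DhcpServerv4Reservation -ScopeId $ScopeId |
    ForEach-Object { $_.ClientId.ToLower() } |
    Sort-Object -Unique |
    Set-Content -Path .\allowed-macs.txt
```

Two caveats worth keeping in mind when running something like this: both DHCP-side controls only affect a client that asks the server for an address, so a visitor who types a static IP in the right range, or copies a MAC off the allow list, is still on the wire; that is the gap the switch-side measures in Steve's reply (802.1X, port MAC filtering, VLAN isolation) are there to close. And the reservation and filter lists track NICs, not machines, so a replaced network card or docking station needs a manual update before the user can get an address again.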