From: Israel Bilbao (ibilbao opennetwork.com)
Date: Mon Jul 02 2001 - 21:24:26 CDT
Also, all of the Cisco switches that I have worked with and the ones
that I have now (1900, 2900, 3500, 4000) have something called VMPS, with
which, as an administrator of the switch, you can set up a database of all
of the MAC addresses that the administrator would want to access the
network, and unless the MAC is in the database there is no way you could
send a single packet out of any port in the network. That is, of course,
if you assigned a switch as a designated server to host all of the MACs,
but let me tell you, this is very painful if you go this route, and that
is if one or several NICs go bad, well... you know the rest!!
Israel.
----- Original Message -----
From: "Ray Hooker" <Ray.Hooker attglobal.net>
Date: Friday, June 29, 2001 4:05 pm
Subject: Re: Secure DHCP...
> Another approach is the URT product from Cisco which requires user
> registration before being put in a standard VLAN. It can authenticate
> against a radius server.
>
> Ray
> ----- Original Message -----
> From: "paul Carcary" <Paul Lacewood.co.uk>
> To: <focus-ms securityfocus.com>
> Sent: Friday, June 29, 2001 5:16 AM
> Subject: RE: Secure DHCP...
>
>
> > Hi
> >
> > A far simpler way around this is an already mentioned use of Cisco
> > switches. You would only need one between the users and the DHCP
> > server(s).
> >
> > The switch port security can be set once the network is running with
> > PC's on, you then "freeze" the MAC table in the switch and set it such
> > that only those addresses on those ports are allowed access (no access -
> > no DHCP server !). It can handle many concurrent addresses per port
> > (hence 1 (some) central switches would suffice); additional MAC
> > addresses can be added manually or another "snapshot" can be taken if
> > adding a number of new PC/NICs. This will also stop a manual IP address
> > being used, unless the consultant also knows the mac address and port
> > combination of a live system (if the same mac address appears on 2
> > ports the switch will block the second port anyway).
> >
> > It's a simple solution, it is a cheap solution.
> > It's easier than manual addresse
> > Regards
> >
> > Paul Carcary
> >
> > For unknown reasons, the powers that be have recently got an idea in
> > their heads that it's not appropriate for a machine to join a network
> > and be able to receive a DHCP address as normal - the idea that a
> > consultant can come into our network, plug in his laptop, and get a
> > DHCP address bothers them, and so they're asking if there's a way to
> > make DHCP a secure protocol.
> >
> > The only answer I can think of would be a product that had a table of
> > MACs for each network, and would have to be manually maintained if
> > users moved from one network to another, or if new machines were
> > introduced to a network. Maybe something like whatever AT&T/TCI/ Home
> > did to their cable modem networks, where it extends the DHCP lease
> > offer on a condition of understanding the machine's workgroup/domain
> > name would work, but I haven't seen any software that does that. The
> > first of the two ideas sounds like even less fun than just assigning
> > everyone static IP's, and the second would be more acceptable and
> > offer some additional security. Has anyone worked with this?
> >
> > Thanks as always,
> >
> > Rob
> >
> >
>
>
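The port-security "freeze the MAC table" approach Paul describes above, shown as an added configuration example that is not part of any message in this thread. It uses current Cisco IOS syntax (the 1900/2900-series switches mentioned in the thread used an older CLI); the interface names, VLAN number and MAC address are constructed for illustration.

```cisco
! Added example: port security on Catalyst access ports, IOS syntax.
! Interface names, VLAN 10 and the MAC address below are constructed.

! Weak: a default access port learns any MAC and forwards for it, so an
! unregistered laptop reaches the DHCP server like any other host.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Hardened: "freeze" the port to the hosts seen on it. With "sticky", the
! switch writes the MACs it learns into the running config (the snapshot
! from the thread); "maximum 2" allows a PC plus one extra device.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! The same kind of port after the snapshot: the learned address is now a
! static entry, so a replaced NIC needs a new entry (or another snapshot).
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.1111.2222
 switchport port-security violation restrict
!
! "restrict" drops frames from unknown MACs, increments the violation
! counter and sends a syslog message/SNMP trap, so the attempt is visible
! rather than silently dropped ("protect") or err-disabling the port
! ("shutdown"). Verify with:
!   show port-security interface FastEthernet0/3
!   show port-security address
```

A secure MAC already bound to one port that shows up on a second secure port is treated as a violation on that second port, which is the "block the second port" behaviour Paul mentions. Because the filter is keyed on the MAC and port only, it does not check IP addresses, so it stops the unknown laptop at layer 2 before any DHCP exchange rather than securing DHCP itself.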