One way that might work for you is to create a quarantine network similar to what is used for VPN access.  To get connected a user has to meet certain criteria before being allowed on the trusted network (where a browse list could be used/modified etc).  Some criteria might be a successful authentication (that would be a little odd though if they were in a DMZ type network), valid certificate, etc.  This is more commonly used for wireless users from what I've seen, but it can be a similar process with desktops, laptops, etc.  This can also work with switching/network equipment but it's fairly new to the scene IIRC.
 
I want to say that companies like Cisco, Microsoft, IBM and so on are working on technologies to solve just that problem.  Had a nice airport conversation with an IBM rep talking about Cisco and Tivoli integration for similar functionality. 
 
As for using DHCP as the authentication, I've not heard of it, nor can I think of a way to do that off the top of my head.  Like you said, the IP is required to even converse with any mechanism.
 
This would be a good thing to investigate, because even if you disable the jacks not in use, that won't be as effective in preventing rogue machines; they could just unplug a machine for example.  Won't help with wireless either I suspect.
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, May 16, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure DHCP

I am wondering if there is any way to secure DHCP from assigning leases to PCs that are not authorized on the domain. I imagine that this is not possible since, in order to authenticate, a PC needs an IP address.

The problem is that the other day we had a rogue PC plug into our network and, though probably coincidental, our browse list was messed up afterwards. So I have been tasked with finding out if there is a way to prevent unauthorized PCs from obtaining IP leases on our network (other than disabling all jacks not in use, which is what we will be doing). If not, does anyone have any suggestions on how to prevent the above situation in the future?

 

_________________________

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television