Actually I don't think it was as there's a security issue with 802.1x
wired connections.. (wireless no, wired there's an issue that Slav and
Steve Riley have discussed)
Let me get a post....
Dean Wells wrote:
Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP
Can't this be done with ...what is MS using? Is it Ipsec and smartcard
authentication?
You go to Redmond, stick in a rj45 and unless you have a lovely plastic
thingy with a chip you don't get access on corpnet.
joe wrote:
There is nothing you can do around a DHCP server that will really help
you as you point out. You simply need to plug into a port, enter any
IP address or let one of the 169 addresses kick in and turn on a
sniffer and you start seeing enough traffic to figure out where to
come up with a random IP address at. All the DHCP server is is a
helper, it doesn't give you network access, it helps you find it. This
type of thing needs to be controlled either at the network level where
the switches say, sorry you can't route packets anywhere but this
private secured network or you need to make all proper network traffic
secure with some kind of tunneling/vpn type tech. The later is quite
popular for companies with wireless, you get on the wireless network
and then have to VPN into the corporate network. That way anyone who
compromises the WAPs still doesn't get anything but a network and all
traffic from everyone properly on the network is encrypted. At best
the company may allow you to surf out to the internet, this is
especially good for companies who have visitors from other companies
dropping by their facilities or are in close vicinity to other
companies who may pick up their WAPs.
You really want to start looking into Network Quarantine//Network
Access Protection/etc. It is not a simple whip out in an hour
solution, it will take forethought and possibly upgrades of network
infrastructure and your machines to do it correctly. But with it you
can set specific policy on who gets to get on the real network and who
doesn't, this includes things like domain membership as well as what
software is installed on machines and virus definition levels or OS
fix levels, etc. You write the policy that the clients have to meet or
else they don't get anything but a dead network.
I would recommend going to google, typing in network quarantine and
hit enter. You will almost certainly see several hits on MS because
they have been spending a lot of time and energy the last 4 or so
years working on this stuff and getting all of the right hardware
people together to make a good solution. They had some preliminary
stuff done a couple of years ago that people were really interested in
but started redesigning some of it to make it more flexible/capable. I
expect most of what happens in this space will most likely fall out of
Cisco and Microsoft.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
*Sent:* Friday, February 03, 2006 7:55 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Getting better control over DHCP
Assigning IP's based off of MAC addresses would be a huge headache!
Besides, just as you said the "network savvy" person can easily find
out the IP range if needed and assign them self an IP and spoof the
MAC if needed.
If something like this is possible, I would like to have a more
concrete solution.
But thank you very much for your reply.
Edwi
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Marc A.
Mapplebeck
*Sent:* Friday, February 03, 2006 7:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Getting better control over DHCP
I'm not sure if it's the best way to do it, but you could set your
entire scope to be in one exclusion range, then assign static DHCP to
authorised MACs. After that, for added security, you could set a
second scope to give out leases outside your network range so that
unauth ppl will get a lease, but not be able to see anybody, only
downside to that would be that the network savvy user could look under
network settings and see what the IP of the DHCP server is and then
assign a static IP within that range. HTH - Marc
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
*Sent:* February 3, 2006 20:13
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Getting better control over DHCP
Is it possible within a domain on an authorized DHCP server to
restrict what machines get a DHCP IP Address? For example, I want to
prevent someone from bringing in an unauthorized laptop and getting an
IP Address on the network. I want it to be so that if the machine is
not a part of the domain, it does not get any network connectivity
from the DHCP server.
Thanks,
Edwin
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/