RE: [ActiveDir] Getting better control over DHCP
Good point Dean - Yes, we use 802.1x for wireless access, and IPSec once the clients are on the network for host level access. I read the thread as using 802.1x for accessing the wired networks, which I know several companies do. Microsoft does not use it for wired; for that we rely on IPSec and, in the future, NAP.

~Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Saturday, February 04, 2006 9:34 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP

Nod, thanks for the confirmation ... I stand corrected Susan. Out of interest Brian, what do you use for wireless? I'm certain it required a cert. that I couldn't obtain since that in turn required domain membership?

As to the original question, 802.1x remains a viable solution. I've not seen IPsec implemented to secure initial address leases, though I can envisage ways in which that could be achieved.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Saturday, February 04, 2006 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically, our production forests) cannot establish connections with machines that are in our domains.

Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature. Basically when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before they are released from quarantine. We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls.

The connect to the network using plastic thingy with chip would be our VPN solution, which we implemented. Effectively it's NAP as described above, but requires smartcards (plastic thingys) for authentication and the VPN client performs the health check.

Brian Puhl
Microsoft IT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP

Microsoft uses 802.1x auth. I believe ... as do many.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it IPsec and smartcard authentication?

You go to Redmond, stick in a rj45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.

joe wrote:

There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in and turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address at. All the DHCP server is, is a helper; it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level, where the switches say, sorry you can't route packets anywhere but this private secured network, or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine/Network Access Protection/etc. It is not a simple whip out in an hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network. I would recommend going to google, typing in network quarantine and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested
Re: [ActiveDir] Getting better control over DHCP
Slav Pigo... I'm going to massacre his name so I won't even say it (and if you think Dr. J's name is bad, you haven't seen Slav's last name). Slav pointed out a weakness in 802.1x wired deployments that can leave that network open for attacks. Thus the recommendation is to carefully review wired deployments of 802.1x. Wireless does not have this weakness.

Brian Puhl wrote:

Good point Dean - Yes, we use 802.1x for wireless access, and IPSec once the clients are on the network for host level access. I read the thread as using 802.1x for accessing the wired networks, which I know several companies do. Microsoft does not use it for wired; for that we rely on IPSec and, in the future, NAP.

~Brian
RE: [ActiveDir] Getting better control over DHCP
Nod, thanks for the confirmation ... I stand corrected Susan. Out of interest Brian, what do you use for wireless? I'm certain it required a cert. that I couldn't obtain since that in turn required domain membership?

As to the original question, 802.1x remains a viable solution. I've not seen IPsec implemented to secure initial address leases, though I can envisage ways in which that could be achieved.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
Sent: Saturday, February 04, 2006 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically, our production forests) cannot establish connections with machines that are in our domains.

Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature. Basically when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before they are released from quarantine. We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls.

The connect to the network using plastic thingy with chip would be our VPN solution, which we implemented. Effectively it's NAP as described above, but requires smartcards (plastic thingys) for authentication and the VPN client performs the health check.
Brian Puhl
Microsoft IT
Re: [ActiveDir] Getting better control over DHCP
Edwin, I'm sure you've noticed by now, but joe and Brian (both) have given you a really good idea of what you need to do to solve this. As indicated, to achieve your goal of preventing any unauthorized access to the network, you'd pretty much have to have control at the phys layer. By that I mean you'd have to control who/what can gain access there.

I think you'll want to plan (as joe suggests) because of issues such as temporary access, i.e. a vendor is working on site for 2 weeks and requires limited access to the internet for the job function, or somebody needs to roam to another site where they don't have access. You also need something that's as automated as you can get it, because you certainly can't scale a solution that requires knowing something like a MAC; ask any firewall admin that has had to do that :) Even if you did know the MAC, that's not enough to secure your network IMHO.

The NAP idea coupled with some ideas around multiple networks would likely get you much closer to solving your problem(s). I don't view a solution that requires a new OS or special software to be a solution however. Too many variables that need to work, i.e. linux laptops, old-ish clients (XP is getting long in the tooth and many haven't even upgraded to that yet!) Nope, to me it needs to be isolated from the OS that wants access and not require specialized client software. It should include authenticated access and a method to allow access long enough to become authenticated.

My $0.04 worth, as if you needed it.
Al

On 2/4/06, Brian Puhl [EMAIL PROTECTED] wrote:

At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically, our production forests) cannot establish connections with machines that are in our domains.

Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature. Basically when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before they are released from quarantine. We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls.

The connect to the network using plastic thingy with chip would be our VPN solution, which we implemented. Effectively it's NAP as described above, but requires smartcards (plastic thingys) for authentication and the VPN client performs the health check.

Brian Puhl
Microsoft IT
RE: [ActiveDir] Getting better control over DHCP
As somebody earlier mentioned, Cisco has the Port Security option on their switches, if you happen to be running a Cisco network. Once a device is plugged in, only that device can use the port. Unplug it and plug something else in and the port shuts down.

In the same vein, Cisco has Network Access Control (NAC) for doing the antivirus checks, patch checks, etc. If your laptop doesn't meet certain criteria, it isn't allowed on the network.

Al

-----Original Message-----
From: Al Mulnick [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 04, 2006 6:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Edwin, I'm sure you've noticed by now, but joe and Brian (both) have given you a really good idea of what you need to do to solve this. As indicated, to achieve your goal of preventing any unauthorized access to the network, you'd pretty much have to have control at the phys layer. By that I mean you'd have to control who/what can gain access there.

I think you'll want to plan (as joe suggests) because of issues such as temporary access, i.e. a vendor is working on site for 2 weeks and requires limited access to the internet for the job function, or somebody needs to roam to another site where they don't have access. You also need something that's as automated as you can get it, because you certainly can't scale a solution that requires knowing something like a MAC; ask any firewall admin that has had to do that :) Even if you did know the MAC, that's not enough to secure your network IMHO.

The NAP idea coupled with some ideas around multiple networks would likely get you much closer to solving your problem(s). I don't view a solution that requires a new OS or special software to be a solution however. Too many variables that need to work, i.e. linux laptops, old-ish clients (XP is getting long in the tooth and many haven't even upgraded to that yet!)
Nope, to me it needs to be isolated from the OS that wants access and not require specialized client software. It should include authenticated access and a method to allow access long enough to become authenticated.

My $0.04 worth, as if you needed it.

Al
RE: [ActiveDir] Getting better control over DHCP
I like two approaches: 802.1x+NAP or generalized VPN (with NAP), especially for companies who frequently have guests in their network.

NAP as implemented today in VPN is not about security, it's about health checking. Somebody who wants to get into the network would be able to do so if he's familiar with NAP. I haven't tested NAP in LH yet - maybe it changed. But the current implementation for VPN only requires you to run a command with a password which is clear-text in the check-health script. As soon as you run that command you'll be switched from Quarantine to production.

802.1x authentication works for wired and wireless networks and requires client side certificates, so that's a good approach to protect your network.

What I mean with generalized VPN (with NAP) is that I also like the approach of putting the whole network on the internet, having a firewall between clients and servers, and requiring a VPN (with NAP) to tunnel to the servers. VPN has different stages of security, and I believe the smartcard-based VPN MS uses is very secure. I really like that solution because it's corporate-guest friendly - whoever you are expecting for a meeting or presentation can have network access and VPN into his own company if needed, and your employees are also able to gain access and VPN into their company.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

P.S.: Not directed to you Brian, but to the others. This post just fits here after yours ;-)

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED]] On Behalf Of Brian Puhl
|Sent: Saturday, February 04, 2006 6:01 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Getting better control over DHCP
|
|At Microsoft we do not use 802.1x, so if you were to walk up
|to a port on our corporate network and plug in, you would get
|an IP and have access to some things.
|
|What we do instead is domain isolation via IPSec, which
|means that machines which are not joined to an MSIT managed
|domain (basically, our production forests) cannot establish
|connections with machines that are in our domains.
|
|Rather than deploying 802.1x, we are in the process of
|implementing Network Access Protection, which is a
|Longhorn/Vista feature. Basically when a machine connects to
|the network it is quarantined and must pass a health check
|(think patches, AV, and any other config we want to mandate)
|before they are released from quarantine. We haven't deployed
|this widely, it's still in an engineering phase, however this
|is the direction we're taking our network controls.
|
|The connect to the network using plastic thingy with chip
|would be our VPN solution, which we implemented. Effectively
|it's NAP as described above, but requires smartcards (plastic
|thingys) for authentication and the VPN client performs the
|health check.
|
|Brian Puhl
|Microsoft IT
RE: [ActiveDir] Getting better control over DHCP
Thanks everyone for your replies. I can see that I have a lot of discussion to look forward to with the network engineers. I definitely have enough information to get me started in making a good decision. If only Longhorn and Vista were released already, then it would seem as though my question could be more easily answered. Thank you again everyone.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Garrett
Sent: Saturday, February 04, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

As somebody earlier mentioned, Cisco has the Port Security option on their switches, if you happen to be running a Cisco network. Once a device is plugged in, only that device can use the port. Unplug it and plug something else in and the port shuts down.

In the same vein, Cisco has Network Access Control (NAC) for doing the antivirus checks, patch checks, etc. If your laptop doesn't meet certain criteria, it isn't allowed on the network.

Al
You also need something that's as automated as you can get it because you certainly can't scale a solution that requires knowing something like a MAC; ask any firewall admin that has had to do that :) Even if you did know the MAC, that's not enough to secure your network IMHO. The NAP idea coupled with some ideas around multiple networks would likely get you much closer to solving your problem(s). I don't view a solution that requires a new OS os special software to be a solution however. Too many variables that need to work i.e. linux laptops, old-ish clients (XP is getting long in tooth and many haven't even upgraded to that yet!) Nope, to me it needs to be isolated from the OS that wants access and not require specialized client software. It should include authenticated access and a method to allow access long enough to become authenticated. My $0.04 worth, as if you needed it. Al On 2/4/06, Brian Puhl [EMAIL PROTECTED] wrote: At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically, our production forests) cannot establish connections with machines that are in our domains. Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature.Basically when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before they are released from quarantine.We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls. 
The connect to the network using plastic thingy with chip would be our VPN solution, which we implemented.Effectively it's NAP as described above, but requires smartcards (plastic thingys) for authentication and the VPN client performs the health check. Brian Puhl Microsoft IT -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Dean Wells Sent: Friday, February 03, 2006 7:19 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Getting better control over DHCP Microsoft uses 802.1x auth. I believe ... as do many. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, February 03, 2006 8:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Getting better control over DHCP Can't this be done with ...what is MS using? Is it Ipsec and smartcard authentication? You go to Redmond, stick in a rj45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet. joe wrote: There is nothing you can do around a DHCP server that will really help you as you point out. You simply need
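Al Garrett's Cisco Port Security suggestion, as an added example that is not code from the thread: a small Python audit that reads a constructed IOS running-config excerpt (the interface names, VLAN numbers and descriptions are made up) and lists the access ports that do not enforce port-security, allow more than one secure MAC, or use the silent "protect" violation mode. The defaults it fills in when a line is absent (maximum 1, violation shutdown) are IOS's documented defaults; trunk ports are skipped because port-security is an access-port control.

```python
# Added example, not from the mailing-list thread: audit an IOS config for
# access ports without effective port-security. SAMPLE_CONFIG is constructed.
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user desk 101
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 description user desk 102
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description printer
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""

@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

def parse_interfaces(config: str) -> list:
    """Split an IOS config into interface stanzas: name plus its indented body lines."""
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(" ", 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return interfaces

def audit_port_security(config: str, max_allowed: int = 1) -> dict:
    """Return {interface_name: [findings]} for access ports that fall short.

    A port passes when port-security is enabled, the secure-MAC maximum is at
    most `max_allowed`, and violations are not handled by silent 'protect'."""
    findings = {}
    for intf in parse_interfaces(config):
        body = intf.lines
        if "switchport mode access" not in body:
            continue                # trunks/uplinks are out of scope here
        problems = []
        if "switchport port-security" not in body:
            problems.append("port-security not enabled")
        else:
            maximum, violation = 1, "shutdown"   # IOS defaults when not configured
            for line in body:
                m = re.match(r"switchport port-security maximum (\d+)$", line)
                if m:
                    maximum = int(m.group(1))
                m = re.match(r"switchport port-security violation (\w+)$", line)
                if m:
                    violation = m.group(1)
            if maximum > max_allowed:
                problems.append(f"maximum {maximum} exceeds {max_allowed}")
            if violation == "protect":
                problems.append("violation mode 'protect' drops silently, no log/shutdown")
        if problems:
            findings[intf.name] = problems
    return findings

if __name__ == "__main__":
    for name, probs in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(probs)}")
```

Point it at saved "show running-config" output instead of SAMPLE_CONFIG to audit a real switch. Keep in mind what port-security actually keys on: it pins a source MAC to a port, and a MAC can be cloned, so it raises the bar against casual plug-ins but is the same MAC-based trust Edwin objected to for DHCP reservations, one layer down.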
[ActiveDir] Getting better control over DHCP
Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server. Thanks, Edwin
RE: [ActiveDir] Getting better control over DHCP
I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease, but not be able to see anybody. The only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range.

HTH - Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting better control over DHCP

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks, Edwin
RE: [ActiveDir] Getting better control over DHCP
Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the network savvy person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, February 03, 2006 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease, but not be able to see anybody. The only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range.

HTH - Marc
RE: [ActiveDir] Getting better control over DHCP
The only other option would be to use managed switches and again, you would need the MACs of all auth. machines, as you would need to register each MAC for them to filter traffic. Unfortunately, other than that, it's not that easy.

- Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the network savvy person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin
RE: [ActiveDir] Getting better control over DHCP
You'd have to go with DHCP reservations for each MAC you want to authorize. Some of the NAC and NAP stuff that's starting to come out from MS and Cisco is also an option to consider.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, February 03, 2006 7:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting better control over DHCP

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks, Edwin
RE: [ActiveDir] Getting better control over DHCP
There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is is a helper; it doesn't give you network access, it helps you find it.

This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine / Network Access Protection / etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, February 03, 2006 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the network savvy person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin
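The two points made above, joe's "plug in, let a 169 address kick in, turn on a sniffer" and Marc's caveat that a decoy scope still reveals the DHCP server's address, as one added example in Python that is not code from the thread. It builds a handful of constructed Ethernet frames (ARP requests and replies plus one DHCPOFFER; every MAC and IP is made up, using the 192.0.2.0/24 documentation range and a 10.99.0.0/24 decoy lease), then parses them the way a passive listener would: ARP chatter gives the live hosts, the address everyone asks for is the likely gateway, and DHCP option 54 (server identifier) in the offer exposes the real server even when the lease itself is bogus. Nothing is sent; the same parsers apply to frames read from a real capture.

```python
# Added example (not from the thread): what a rogue host learns by listening on
# an open port. All frames below are constructed with made-up addresses.
import ipaddress
import struct
from collections import Counter

ETH_ARP, ETH_IP = 0x0806, 0x0800
IPv4 = ipaddress.IPv4Address

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def arp_frame(op, smac, sip, tmac, tip):
    """Ethernet + ARP; op 1 = request (broadcast), op 2 = reply (unicast)."""
    dst = b"\xff" * 6 if op == 1 else mac(tmac)
    arp = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op) + mac(smac) + IPv4(sip).packed + mac(tmac) + IPv4(tip).packed
    return dst + mac(smac) + struct.pack("!H", ETH_ARP) + arp

def dhcp_offer_frame(smac, server_ip, cmac, offered_ip, mask):
    """Minimal DHCPOFFER (RFC 2131): option 53 = 2, 54 = server identifier, 1 = mask."""
    opts = b"\x35\x01\x02\x36\x04" + IPv4(server_ip).packed + b"\x01\x04" + IPv4(mask).packed + b"\xff"
    dhcp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)              # op .. flags
            + b"\x00" * 4 + IPv4(offered_ip).packed + IPv4(server_ip).packed  # ciaddr, yiaddr, siaddr
            + b"\x00" * 4 + mac(cmac) + b"\x00" * 10 + b"\x00" * 192          # giaddr, chaddr, sname+file
            + b"\x63\x82\x53\x63" + opts)                                     # magic cookie, options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4(server_ip).packed, b"\xff" * 4) + udp
    return mac(cmac) + mac(smac) + struct.pack("!H", ETH_IP) + ip

def dhcp_options(opts):
    """Walk the TLV option list; return {code: value_bytes}."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                       # pad byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_frame(frame):
    """('arp', op, sender_ip, target_ip) | ('dhcp', offered_ip, server_id) | None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return ("arp", struct.unpack("!H", frame[20:22])[0], IPv4(frame[28:32]), IPv4(frame[38:42]))
    if ethertype == ETH_IP and frame[23] == 17:                  # IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if struct.unpack("!HH", udp[:4]) == (67, 68):            # DHCP server -> client
            dhcp = udp[8:]
            sid = dhcp_options(dhcp[240:]).get(54)               # option 54: server identifier
            return ("dhcp", IPv4(dhcp[16:20]), IPv4(sid) if sid else None)
    return None

def covering_network(hosts):
    """Smallest aligned block that contains every observed host."""
    net = ipaddress.ip_network(f"{hosts[0]}/32")
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net

def passive_recon(frames):
    """Summarise what ARP chatter and one DHCPOFFER reveal, without sending a packet."""
    seen, asked = Counter(), Counter()
    offered = dhcp_server = None
    for p in filter(None, map(parse_frame, frames)):
        if p[0] == "arp":
            if p[2] != IPv4("0.0.0.0"):       # ARP probes carry no sender address yet
                seen[p[2]] += 1
            if p[1] == 1:
                asked[p[3]] += 1              # what everyone asks for is usually the gateway
        else:
            offered, dhcp_server = p[1], p[2] # lease may be a decoy; server id is on the real segment
            if dhcp_server:
                seen[dhcp_server] += 1
    subnet = covering_network(sorted(seen))
    return {"hosts": sorted(seen),
            "gateway_guess": asked.most_common(1)[0][0] if asked else None,
            "subnet": subnet, "dhcp_server": dhcp_server, "offered": offered,
            "free_candidate": next(c for c in subnet.hosts() if c not in seen)}

# Constructed capture: three workstations ARPing for the gateway, the gateway replying,
# an ARP probe from a host with no address, and a DHCPOFFER from a decoy 10.99.0.0/24 scope.
FRAMES = [
    arp_frame(1, "00:11:22:33:44:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    arp_frame(2, "00:11:22:33:44:fe", "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10"),
    arp_frame(1, "00:11:22:33:44:02", "192.0.2.11", "00:00:00:00:00:00", "192.0.2.1"),
    arp_frame(1, "00:11:22:33:44:03", "192.0.2.12", "00:00:00:00:00:00", "192.0.2.1"),
    arp_frame(1, "00:11:22:33:44:04", "0.0.0.0", "00:00:00:00:00:00", "192.0.2.13"),
    dhcp_offer_frame("00:11:22:33:44:fd", "192.0.2.2", "00:11:22:33:44:04", "10.99.0.50", "255.255.255.0"),
]

if __name__ == "__main__":
    for key, value in passive_recon(FRAMES).items():
        print(f"{key:15} {value}")
```

With only five hosts seen the inferred block is a /28 rather than the real /24; more listening time widens it, and the free address it picks is enough to start talking. The DHCP side is the same thing a client shows under "DHCP Server" in ipconfig /all, which is what Marc's caveat is about. None of this is visible on a port that is disabled or quarantined by the switch, which is joe's point about controlling it at the network level.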
Re: [ActiveDir] Getting better control over DHCP
Can't this be done with ...what is MS using? Is it IPsec and smartcard authentication? You go to Redmond, stick in an RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.

joe wrote:

There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is is a helper; it doesn't give you network access, it helps you find it.

This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine / Network Access Protection / etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com

List info : http://www.activedir.org/List.aspx List FAQ
RE: [ActiveDir] Getting better control over DHCP
Yeah, that is the tunneling/VPN stuff I mentioned, and I pointed out wireless as an example. You can do that with your regular network stuff too.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it IPsec and smartcard authentication? You go to Redmond, stick in an RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.
RE: [ActiveDir] Getting better control over DHCP
Joe,

From what I understand of MS NAP, it only helps if the machines belong to the domain, is that correct? It doesn't stop someone from plugging in and hard coding an IP. I get the impression it is designed to be used in conjunction with Cisco's Clean Access product.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 03, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is is a helper; it doesn't give you network access, it helps you find it.

This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine / Network Access Protection / etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Getting better control over DHCP
Microsoft uses 802.1x auth. I believe ... as do many.

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it IPsec and smartcard authentication? You go to Redmond, stick in an RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.
Re: [ActiveDir] Getting better control over DHCP
Actually I don't think it was, as there's a security issue with 802.1x wired connections (wireless no, wired there's an issue that Slav and Steve Riley have discussed). Let me get a post.

Dean Wells wrote:
Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ... what is MS using? Is it IPsec and smartcard authentication? You go to Redmond, stick in an RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.

joe wrote:
There is nothing you can do around a DHCP server that will really help you, as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in, turn on a sniffer, and you start seeing enough traffic to figure out where to come up with a random IP address. All the DHCP server is is a helper; it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level, where the switches say "sorry, you can't route packets anywhere but this private secured network", or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless: you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network, and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet; this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.

You really want to start looking into Network Quarantine / Network Access Protection / etc. It is not a simple whip-out-in-an-hour solution; it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't; this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.

I would recommend going to Google, typing in "network quarantine" and hitting enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, February 03, 2006 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the network-savvy person can easily find out the IP range if needed, assign themselves an IP, and spoof the MAC if needed. If something like this is possible, I would like to have a more concrete solution. But thank you very much for your reply.

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, February 03, 2006 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauthorised people will get a lease but not be able to see anybody. The only downside to that would be that the network-savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range.

HTH
- Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:13
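An added example, not code from the thread or from any of its posters, illustrating the two points made above: joe's observation that a host with no lease at all can learn the in-use subnet just by listening to ARP broadcasts, and Marc's caveat that a "decoy" scope still hands the client the DHCP server's real address. Everything in it is constructed: the DHCPOFFER is built inline (decoy scope 192.0.2.0/24, server identifier 10.0.1.5), the ARP broadcast list is made up, and the /24 prefix used to group ARP senders is an assumption because ARP carries no mask. The parser itself follows the RFC 2131 BOOTP header layout and RFC 2132 option encoding, so it would also run on the UDP payload of a real OFFER.

```python
"""Why a DHCP scope is a helper, not an access control (added example).

All inputs below are constructed; nothing here touches a network.
"""
import ipaddress
import struct
from collections import Counter

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie, at byte offset 236


def build_dhcp_offer(yiaddr: str, server_id: str, options: dict) -> bytes:
    """Construct a minimal DHCPOFFER: 236-byte BOOTP header + cookie + options.

    Constructed sample, not a capture; the xid and chaddr are placeholders."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,                     # xid, secs, flags (broadcast bit)
        b"\0" * 4,                                 # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,      # yiaddr: the offered address
        ipaddress.IPv4Address(server_id).packed,   # siaddr
        b"\0" * 4,                                 # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,       # chaddr, sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + DHCP_MAGIC + body + b"\xff"    # 0xff = END option


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the RFC 2132 option TLVs that follow the magic cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                # PAD: one byte, no length field
            i += 1
            continue
        if code == 255:              # END
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def offer_summary(payload: bytes) -> dict:
    """What a client learns from one OFFER. The server identifier (option 54)
    is the server's own address; when it lies outside the offered scope, the
    'decoy' scope has just revealed the real network."""
    opts = parse_dhcp_options(payload)
    offered = ipaddress.IPv4Address(payload[16:20])          # yiaddr
    mask = ipaddress.IPv4Address(opts[1])                    # subnet mask option
    server = ipaddress.IPv4Address(opts[54])                 # server identifier
    scope = ipaddress.IPv4Network(f"{offered}/{mask}", strict=False)
    return {
        "offered": str(offered),
        "scope": str(scope),
        "server": str(server),
        "server_outside_scope": server not in scope,
    }


def infer_network(arp_broadcasts: list, prefix: int = 24) -> tuple:
    """From (sender, target) pairs seen in ARP who-has broadcasts, return the
    busiest /prefix network, the most-asked-for target (normally the default
    gateway) and the first address in that network nobody has been seen using.
    The prefix is an assumption: ARP carries no mask."""
    if not arp_broadcasts:
        raise ValueError("no ARP traffic observed")
    nets = Counter(ipaddress.ip_network(f"{snd}/{prefix}", strict=False)
                   for snd, _ in arp_broadcasts)
    net = nets.most_common(1)[0][0]
    targets = Counter(tgt for _, tgt in arp_broadcasts
                      if ipaddress.ip_address(tgt) in net)
    gateway = targets.most_common(1)[0][0]
    seen = {ipaddress.ip_address(a) for pair in arp_broadcasts for a in pair}
    free = next(str(h) for h in net.hosts() if h not in seen)
    return str(net), gateway, free


# Constructed inputs ---------------------------------------------------------
# A decoy scope leases 192.0.2.0/24 (TEST-NET-1), but the server identifier
# is the DHCP server's real address on 10.0.1.0/24.
DECOY_OFFER = build_dhcp_offer(
    "192.0.2.10", "10.0.1.5",
    {53: b"\x02",                                        # DHCPOFFER
     1: ipaddress.IPv4Address("255.255.255.0").packed,   # subnet mask
     3: ipaddress.IPv4Address("192.0.2.1").packed,       # router (decoy)
     51: struct.pack("!I", 3600),                        # lease time
     54: ipaddress.IPv4Address("10.0.1.5").packed},      # server identifier
)

# ARP who-has broadcasts a listener on the same VLAN sees without any lease.
ARP_BROADCASTS = [
    ("10.0.1.20", "10.0.1.1"), ("10.0.1.21", "10.0.1.1"),
    ("10.0.1.22", "10.0.1.5"), ("10.0.1.23", "10.0.1.1"),
    ("10.0.1.20", "10.0.1.22"),
]

if __name__ == "__main__":
    print(offer_summary(DECOY_OFFER))
    print(infer_network(ARP_BROADCASTS))
```

Run as-is it reports that the offered scope is 192.0.2.0/24 while the server sits at 10.0.1.5 (outside it), and that the ARP traffic alone points to 10.0.1.0/24 with 10.0.1.1 as the probable gateway and 10.0.1.2 as an address nobody is using; that second result needs no lease at all, which is the argument for controlling the port (802.1x) or the traffic (IPsec/NAP) rather than the scope.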
Re: [ActiveDir] Getting better control over DHCP
Yup, not 802.1x for wired connections... wireless yes, but wired there's an issue.

Mitigating the Threats of Rogue Machines—802.1X or IPsec? -- TechNet Column - Security Management - August 2005:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx
Article by the blonde guy of the Northwest Riley clan.

http://www.microsoft.com/technet/itsolutions/msit/default.mspx

This article talks about our IPsec implementation and has a short section on why we chose it over 802.1x:
http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx
http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx#EDAA

This article shows how we implemented wireless security using 802.1x EAP/TLS:
http://www.microsoft.com/technet/itsolutions/msit/security/secwlan.mspx

Dean Wells wrote:
Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] Getting better control over DHCP
I was under the impression it was 802.1x. Your certificate is stored on the smartcard.

Cheers
Ken

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 2/4/2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Actually I don't think it was, as there's a security issue with 802.1x wired connections (wireless no, wired there's an issue that Slav and Steve Riley have discussed). Let me get a post.

Dean Wells wrote:
Microsoft uses 802.1x auth. I believe ... as do many.
Re: [ActiveDir] Getting better control over DHCP
Not that I was told... not on a wired connection, as there is a security issue (see the other post)... it's IPsec that I'm aware of. If the blue badges want to confirm or deny those links/info I'm sure one will chime in.

I've also seen that when a blue badge goes to a different LAN (whatever they call the difference between the Mothership Redmond (main ship) and Mothership Charlotte (CSS support)) they first have to log in to that network with a wired connection, gain creds, then they can use the wireless for access. Not exactly sure of the process behind that one... just know that's the process they do before wireless access is handed out.

Ken Schaefer wrote:
I was under the impression it was 802.1x. Your certificate is stored on the smartcard.

Cheers
Ken

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Getting better control over DHCP
IT's Showtime: http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=9

If I remember right, in this webcast Steve Riley discusses the issues with a wired 802.1x implementation.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
Not that I was told... not on a wired connection, as there is a security issue (see the other post)... it's IPsec that I'm aware of. If the blue badges want to confirm or deny those links/info I'm sure one will chime in.

I've also seen that when a blue badge goes to a different LAN (whatever they call the difference between the Mothership Redmond (main ship) and Mothership Charlotte (CSS support)) they first have to log in to that network with a wired connection, gain creds, then they can use the wireless for access. Not exactly sure of the process behind that one... just know that's the process they do before wireless access is handed out.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Getting better control over DHCP
At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things. What we do instead is domain isolation via IPsec, which means that machines which are not joined to an MSIT-managed domain (basically, our production forests) cannot establish connections with machines that are in our domains.

Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature. Basically, when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before it is released from quarantine. We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls.

The "connect to the network using plastic thingy with chip" would be our VPN solution, which we implemented. Effectively it's NAP as described above, but it requires smartcards (plastic thingys) for authentication and the VPN client performs the health check.

Brian Puhl
Microsoft IT

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP

Microsoft uses 802.1x auth. I believe ... as do many.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ... what is MS using? Is it IPsec and smartcard authentication? You go to Redmond, stick in an RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.