Re: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-18 Thread Javier Jarava

Duh!!

You know how it is: too little sleep, too much to do ;)

Thanks a lot for your idea ... I'm pretty sure I fly-read your post
and then I "got" the idea myself ;)

JJ

On 16/01/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

"OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth."

In case you weren't sure - this is exactly what I was suggesting you
consider, in my first post :)

neil


RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-16 Thread Brian Desmond
On Cisco's you should be looking at a switchport level feature called
DHCP snooping.

ip helper-address does more than just forward DHCP packets just an FYI.

The term I use for the issue with the routers is that they're plugged in
backwards when someone gets the WAN and LAN confused. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-16 Thread Al Garrett
Not sure about other switch brands... we've been Cisco-centric for
years.

The command in Cisco IOS is "ip helper-address x.x.x.x" to tell DHCP
packets where to go across VLANs... but

This still doesn't prevent a rogue DHCP server from popping up on a
VLAN. (Think about a Linksys wired/wireless router brought to work by a
well-meaning but technically-challenged person and plugged into a local
port in order to get wireless in their cubicle/office)

Al


RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-16 Thread neil.ruston
"OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth."

In case you weren't sure - this is exactly what I was suggesting you
consider, in my first post :)

neil



RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-16 Thread Javier Jarava
Sorry for the delay on getting back on this, had a few things piled up after
New Year's...

You're right on the fact that routers isolating the VLANs limit the impact
of this issue... The "problem" is that the idea is to re-configure routers
to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a
few DHCP servers, instead of having to set up a DHCP server on each VLAN.

Somebody suggested having a multi-homed DHCP server, with a "leg" on each
VLAN, so that we get containment and DHCP service on every VLAN. I don't
know at the moment if that's possible (I have to check with the client, to
see if their network topology has a "hub" where all VLANs "come close").
OTOH, I am wondering if it'd be possible to configure the routers so that
they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something
similar to what we've done with the local filtering on the workstations)...
We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't
have to go the "multi-homed server" route...

Thanks a lot for the input received so far. It's made me explore several
options that I had not considered ;)

As always, a pleasure.

Javier

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-09 Thread neil.ruston
Your last statement is true but then if routers restrict BOOTP traffic
as I describe, then the rogue DHCP server will only affect the VLAN on
which it exists. At least that way, you've reduced the impact.

neil


RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible
to do DHCP-proxy to pass along the DHCP requests to the proper servers.
That's something that will have to be done, as the client's network is split
in different VLAN segments, and in multiple locations/sites, and they'd like
to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP 
> servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from
> playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found 
> anything that makes it possible to auth. a DHCP server, so that the 
> clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP server is
> Windows-based, you have to "auth" it on the Domain. That prevents the
> AD/infrastructure admins from shooting themselves in the foot by
> having too many/improperly configured servers.. But that won't stop a
> rogue VM from being a nuisance...
> 
> I've found this problem in one of our customers' sites. They use static
> IP addressing, but we were setting up a few of their computers with a
> different sw load and configuration, and they wanted to use DHCP to
> make config changes more dynamic. When running on an isolated network
> segment, all was fine, but once we moved "into" their network (to do a
> pilot test) we found a DHCP server serving a range outside their own,
> and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no 
> open ports whatsoever (tcp/udp), at least that I could find. Strange 
> ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load included
> an IP filtering component, so we decided to block
> UDP/67 and UDP/68 traffic from all IP addresses and only allow it for
> 255.255.255.255 and the IP address of the servers we were going to
> use... But using a whitelist is a bit of a PITA, so I was wondering if
> there was some other "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi!

Thanks for the tips on using classid. Unfortunately, I'm not that sure if
that'd work...

From what I've been able to read / see about DHCP ClassID, it's not really
meant as a way to filter/select a DHCP server or to avoid getting a response
from a "wrong" server, but more as a way for a server to filter/refine the
results that the server sends back to the client. In this case, it's not
really a case of "get the proper options" but rather of "not talk to the
wrong server".. Of course, I might be wrong (and in this case, I'd really
love to be proven wrong ;) But from what I've seen at:
http://technet2.microsoft.com/WindowsServer/en/library/13cbcfbd-2d9d-40fd-8b54-5c8090924eb21033.mspx?mfr=true
the classes are to be able to provide specialized/extra info to clients.

I've done a bit of testing: I've set up one VM (XP SP2) with a (user)
classid on its lan, and a W2003 DHCP VM Server with different options
depending on the ClassID. The behaviour is as expected, the system gets
different options (DNS servers, etc) depending on the classid.

After that, I've turned off the DHCP server and started the VMware DHCP
Service (where no classid or other options have been set). I've done a
release/refresh on the network card, and I get an IP address from the
"wrong" DHCP server (the desired behaviour is, if no "good" DHCP servers are
listening, then the client should get no IP address). Maybe the client will
be able to reject the offer from the wrong DHCP server when it (also) gets
an offer from the proper DHCP server that is "branded" with the ClassID, but
although somewhat useful that's not what I'm after...

Maybe someone more familiar with DHCP than myself might correct me if my
understanding of classid is wrong?

Thanks a lot in advance.

Javier Jarava


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, 08 January 2007 14:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP
> server is
> Windows-based, you have to "auth" it on the Domain. That
> prevents the AD/infrastructure admins from shooting
> themselves in the foot by having too many/improperly
> configured servers.. But that won't stop a rogue VM from
> being a nuisance...
> 
> I've found this problem in one of our customers sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Thanks a lot for the info. Will look into that carefully ;)

Javier J 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James (njan)
Eaton-Lee
Sent: Monday, 08 January 2007 16:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Javier Jarava wrote:
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from
> playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found
> anything that makes it possible to auth. a DHCP server, so that the
> clients don't fall for a rogue one.

I wrote a paper on this (and put the slides for a presentation I did on 
it online). At the time (and still, apart from what I've stuck online), 
there doesn't seem to be any definitive guide to why DHCP is insecure 
and what one might do to improve it. It's not totally exhaustive, but I 
think it's reasonable:

http://www.jeremiad.org/download.shtml

Hope that helps! Feedback welcome, if anyone reads it ;)

  - James.

-- 
   James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

   "The universe is run by the complex interweaving of three
   elements: Energy, matter, and enlightened self-interest." - G'Kar

  https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
-- 



Re: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread James (njan) Eaton-Lee

Javier Jarava wrote:
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from playing
> havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found anything
> that makes it possible to auth. a DHCP server, so that the clients don't
> fall for a rogue one.


I wrote a paper on this (and put the slides for a presentation I did on 
it online). At the time (and still, apart from what I've stuck online), 
there doesn't seem to be any definitive guide to why DHCP is insecure 
and what one might do to improve it. It's not totally exhaustive, but I 
think it's reasonable:


http://www.jeremiad.org/download.shtml

Hope that helps! Feedback welcome, if anyone reads it ;)

 - James.

--
  James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

  "The universe is run by the complex interweaving of three
  elements: Energy, matter, and enlightened self-interest." - G'Kar

 https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--




RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Javier Jarava
Hi!

Thanks for the answer. The issue is/was, the client has a pretty big network
and they don't have layer 1 access control in place. They DO have their
network segmented using VLANs, at least on their HQ, where the testing was
taking place.

So we "knew" the rogue server was "close" to where we were testing: in the
same VLAN. But that VLAN includes everybody from their IT dept (and they're
a BIG client, with over 50,000 users in several hundreds, if not thousands,
of locations, so they have a big IT dept).

Another issue (not sure if it's relevant) is that the MAC address of the
rogue server suggested that the server was in fact a VMWARE VM... So if the
host computer has a "valid" network port on the switch, I guess that any of
the VMs that use the same physical network card would be allowed to connect
to the network.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Monday, 08 January 2007 13:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Best I have seen is to control physical access to your network at layer
1.

Things to include, don't activate ports until the device is provisioned.
You might try a network monitor configured to listen for unauthorized
offers from servers.  The solution you posted below is pretty slick as
well.

It all depends on how secure your client wants their network to be ...
and how usable.

Todd  

-Original Message-
From: Javier Jarava [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing
havoc with a network?

I have been digging into "dhcp security" but I haven't really found anything
that makes it possible to auth. a DHCP server, so that the clients don't
fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is
Windows-based, you have to "auth" it on the Domain. That prevents the
AD/infrastructure admins from shooting themselves in the foot by having too
many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers' sites. They use static IP
addressing, but we were setting up a few of their computers with a different
sw load and configuration, and they wanted to use DHCP to make config
changes more dynamic. When running on an isolated network segment, all was
fine, but once we moved "into" their network (to do a pilot test) we found a
DHCP server serving a range outside their own, and really messing things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP
filtering component, so we decided to block UDP/67 and UDP/68 traffic from
all IP addresses and only allow it for 255.255.255.255 and the IP address of
the servers we were going to use... But using a whitelist is a bit of a
PITA, so I was wondering if there was some other "cleaner" way to do it..

Thanks a lot in advance

Javier J



RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread neil.ruston
In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.

neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 
Telephone: +44 (0) 20 7521 3481 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP 
> servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP server from
> playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really found 
> anything that makes it possible to auth. a DHCP server, so that the 
> clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP
> server is
> Windows-based, you have to "auth" it on the Domain. That prevents the
> AD/infrastructure admins from shooting themselves in the foot by
> having too many/improperly configured servers.. But that won't stop a
> rogue VM from being a nuisance...
> 
> I've found this problem in one of our customers' sites. They use static
> IP addressing, but we were setting up a few of their computers with a
> different sw load and configuration, and they wanted to use DHCP to
> make config changes more dynamic. When running on an isolated network
> segment, all was fine, but once we moved "into" their network (to do a
> pilot test) we found a DHCP server serving a range outside their own,
> and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no 
> open ports whatsoever (tcp/udp), at least that I could find. Strange 
> ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load included
> an IP filtering component, so we decided to block
> UDP/67 and UDP/68 traffic from all IP addresses and only allow it for
> 255.255.255.255 and the IP address of the servers we were going to
> use... But using a whitelist is a bit of a PITA, so I was wondering if
> there was some other "cleaner" way to do it..
>
> Thanks a lot in advance
> 
>   Javier J
> 

RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Dave Wade
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing 
> "rogue" DHCP servers? (or how do you find it?)
> 
> Hi all!
> 
> Just wondering, is there a way to "prevent" a rogue DHCP
> server from playing havoc with a network?
> 
> I have been digging into "dhcp security" but I haven't really 
> found anything that makes it possible to auth. a DHCP server, 
> so that the clients don't fall for a rogue one.
> 
> From what I've seen, the approach MS follows is that IF your DHCP
> server is
> Windows-based, you have to "auth" it on the Domain. That
> prevents the AD/infrastructure admins from shooting
> themselves in the foot by having too many/improperly
> configured servers.. But that won't stop a rogue VM from
> being a nuisance...
> 
> I've found this problem in one of our customers sites. They 
> use static IP addressing, but we were setting up a few of 
> their computers with a different sw load and configuration, 
> and they wanted to use DHCP to make config changes more 
> dynamic. When running on an isolated network segment, all
> was fine, but once we moved "into" their network (to do a 
> pilot test) we found a DHCP server serving a range outside 
> their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.


> What's more, nmap'ing the server, it had a VMWARE-owned MAC 
> and no open ports whatsoever (tcp/udp), at least that I could 
> find. Strange ;)
>

Probably an XP system with the firewall on. A real pain to manage
 
> We managed to overcome the issue because the software load
> included an IP filtering component, so we decided to block 
> UDP/67 and UDP/68 traffic from all IP addresses and only 
> allow it for 255.255.255.255 and the IP address of the 
> servers we were going to use... But using a whitelist is a 
> bit of a PITA, so I was wondering if there was some other 
> "cleaner" way to do it..
> 
> Thanks a lot in advance
> 
>   Javier J
> 


RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)

2007-01-08 Thread Myrick, Todd (NIH/CC/DCRI) [E]
Best I have seen is to control physical access to your network at layer
1.

Things to include, don't activate ports until the device is provisioned.
You might try a network monitor configured to listen for unauthorized
offers from servers.  The solution you posted below is pretty slick as
well.

It all depends on how secure your client wants their network to be ...
and how usable.

Todd  

-Original Message-
From: Javier Jarava [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)

Hi all!

Just wondering, is there a way to "prevent" a rogue DHCP server from playing
havoc with a network?

I have been digging into "dhcp security" but I haven't really found anything
that makes it possible to auth. a DHCP server, so that the clients don't
fall for a rogue one.

From what I've seen, the approach MS follows is that IF your DHCP server is
Windows-based, you have to "auth" it on the Domain. That prevents the
AD/infrastructure admins from shooting themselves in the foot by having too
many/improperly configured servers.. But that won't stop a rogue VM from
being a nuisance...

I've found this problem in one of our customers' sites. They use static IP
addressing, but we were setting up a few of their computers with a different
sw load and configuration, and they wanted to use DHCP to make config
changes more dynamic. When running on an isolated network segment, all was
fine, but once we moved "into" their network (to do a pilot test) we found a
DHCP server serving a range outside their own, and really messing things up.
What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open
ports whatsoever (tcp/udp), at least that I could find. Strange ;)

We managed to overcome the issue because the software load included an IP
filtering component, so we decided to block UDP/67 and UDP/68 traffic from
all IP addresses and only allow it for 255.255.255.255 and the IP address of
the servers we were going to use... But using a whitelist is a bit of a
PITA, so I was wondering if there was some other "cleaner" way to do it..

Thanks a lot in advance

Javier J

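Todd's suggestion of a network monitor that listens for unauthorised offers, and the UDP/67 and UDP/68 allowlist Javier describes in the quoted post, can be exercised with the following Python. This is an added example, not code from anyone on the thread: it parses BOOTP/DHCP messages, keys on the Server Identifier option (54) and flags any OFFER, ACK or NAK from a server that is not on the allowlist; the packets and the authorised server address 10.0.0.2 are constructed placeholders, not from the thread.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a DHCP server sends these


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the RFC 2132 option TLVs that follow the 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        if code == 255:                      # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify(payload: bytes, authorised: Set[str]) -> Tuple[str, Optional[str], str]:
    """Return (message type, server identifier, verdict) for one DHCP payload."""
    opts = parse_options(payload)
    raw_type = opts.get(53)
    mtype = MSG_TYPES.get(raw_type[0] if raw_type else 0, "UNKNOWN")
    # Key on option 54, not the IP source: a reply forwarded by a relay/router
    # arrives from the relay's address, but the Server Identifier stays intact.
    sid = opts.get(54)
    server = ".".join(str(b) for b in sid) if sid and len(sid) == 4 else None
    if mtype not in SERVER_MSGS:
        return mtype, server, "client-message"
    if server is None:
        return mtype, None, "ALERT: server message without Server Identifier"
    if server in authorised:
        return mtype, server, "ok"
    return mtype, server, "ALERT: rogue DHCP server"


def find_rogue_offers(payloads: List[bytes], authorised: Set[str]) -> List[Tuple[str, str]]:
    """Apply the monitor check to captured payloads; return flagged (type, server) pairs."""
    results = (classify(p, authorised) for p in payloads)
    return [(t, s or "?") for t, s, v in results if v.startswith("ALERT")]


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build(msg_type: int, server_ip: Optional[str], yiaddr: str = "0.0.0.0", op: int = 2) -> bytes:
    """Construct a minimal DHCP payload for offline testing (constructed, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0x8000,   # op,htype,hlen,hops,xid,secs,flags
                         ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes("0.0.0.0"),
                         ip_bytes("0.0.0.0"), b"\xde\xad\xbe\xef\x00\x01".ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                      # DHCP Message Type
    if server_ip:
        options += bytes([54, 4]) + ip_bytes(server_ip)     # Server Identifier
    return header + DHCP_MAGIC + options + b"\xff"


if __name__ == "__main__":   # constructed sample; 10.0.0.2 is the placeholder authorised server
    sample = [build(1, None, op=1), build(2, "10.0.0.2", "10.0.0.50"),
              build(2, "192.168.66.1", "192.168.66.20"), build(5, "10.0.0.2", "10.0.0.50")]
    print(find_rogue_offers(sample, {"10.0.0.2"}))          # [('OFFER', '192.168.66.1')]
```

The same allowlist is what Javier's host filter enforces, only there the decision is made on UDP/67-68 source addresses before the client ever parses the offer.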