RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Fugleberg, David A
Have you considered 802.1x with certificates on the authorized machines?
XP supports it natively, and late model switches should support it.
You usually hear about it in the context of wireless, but it works in
wired networks too.  Just a thought.
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, May 16, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP


I thought about that, but I think it would quickly become cumbersome to
manage. Kind of defeats most of the purpose of DHCP.

Dan

-Original Message-
From: Cace, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 16, 2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PC's on your network.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication
if your network hardware supports it. As Al mentioned, quarantine
networks are becoming a more realistic solution, but don't address the
basics of DHCP. Using IPSec to ensure only trusted computers can get
access to resources is a decent solution as well; the rogue PC can get
an address, but cannot connect to anything except perhaps the internet.
Not simple to set up, though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the
laptop gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning
> leases to PCs that are not authorized on the domain. I imagine that
> this is not possible since, in order to authenticate, a PC needs an IP
> address.
> 
> The problem is that the other day we had a rogue PC plug into our
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?
> 
> Daniel DeStefano
> PC Support Specialist
>
> IAG Research
> 345 Park Avenue South, 12th Floor
> New York, NY 10010
> T. 212.871.5262
> F. 212.871.5300
>
> www.iagr.net <http://www.iagr.net/>
> Measuring Ad Effectiveness on Television
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Dan DeStefano
I thought about that, but I think it would quickly become cumbersome to
manage. Kind of defeats most of the purpose of DHCP.

Dan

-Original Message-
From: Cace, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 16, 2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PC's on your network.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication
if your network hardware supports it. As Al mentioned, quarantine
networks are becoming a more realistic solution, but don't address the
basics of DHCP. Using IPSec to ensure only trusted computers can get
access to resources is a decent solution as well; the rogue PC can get
an address, but cannot connect to anything except perhaps the internet.
Not simple to set up, though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the
laptop gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning
> leases to PCs that are not authorized on the domain. I imagine that
> this is not possible since, in order to authenticate, a PC needs an IP
> address.
> 
> The problem is that the other day we had a rogue PC plug into our 
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?


RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Cace, Andrew
This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PC's on your network.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication if
your network hardware supports it. As Al mentioned, quarantine networks are
becoming a more realistic solution, but don't address the basics of DHCP.
Using IPSec to ensure only trusted computers can get access to resources is
a decent solution as well; the rogue PC can get an address, but cannot
connect to anything except perhaps the internet. Not simple to set up,
though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the laptop
gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning 
> leases to PCs that are not authorized on the domain. I imagine that 
> this is not possible since, in order to authenticate, a PC needs an IP 
> address.
> 
> The problem is that the other day we had a rogue PC plug into our 
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?
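
Added example, not part of the thread or written by any poster: a reservation list only helps if leases are checked against it, so this sketch audits DHCP server log lines and reports leases handed to hardware that is not on the list. It assumes the Windows DHCP audit-log CSV layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address) with event IDs 10 and 11 for new and renewed leases; the sample lines, MACs, host names and function names are constructed for illustration.

```python
import csv
import io

# Windows DHCP audit-log event IDs that mean an address was handed out.
LEASE_EVENTS = {"10": "new lease", "11": "renewal"}

# Constructed sample in the audit-log CSV layout; not taken from the thread.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/16/05,06:00:01,Started,,,
10,05/16/05,08:12:44,Assign,192.168.10.21,ACCT-PC01.example.local,000D561A2B3C
11,05/16/05,08:40:10,Renew,192.168.10.22,ACCT-PC02.example.local,000D561A2B3D
10,05/16/05,09:03:27,Assign,192.168.10.57,LAPTOP,00A0C9112233
10,05/16/05,09:05:00,Assign,192.168.10.58,,
"""

# Hypothetical reservation list, deliberately in mixed notations.
RESERVED_MACS = ["00-0D-56-1A-2B-3C", "00:0d:56:1a:2b:3d"]


def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits, or None if malformed."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return digits


def find_unauthorized_leases(log_text, reserved_macs):
    """List lease events whose client MAC is missing from the reservations."""
    allowed = {normalize_mac(m) for m in reserved_macs} - {None}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the header, service events and short or damaged rows.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        event_id, date, time, _desc, ip, host, mac = (f.strip() for f in row[:7])
        norm = normalize_mac(mac)
        if norm in allowed:
            continue
        findings.append({
            "when": f"{date} {time}",
            "event": LEASE_EVENTS[event_id],
            "ip": ip,
            "host": host or "(none)",
            # None means the MAC field was empty or unparseable: still flag it.
            "mac": norm,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_leases(SAMPLE_LOG, RESERVED_MACS):
        print(f"{f['when']}  {f['event']:9}  {f['ip']:15}  {f['host']:10}  {f['mac']}")
```

Because a client reports its own MAC address, this is a detection aid alongside port-based authentication, not a substitute for it.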



RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Ruston, Neil

MS has an offering named Quarantine Control which can be used to control
RAS clients but this (today) does not apply to non-remote clients.

The following article implies that plans are in motion to extend this
model to include non-remote clients although you'll need to wait for
Longhorn server :(

http://www.windowsitpro.com/Windows/Article/ArticleID/44129/44129.html

Cisco offers a hardware based solution
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
(not an endorsement)
 
 
neil

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
  Sent: 16 May 2005 15:00
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Secure DHCP

  I am wondering if there is any way to secure DHCP from assigning
  leases to PCs that are not authorized on the domain. I imagine that
  this is not possible since, in order to authenticate, a PC needs an IP
  address.

  The problem is that the other day we had a rogue PC plug into our
  network and, though probably coincidental, our browse list was messed
  up afterwards. So I have been tasked with finding out if there is a
  way to prevent unauthorized PCs from obtaining IP leases on our
  network (other than disabling all jacks not in use, which is what we
  will be doing). If not, does anyone have any suggestions on how to
  prevent the above situation in the future?
   


RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Charlie Kaiser
At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication
if your network hardware supports it. As Al mentioned, quarantine
networks are becoming a more realistic solution, but don't address the
basics of DHCP.
Using IPSec to ensure only trusted computers can get access to resources
is a decent solution as well; the rogue PC can get an address, but
cannot connect to anything except perhaps the internet. Not simple to
set up, though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the
laptop gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from 
> assigning leases to PCs that are not authorized on the 
> domain. I imagine that this is not possible since, in order 
> to authenticate, a PC needs an IP address.
> 
> The problem is that the other day we had a rogue PC plug into 
> our network and, though probably coincidental, our browse 
> list was messed up afterwards. So I have been tasked with 
> finding out if there is a way to prevent unauthorized PCs 
> from obtaining IP leases on our network (other than disabling 
> all jacks not in use, which is what we will be doing). If 
> not, does anyone have any suggestions on how to prevent the 
> above situation in the future?


RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Al Mulnick



One way that might work for you is to create a quarantine network
similar to what is used for VPN access.  To get connected a user has to
meet certain criteria before being allowed on the trusted network (where
a browse list could be used/modified etc).  Some criteria might be a
successful authentication (that would be a little odd though if they
were in a DMZ type network), valid certificate, etc.  This is more
commonly used for wireless users from what I've seen, but it can be a
similar process with desktops, laptops, etc.  This can also work with
switching/network equipment but it's fairly new to the scene IIRC.

I want to say that companies like Cisco, Microsoft, IBM and so on are
working on technologies to solve just that problem.  Had a nice airport
conversation with an IBM rep talking about Cisco and Tivoli integration
for similar functionality.

As for using DHCP as the authentication I've not heard of, nor can I
think of a way to do that off the top of my head.  Like you said, the IP
is required to even converse with any mechanism.

This would be a good thing to investigate, because even if you disable
the jacks not in use, that won't be as effective in preventing rogue
machines; they could just unplug a machine for example.  Won't help with
wireless either I suspect.
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, May 16, 2005 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure DHCP

I am wondering if there is any way to secure DHCP from assigning
leases to PCs that are not authorized on the domain. I imagine that
this is not possible since, in order to authenticate, a PC needs an IP
address.

The problem is that the other day we had a rogue PC plug into our
network and, though probably coincidental, our browse list was messed
up afterwards. So I have been tasked with finding out if there is a
way to prevent unauthorized PCs from obtaining IP leases on our
network (other than disabling all jacks not in use, which is what we
will be doing). If not, does anyone have any suggestions on how to
prevent the above situation in the future?
 