At the lower layers of the OSI stack, the only way I'm aware of to block computers from getting an IP address is to use port-based authentication if your network hardware supports it. As Al mentioned, quarantine networks are becoming a more realistic solution, but don't address the basics of DHCP. Using IPSec to ensure only trusted computers can get access to resources is a decent solution as well; the rogue PC can get an address, but cannot connect to anything except perhaps the internet. Not simple to set up, though...
Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC through the ethernet cables and put a high-pass filter on the legit machines. Then, if someone plugs a rogue laptop into the network, the laptop gets a little hot... :-)

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: [email protected]
> Subject: [ActiveDir] Secure DHCP
>
> I am wondering if there is any way to secure DHCP from assigning leases to PCs that are not authorized on the domain. I imagine that this is not possible since, in order to authenticate, a PC needs an IP address.
>
> The problem is that the other day we had a rogue PC plug into our network and, though probably coincidental, our browse list was messed up afterwards. So I have been tasked with finding out if there is a way to prevent unauthorized PCs from obtaining IP leases on our network (other than disabling all jacks not in use, which is what we will be doing). If not, does anyone have any suggestions on how to prevent the above situation in the future?
>
> _________________________
>
> Daniel DeStefano
> PC Support Specialist
>
> IAG Research
> 345 Park Avenue South, 12th Floor
> New York, NY 10010
> T. 212.871.5262
> F. 212.871.5300
>
> www.iagr.net <http://www.iagr.net/>
> Measuring Ad Effectiveness on Television
>
> The information contained in this communication is confidential, may be privileged and is intended for the exclusive use of the above named addressee(s). If you are not the intended recipient(s), you are expressly prohibited from copying, distributing, disseminating, or in any other way using any of the information contained within this communication. If you have received this communication in error, please contact the sender by telephone 212.871.5262 or by response via e-mail.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
