Have you considered 802.1x with certificates on the authorized machines?
XP supports it natively, and late model switches should support it.
You usually hear about it in the context of wireless, but it works in
wired networks too.  Just a thought.
Dave

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, May 16, 2005 9:59 AM
To: [email protected]
Subject: RE: [ActiveDir] Secure DHCP


I thought about that, but I think it would quickly become cumbersome to
manage. Kind of defeats most of the purpose of DHCP.

Dan

-----Original Message-----
From: Cace, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 16, 2005 10:48 AM
To: [email protected]
Subject: RE: [ActiveDir] Secure DHCP

This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PCs on your network.

-Andrew

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: [email protected]
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication
if your network hardware supports it. As Al mentioned, quarantine
networks are becoming a more realistic solution, but don't address the
basics of DHCP. Using IPSec to ensure only trusted computers can get
access to resources is a decent solution as well; the rogue PC can get
an address, but cannot connect to anything except perhaps the internet.
Not simple to set up, though...

Hmmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the
laptop gets a little hot... :-)

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: [email protected]
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning
> leases to PCs that are not authorized on the domain. I imagine that 
> this is not possible since, in order to authenticate, a PC needs an IP
> address.
> 
> The problem is that the other day we had a rogue PC plug into our
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?
> 
> _________________________
> Daniel DeStefano
> PC Support Specialist
> IAG Research
> 345 Park Avenue South, 12th Floor
> New York, NY 10010
> T. 212.871.5262
> F. 212.871.5300
> www.iagr.net <http://www.iagr.net/>
> Measuring Ad Effectiveness on Television
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
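
Added example, not part of any poster's message: the approved-adapter list that the DHCP reservations suggestion in the thread relies on can also be used to audit which adapters actually received leases. The log layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address), lease event IDs 10 and 11, the sample lines and the inventory are all assumptions constructed for this illustration.

```python
import csv
import io

# Constructed sample in the layout assumed for a Windows DHCP server audit log:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/16/05,00:00:12,Started,,,
10,05/16/05,08:01:44,Assign,10.0.0.21,WS-ACCT01.example.local,000D60AA1001
11,05/16/05,08:15:02,Renew,10.0.0.22,WS-HR02.example.local,000D60AA1002
10,05/16/05,09:12:37,Assign,10.0.0.57,LAPTOP-X,0011223344FF
12,05/16/05,09:40:00,Release,10.0.0.57,LAPTOP-X,0011223344FF
10,05/16/05,09:45:10,Assign,10.0.0.23,WS-IT03.example.local,00-0d-60-aa-10-03
"""

# Hypothetical inventory of approved adapters (the list reservations would be built from).
APPROVED_MACS = {"00:0D:60:AA:10:01", "00:0D:60:AA:10:02", "00:0D:60:AA:10:03"}

LEASE_EVENTS = {"10", "11"}  # assumed IDs: 10 = new lease, 11 = renewed lease


def normalize_mac(mac):
    """Return 12 upper-case hex digits, or None if the value is not a MAC."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits):
        return digits
    return None


def unapproved_leases(log_text, approved):
    """Return lease events whose MAC is missing from the approved inventory."""
    allowed = {normalize_mac(m) for m in approved}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # header, service events, releases, malformed lines
        mac = normalize_mac(row[6])
        if mac is None or mac not in allowed:
            findings.append({"date": row[1], "time": row[2], "ip": row[4],
                             "host": row[5], "mac": row[6]})
    return findings


if __name__ == "__main__":
    for finding in unapproved_leases(SAMPLE_LOG, APPROVED_MACS):
        print("unapproved lease:", finding)
```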