From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 2/4/2006 2:25 PM
To: [email protected]
Subject: Re: [ActiveDir] Getting better control over DHCP
Actually I don't think it was as there's a security issue with 802.1x wired connections.. (wireless no, wired there's an issue that Slav and Steve Riley have discussed)
Let me get a post....

Dean Wells wrote:
>
>Microsoft uses 802.1x auth. I believe ... as do many.
>
>--
>Dean Wells
>MSEtechnology
>* Email: [EMAIL PROTECTED]
>http://msetechnology.com
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Friday, February 03, 2006 8:42 PM
>To: [email protected]
>Subject: Re: [ActiveDir] Getting better control over DHCP
>
>Can't this be done with ...what is MS using? Is it IPsec and smartcard authentication?
>
>You go to Redmond, stick in a RJ45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.
>
>
>joe wrote:
>
>
>>There is nothing you can do around a DHCP server that will really help you as you point out. You simply need to plug into a port, enter any IP address or let one of the 169 addresses kick in and turn on a sniffer and you start seeing enough traffic to figure out where to come up with a random IP address at. All the DHCP server is is a helper, it doesn't give you network access, it helps you find it. This type of thing needs to be controlled either at the network level where the switches say, sorry you can't route packets anywhere but this private secured network or you need to make all proper network traffic secure with some kind of tunneling/VPN type tech. The latter is quite popular for companies with wireless, you get on the wireless network and then have to VPN into the corporate network. That way anyone who compromises the WAPs still doesn't get anything but a network and all traffic from everyone properly on the network is encrypted. At best the company may allow you to surf out to the internet, this is especially good for companies who have visitors from other companies dropping by their facilities or are in close vicinity to other companies who may pick up their WAPs.
>>
>>You really want to start looking into Network Quarantine/Network Access Protection/etc. It is not a simple whip out in an hour solution, it will take forethought and possibly upgrades of network infrastructure and your machines to do it correctly. But with it you can set specific policy on who gets to get on the real network and who doesn't, this includes things like domain membership as well as what software is installed on machines and virus definition levels or OS fix levels, etc. You write the policy that the clients have to meet or else they don't get anything but a dead network.
>>
>>I would recommend going to google, typing in network quarantine and hit enter. You will almost certainly see several hits on MS because they have been spending a lot of time and energy the last 4 or so years working on this stuff and getting all of the right hardware people together to make a good solution. They had some preliminary stuff done a couple of years ago that people were really interested in but started redesigning some of it to make it more flexible/capable. I expect most of what happens in this space will most likely fall out of Cisco and Microsoft.
>>
>>joe
>>--
>>O'Reilly Active Directory Third Edition -
>>http://www.joeware.net/win/ad3e.htm
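The policy idea joe describes at the end of the thread (domain membership, installed software, antivirus definition age and OS fix level decide whether a client lands on the real network or on a dead/remediation network) can be shown with a small evaluator. The block below is an added illustration for this archive page; it is not part of the thread, not Microsoft's Network Access Protection and not Cisco's NAC code. The `HealthStatement` and `HealthPolicy` field names, the thresholds, the host names and the dates are all constructed for the example.

```python
# Added illustration: a toy "statement of health" policy evaluator in the spirit
# of the network-quarantine approach described in the thread.  Not NAP/NAC code;
# every name, threshold and client below is constructed for the example.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class HealthStatement:
    """What the client reports about itself.  A real deployment validates this
    server-side through a health agent instead of trusting the client's word."""
    hostname: str
    domain_joined: bool
    av_definitions_date: date
    os_fix_level: int                       # constructed: higher means more patched
    installed_software: frozenset = field(default_factory=frozenset)


@dataclass
class HealthPolicy:
    """The rules the administrator writes; failing any rule means quarantine."""
    require_domain_membership: bool
    max_av_definition_age_days: int
    min_os_fix_level: int
    required_software: frozenset


def evaluate(statement: HealthStatement, policy: HealthPolicy, today: date):
    """Return (network, reasons): 'corpnet' with an empty list when every rule
    passes, otherwise 'quarantine' with one human-readable reason per failure."""
    reasons = []
    if policy.require_domain_membership and not statement.domain_joined:
        reasons.append("host is not a domain member")
    av_age = (today - statement.av_definitions_date).days
    if av_age > policy.max_av_definition_age_days:
        reasons.append(f"antivirus definitions are {av_age} days old "
                       f"(max {policy.max_av_definition_age_days})")
    if statement.os_fix_level < policy.min_os_fix_level:
        reasons.append(f"OS fix level {statement.os_fix_level} below "
                       f"required {policy.min_os_fix_level}")
    missing = policy.required_software - statement.installed_software
    if missing:
        reasons.append("missing required software: " + ", ".join(sorted(missing)))
    network = "corpnet" if not reasons else "quarantine"
    return network, reasons


# Constructed policy and clients.  TODAY is pinned to the thread's date so the
# antivirus-age arithmetic is deterministic.
POLICY = HealthPolicy(
    require_domain_membership=True,
    max_av_definition_age_days=7,
    min_os_fix_level=20,
    required_software=frozenset({"av-agent", "host-firewall"}),
)
TODAY = date(2006, 2, 4)

CLIENTS = [
    HealthStatement("ws-finance-01", True, date(2006, 2, 3), 21,
                    frozenset({"av-agent", "host-firewall"})),
    HealthStatement("visitor-laptop", False, date(2006, 1, 10), 15,
                    frozenset({"host-firewall"})),
]


def triage(clients=CLIENTS, policy=POLICY, today=TODAY):
    """Evaluate every client; returns {hostname: (network, reasons)}."""
    return {c.hostname: evaluate(c, policy, today) for c in clients}


if __name__ == "__main__":
    for host, (network, reasons) in triage().items():
        print(f"{host}: {network}")
        for reason in reasons:
            print(f"   - {reason}")
```

The point the evaluator makes is the one joe makes in prose: the decision is taken by a policy the administrator owns, not by whether the client managed to obtain an address, so a host that plugs in with a static or 169.254 address gains nothing it would not get from the quarantine network anyway.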
