We evaluated this as well and there were only 2 options we found that we could do:
One was to restrict MAC addresses to the switch port. Thus any other machine plugged into that port wouldn't work. The other was to go to a DHCP by MAC environment, so only authorized MAC addresses would get IPs. While it would keep accidental abuse at bay (such as a vendor plugging into our network), since it's trivial to forge a MAC address a deliberate attack wouldn't be stopped by either option, as an attacker could unplug a system then take over its identity with his own machine, and the security improvement may not be worth the administrative headache.

-----Original Message-----
From: Davy Davidson [mailto:[EMAIL PROTECTED]
Sent: August 25, 2006 1:53 AM
To: [email protected]
Subject: IP address assignment problem

Hi,

I have a little problem and seek your thoughts. Let's assume I'm in a very open environment where everyone can very easily try to get his/her laptop on the network, IP addresses are assigned by a DHCP server, and we are in a domain environment. How do I prevent machines that are not part of our domain from being assigned an IP address?

Thanks
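The two controls discussed in the reply, modelled as an added example that is not part of the original thread: it evaluates four constructed connection events against a per-port MAC binding and a DHCP MAC allowlist, showing which cases each control stops and that neither can tell an authorized machine from another one presenting the same MAC. The port names, MAC addresses and function names are assumptions made for illustration.

```python
# Added illustration; all MACs, port names and events below are constructed.
from dataclasses import dataclass

# Control 1 (switch port restriction): each port accepts exactly one MAC.
PORT_BINDINGS = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
}
# Control 2 (DHCP by MAC): only these MACs are offered a lease.
DHCP_ALLOWLIST = set(PORT_BINDINGS.values())


def normalize(mac: str) -> str:
    """Canonicalise aa-bb-.., AABB.CCDD.EEFF and aa:bb:.. to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Event:
    label: str
    port: str
    mac: str  # source MAC as presented on the wire; the client chooses this value


def port_security_allows(ev: Event) -> bool:
    return PORT_BINDINGS.get(ev.port) == normalize(ev.mac)


def dhcp_by_mac_allows(ev: Event) -> bool:
    return normalize(ev.mac) in DHCP_ALLOWLIST


def evaluate(events):
    """Map each event label to (port control verdict, DHCP control verdict)."""
    return {ev.label: (port_security_allows(ev), dhcp_by_mac_allows(ev)) for ev in events}


EVENTS = [
    Event("authorized desktop", "Gi1/0/1", "00-11-22-33-44-01"),
    Event("vendor laptop, own MAC", "Gi1/0/2", "00:aa:bb:cc:dd:ee"),
    Event("authorized desktop moved to another port", "Gi1/0/2", "0011.2233.4401"),
    Event("other machine presenting the desktop's MAC", "Gi1/0/1", "00:11:22:33:44:01"),
]

if __name__ == "__main__":
    for label, (port_ok, dhcp_ok) in evaluate(EVENTS).items():
        print(f"{label:45} port={port_ok!s:5} dhcp={dhcp_ok}")
```

Both checks key only on the MAC the client presents, so the first and last events produce identical verdicts; the moved-desktop case shows the one place the two controls differ.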
