Hej hej,
Others may not agree with my opinion; however, here is what I do...

On Aug 11, 2010, at 11:48 AM, David wrote:

> Here is what  I have to work with:
> - the MACs of the company workstations/laptops/Voip phones
> - Switches are 3Com Baseline 2924-pwr Plus 
> (http://support.3com.com/infodeli/tools/switches/baseline/3Com_Baseline-Switch-2924-PWR-Plus_User-Guide.pdf)
> - IPs are assigned via dhcp (ISC dhcpd).  Some equipment gets fixed IPs, 
> but workstations and voip phones are plain dhcp.

I don't know about ISC, but using dhcp3 you can serve unknown MACs the "elvis
network".

DHCP3 idea (there are a lot of options not mentioned; geeks can get around
this):
        First, you need to know every MAC (you can then assign fixed IPs, if
you use the firewall to help*).
        Second, place "deny unknown-clients;" in the "known host" subnet.
        Third, make an "elvis network" and give it a false route and IP range.

        *Finally, if you have given all of the devices static addresses, make a
firewall rule only allowing the list of known IPs (keep the IPs close; it'll be
easier).



IIRC, it should look something like this:

# known hosts
# here we give valid IPs; only MACs listed as host entries get a lease
subnet  10.10.1.0 netmask 255.255.255.0 {
        deny unknown-clients;
        host   voip      { hardware ethernet 00:11:11:11:11:10; fixed-address 10.10.1.20; }
        host   printer   { hardware ethernet 00:11:11:11:11:11; fixed-address 10.10.1.21; }
        ...
}

# elvis  ( have the switches ignore the IP )
# here we furnish IPs that the switches will ignore or quarantine
# the subnet number must be the network address (127.0.0.0, not 127.0.0.1),
# otherwise dhcpd rejects the config with "bad subnet number/mask combination"
subnet  127.0.0.0 netmask 255.255.255.0 {
        option broadcast-address     127.0.0.255;
        option routers               127.0.0.1;
        allow unknown-clients;
        # a range is required or unknown clients get no lease at all;
        # these bounds are an assumed example, pick your own
        range 127.0.0.10 127.0.0.250;
}


Helde
Hro



> I stopped assigning static ips to the workstations and voip phones 
> because it was becoming a pain to manage at 100+.  However, I'm starting 
> to wonder if I should assign all known mac addressed to a fixed range, 
> and assign a second range by dhcp.  Then when an unknown client "plugs 
> in", they will get an IP in the dhcp range, which I should be able to 
> block at the switch.

Here I suggest LDAP.
        DHCP and LDAP still don't work out of the box that cleanly; however,
it will make your life easier in the long run :)

I use it for autofs, dhcp, email, user/web/ssh auth, etc...


Cheers!
dale



_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
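The two halves of dale's scheme are a "known hosts" list that must be typed into dhcpd.conf without mistakes, and a quarantine subnet whose leases are the signal that something unknown was plugged in. The following is an added example (not from the mail above or from ISC) showing both sides in Python: it renders the known-host stanzas from an inventory, normalising MAC spellings and refusing duplicates or addresses outside the subnet, and it scans a dhcpd.leases excerpt for active leases inside the quarantine network. The inventory, the lease text, the 10.10.1.0/24 and 127.0.0.0/24 networks and all MACs are constructed for the example.

```python
"""Build dhcpd 'known hosts' stanzas from an inventory and audit dhcpd.leases
for clients that landed in the quarantine ("elvis") network.

Added example; the inventory and lease excerpt below are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed inventory: (hostname, MAC in whatever form people typed it, fixed address).
INVENTORY = [
    ("voip",    "00:11:11:11:11:10", "10.10.1.20"),
    ("printer", "00-11-11-11-11-11", "10.10.1.21"),
    ("laptop7", "0011.1111.1112",    "10.10.1.22"),
]

# Constructed dhcpd.leases excerpt: one active quarantine lease, one known host
# on the real subnet, one expired (free) quarantine lease.
SAMPLE_LEASES = """\
lease 127.0.0.15 {
  starts 3 2010/08/11 15:48:00;
  ends 3 2010/08/11 16:48:00;
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
lease 10.10.1.20 {
  binding state active;
  hardware ethernet 00:11:11:11:11:10;
}
lease 127.0.0.16 {
  binding state free;
  hardware ethernet 00:de:ad:be:ef:02;
}
"""

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lower-case colon form, which is what 'hardware ethernet' takes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_HEX.match(digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_known_hosts(inventory, network="10.10.1.0/24"):
    """Return the 'deny unknown-clients' subnet block with one host entry per device."""
    net = ipaddress.ip_network(network)
    macs = [normalize_mac(m) for _, m, _ in inventory]
    dup = [m for m, n in Counter(macs).items() if n > 1]
    if dup:
        # Two hosts with one MAC means dhcpd will silently serve only one of them.
        raise ValueError(f"duplicate MACs in inventory: {dup}")
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{",
             "        deny unknown-clients;"]
    for (name, _, addr), mac in zip(inventory, macs):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{name}: {addr} is outside {network}")
        lines.append(f"        host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    lines.append("}")
    return "\n".join(lines)


LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"binding state\s+(\w+);")


def quarantined_clients(leases_text, quarantine="127.0.0.0/24", known=()):
    """List (ip, mac, is_known) for every active lease inside the quarantine network.

    is_known is True when the MAC is in the inventory yet still ended up in
    quarantine, which means dhcpd.conf and the inventory have drifted apart."""
    q = ipaddress.ip_network(quarantine)
    known_macs = {normalize_mac(m) for m in known}
    hits = []
    for m in LEASE_RE.finditer(leases_text):
        ip = ipaddress.ip_address(m.group(1))
        body = m.group(2)
        hw, state = HW_RE.search(body), STATE_RE.search(body)
        if ip in q and hw and state and state.group(1) == "active":
            mac = normalize_mac(hw.group(1))
            hits.append((str(ip), mac, mac in known_macs))
    return hits


if __name__ == "__main__":
    print(render_known_hosts(INVENTORY))
    for ip, mac, is_known in quarantined_clients(SAMPLE_LEASES, known=[m for _, m, _ in INVENTORY]):
        print(f"quarantined: {ip} {mac} {'(KNOWN MAC, config drift)' if is_known else ''}")
```

Run it against the real leases file (usually /var/lib/dhcp/dhcpd.leases) from cron and alert on any non-empty result; a known MAC showing up in the quarantine list is worth a separate alert, since it means the host entry is missing or mistyped in the running config.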
