Fair enough. We're a school with all kinds of little hoodlums running around :)

I still think something like domain isolation and optionally 802.1x is a more 
scalable solution, though MAC filtering could be pretty automated too.

From: Michael B. Smith [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 2:01 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

My understanding is that this is for "inside the office". Once a bad guy has 
physical access, it's all over anyway. This is to prevent "consultants, 
salesmen, etc." from just being able to plug into an arbitrary wall jack.

I would consider the risk acceptable for most office environments.

From: Crawford, Scott [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 2:11 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

How effective do you find this to be given the relative simplicity of spoofing 
a MAC? I understand most users won't know how, but most bad guys will and 
they're the ones to be worried about.

From: Michael B. Smith [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 12:27 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

Oh.  I would probably do it with MAC address filtering.

From: Kennedy, Jim [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 1:15 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

I think they are saying...since guests now have wireless access I want to 
completely stop them from plugging into our regular network with a patch cable.

From: Michael B. Smith [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 12:55 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

Isn't the DMZ a separate network segment? It should be....

From: Evan Brastow [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 12:35 PM
To: NT System Admin Issues
Subject: Limiting DHCP

Hi all,

I've recently set up a wireless router in the DMZ on our firewall. This will 
allow consultants, salesmen, etc... to have a connection to the Internet when 
they come in, with no connection to our network.

Now, however, in order to take the final step in this process and be sure 
someone can't just plug into a network port, it would seem I need to do one of 
two things:

1) Stop our DHCP server and give all network devices (less than 50 or so) 
static IPs.

or

2) Restrict DHCP to only listed MAC addresses.

So, my questions are - which of these two would be easier (does it really make 
much difference?) or is there a third option I don't see?

Thanks, as always :)

Evan

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
