I'm still confused. Are the visitors plugging into the wired network getting IP 
addresses from the Cisco wireless router? If so, why can't FW rules between 
your DMZ and internal network stop this?

Alternatively, if there's a separate DHCP on your internal network, and your 
visitors are (potentially) getting IP addresses from that, then the DMZ+Cisco 
router is irrelevant. You'd still have this problem even if you turned that WAP 
off.

For the latter scenario, you can use MAC reservations to stop visitors getting 
an IP address from your DHCP server, but it doesn't stop them configuring a 
static IP address and thus gaining access to your network. Instead, you can 
implement security at the switch port layer (802.1x) to prevent unauthorised 
machines sending traffic beyond the switch port, or you can implement security 
at all your network resources (e.g. IPSec aka Domain Isolation) that would 
prevent unauthorised machines connecting to your servers.

Cheers
Ken

From: Evan Brastow [mailto:[email protected]]
Sent: Wednesday, 22 February 2012 3:19 AM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

Hi guys,

Thanks for all of the replies. I appreciate them.

I don't have an internal wireless network at this point. All networked machines 
within the company are wired. The wireless network for the consultants, etc... 
is in the DMZ on the firewall, so there's no interference with our network. The 
Cisco wireless router will handle DHCP for those people using the wireless 
network.

And yes, the purpose of my question was to rule out people plugging into a port 
anywhere and gaining access to the network. DHCP reservations with MAC 
filtering do seem to be the best way to go :)

Thank you all for your help!

Evan


From: Kennedy, Jim [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 1:27 PM
To: NT System Admin Issues
Subject: RE: Limiting DHCP

Yeah, don't do statics. It will haunt you sooner or later.

DHCP reservations for existing stuff, then an exclude from the scope for all 
the unused addresses. You can turn off that exclude real quick when you get new 
devices, until they get an address; then you can easily create a reservation 
for them and redo the exclude.
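
As an added example, not written by anyone in this thread, of the scheme Jim describes (reservations for known machines plus an exclusion range over every unused address) together with Ken's caveat that a visitor can still configure a static IP: the pool, MAC addresses and ARP entries below are constructed, hypothetical values.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample scope (hypothetical values): lease pool .20-.200, three reservations.
POOL = ("192.168.10.20", "192.168.10.200")
RESERVATIONS: Dict[str, str] = {
    "00:11:22:33:44:55": "192.168.10.21",
    "00:11:22:33:44:66": "192.168.10.22",
    "00:11:22:33:44:77": "192.168.10.40",
}

def _ip(s: str) -> int:
    return int(ipaddress.ip_address(s))

def _str(n: int) -> str:
    return str(ipaddress.ip_address(n))

def exclusion_ranges(pool, reservations) -> List[Tuple[str, str]]:
    """Exclusion ranges covering every pool address that has no reservation."""
    lo, hi = _ip(pool[0]), _ip(pool[1])
    reserved = sorted(_ip(ip) for ip in reservations.values() if lo <= _ip(ip) <= hi)
    ranges, start = [], lo
    for r in reserved:
        if r > start:                      # gap of unreserved addresses before r
            ranges.append((_str(start), _str(r - 1)))
        start = r + 1
    if start <= hi:                        # tail of the pool after the last reservation
        ranges.append((_str(start), _str(hi)))
    return ranges

def lease_for(mac, pool, reservations, exclusions) -> Optional[str]:
    """Address the server offers `mac`: its reservation, else the lowest free address; None = no lease."""
    if mac in reservations:
        return reservations[mac]
    taken = {_ip(ip) for ip in reservations.values()}
    for a in range(_ip(pool[0]), _ip(pool[1]) + 1):
        if a not in taken and not any(_ip(s) <= a <= _ip(e) for s, e in exclusions):
            return _str(a)
    return None

def unregistered_hosts(arp_table: Iterable[Tuple[str, str]], reservations) -> List[Tuple[str, str]]:
    """Ken's caveat: flag (ip, mac) pairs seen on the wire (e.g. a switch ARP table) with no reservation."""
    known = {(ip, mac.lower()) for mac, ip in reservations.items()}
    return [(ip, mac) for ip, mac in arp_table if (ip, mac.lower()) not in known]

if __name__ == "__main__":
    excl = exclusion_ranges(POOL, RESERVATIONS)
    print(excl, lease_for("aa:bb:cc:dd:ee:ff", POOL, RESERVATIONS, excl))
    print(unregistered_hosts([("192.168.10.150", "aa:bb:cc:dd:ee:ff")], RESERVATIONS))
```

With the exclusions in place an unknown MAC gets no lease, and removing them (Jim's "turn off that exclude") hands it the first free address; the ARP comparison is what catches the host that never asked DHCP at all.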

From: Jonathan Link [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 1:01 PM
To: NT System Admin Issues
Subject: Re: Limiting DHCP

Changing to static IPs requires you touch every machine.  Yuck.

Going with option #2, I'm assuming you mean reservations, is pretty easy to 
implement, as you have all that information available via the DHCP console. 
So, it's easy to make the change there, and workstations/users won't be any the 
wiser. However, as you add new equipment, you'll have to get the MAC address 
from that equipment and put it into the DHCP snap-in, to get an IP address. 
Also, changes you make to the DNS will be easy to implement in the future, as 
those changes are also made in the DHCP snap-in.

On Tue, Feb 21, 2012 at 12:34 PM, Evan Brastow <[email protected]> wrote:
Hi all,

I've recently set up a wireless router in the DMZ on our firewall. This will 
allow consultants, salesmen, etc... to have a connection to the Internet when 
they come in, with no connection to our network.

Now, however, in order to take the final step in this process and be sure 
someone can't just plug into a network port, it would seem I need to do one of 
two things:

1) Stop our DHCP server and give all network devices (less than 50 or so) 
static IPs.

or

2) Restrict DHCP to only listed MAC addresses.

So, my questions are - which of these two would be easier (does it really make 
much difference?) or is there a third option I don't see?

Thanks, as always :)
