How easy it is depends on your routing & switching infrastructure - the
equipment you have and how it's arranged.

A lot of modern switches can filter packets based on IP number, IP
protocol (TCP vs UDP vs GRE vs ...), TCP/UDP port number, etc. Current
Cisco L3 switches - 3560, 3750, the modular Catalyst 4500 Catalyst 6500
- can definitely do it, and I'm pretty sure some of the L2 switches can
as well (I'm specifically thinking of the 2960 series here).

If you had such a switch you could have it filter UDP ports 67 (DHCP
server) and 53 (DNS) going to end-user machines.

John Hornbuckle wrote:
> The Auditor General's office has asked us how we prevent the 
> introduction of unauthorized DHCP/DNS servers on our network.
> 
> Well, we kinda don't.
> 
> How do you guys accomplish this? From the research I've done, there's
> no easy way to do it.

-- 

Phil Brutsche
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to