How easy it is depends on your routing & switching infrastructure - the equipment you have and how it's arranged.
A lot of modern switches can filter packets based on IP number, IP protocol (TCP vs UDP vs GRE vs ...), TCP/UDP port number, etc. Current Cisco L3 switches - 3560, 3750, the modular Catalyst 4500 Catalyst 6500 - can definitely do it, and I'm pretty sure some of the L2 switches can as well (I'm specifically thinking of the 2960 series here). If you had such a switch you could have it filter UDP ports 67 (DHCP server) and 53 (DNS) going to end-user machines. John Hornbuckle wrote: > The Auditor General's office has asked us how we prevent the > introduction of unauthorized DHCP/DNS servers on our network. > > Well, we kinda don't. > > How do you guys accomplish this? From the research I've done, there's > no easy way to do it. -- Phil Brutsche [email protected] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
