Re: DHCP and rejecting at the gateway
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 03/26/04
- Next message: at: "Re: Avoid Xandros 2.0"
- Previous message: Bill Unruh: "Re: DHCP and rejecting at the gateway"
- In reply to: Duke: "DHCP and rejecting at the gateway"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 25 Mar 2004 17:49:05 -0800
"Duke" <DontSpamMedukes909@PleaseYahoo.com> wrote in message news:<1066eg7rjcr3293@corp.supernews.com>...
> Have an NT server configured as a DHCP server for our work LAN, and a Linux
> smoothie as the gateway/NAT. Lately, even with a company policy stating not
> to, people are bringing in their personal laptops (and PCs even), and
> plugging into the network, grabbing all they can off the internet like they
> won a supermarket sweep, and taking them back home. I notice from logs that
> it's particularly bad on the weekends with spikes in traffic from these
> non-company PCs.
>
> If I see it happening in the daytime, I can manually reject traffic with a
> "route add -host x.x.x.x reject". It's not pretty, but it works and then I
> wait for the phone call 10 minutes later.
>
> My question is: would it be a bad thing to just reject all traffic from all
> (internal) hosts except those listed on my DHCP server? Can I get a list of
> those addresses from NT back to the smoothie easily? Is there a better way?
>
> Thanks,
> Duke
> Take out dontspammeplease for direct replies.
Wouldn't it be better simply _not_ to hand out DHCP configurations to
these interlopers in the first place? Can't you set up the server to
require DHCP requests to include client_id or something to verify the
legitimacy of the request?
Any filtering at the fw/gw just imposes overhead on _all_ traffic --
not to mention the fun of maintaining it.
Try to understand _why_ they are doing this and see if you can come up
with a way to accommodate them at least part way. Removing the
incentive to break the rules makes everyone's life easier --
especially yours!
You might also try running arpwatch on the Linux box (man arpwatch)
to monitor and syslog/email you about any MAC->IP pairing changes --
assuming you're not handing out IPs randomly from a pool -> you
wouldn't be doing that in a "controlled" environment, would you?
Anyway, if they have unmonitored access to the LAN, you're fighting an
uphill battle. If they are willing to bring in PCs to hook up, surely
they will just "escalate" when you throttle them at the fw/gw by
noting the "legit" range of IPs and statically configuring the
interloper -- which will eventually be a (dual boot) Linux powered
box.
If the clients are Win machines you might need to look into setting up
a domain controller or some other mechanism to authenticate the
machines on the LAN. So long as "they" think there is an easy way to
get around your roadblocks, they will keep trying until someone really
"breaks" something from ignorance -- in the middle of your vacation,
of course.
my2c's
prg
email above disabled
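The thread suggests two mechanical controls: only serve DHCP to known hosts, and run arpwatch on the gateway to be told when a MAC->IP pairing changes. The script below is an added example, not code from the original poster or the reply: it reads the gateway's ARP table, compares it against the hosts the DHCP server is supposed to serve, flags MACs it has never seen and known MACs that have moved to a different IP (the "statically configured interloper" case), reports pairing changes between two runs the way arpwatch does, and builds the `route add -host x.x.x.x reject` commands Duke currently types by hand. The MAC and IP addresses, the `KNOWN_HOSTS` list and the ARP snapshot are all constructed sample data; on a real box the allowlist would be exported from the DHCP server's reservations and the snapshot read from `/proc/net/arp`.

```python
"""Arpwatch-style audit of the gateway's ARP table against known DHCP hosts.

Added example, not code from the original thread. All MAC and IP addresses
are constructed sample data.
"""
import re

# Constructed allowlist: MAC -> IP the DHCP server reserves for it.
# In practice this would be exported from the DHCP server's reservation list.
KNOWN_HOSTS = {
    "00:0c:29:3a:1b:01": "192.168.1.10",
    "00:0c:29:3a:1b:02": "192.168.1.11",
    "00:0c:29:3a:1b:03": "192.168.1.12",
}

# Constructed snapshot in the layout of /proc/net/arp on the Linux gateway.
ARP_SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:0c:29:3a:1b:01     *        eth0
192.168.1.11     0x1         0x2         00:0c:29:3a:1b:02     *        eth0
192.168.1.77     0x1         0x2         00:50:56:aa:bb:cc     *        eth0
192.168.1.200    0x1         0x2         00:0c:29:3a:1b:03     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed (ip, mac) pairs from an earlier run; kept on disk in real use.
PREVIOUS_PAIRS = [
    ("192.168.1.10", "00:0c:29:3a:1b:01"),
    ("192.168.1.11", "00:0c:29:3a:1b:02"),
    ("192.168.1.77", "00:0c:29:3a:1b:04"),
]

ARP_LINE = re.compile(
    r"^(\S+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+([0-9a-f:]{17})\s+\S+\s+(\S+)", re.I
)
ATF_COM = 0x2  # "completed" flag in the ARP table; unset means no reply yet


def parse_arp(text):
    """Return [(ip, mac), ...] from /proc/net/arp text, skipping incomplete entries."""
    pairs = []
    for line in text.splitlines()[1:]:  # first line is the column header
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, flags, mac, _dev = m.groups()
        if int(flags, 16) & ATF_COM == 0:
            continue  # 00:00:00:00:00:00 placeholder, nobody answered
        pairs.append((ip, mac.lower()))
    return pairs


def audit(pairs, known):
    """Split ARP pairs into unknown MACs, known MACs on the wrong IP, and matches."""
    report = {"unknown_mac": [], "moved": [], "ok": []}
    for ip, mac in pairs:
        expected = known.get(mac)
        if expected is None:
            report["unknown_mac"].append((ip, mac))
        elif expected != ip:
            report["moved"].append((ip, mac, expected))
        else:
            report["ok"].append((ip, mac))
    return report


def pairing_changes(previous, current):
    """arpwatch-style 'changed ethernet address': IPs whose MAC differs since last run."""
    prev = dict(previous)
    return sorted(
        (ip, prev[ip], mac) for ip, mac in current if ip in prev and prev[ip] != mac
    )


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def reject_commands(report):
    """Build the reject routes the original poster adds by hand, one per offending IP."""
    ips = {ip for ip, _ in report["unknown_mac"]} | {ip for ip, _, _ in report["moved"]}
    return ["route add -host %s reject" % ip for ip in sorted(ips, key=_ip_key)]


if __name__ == "__main__":
    current = parse_arp(ARP_SNAPSHOT)
    report = audit(current, KNOWN_HOSTS)
    for ip, mac in report["unknown_mac"]:
        print("unknown MAC %s at %s" % (mac, ip))
    for ip, mac, expected in report["moved"]:
        print("known MAC %s at %s, DHCP reserves %s" % (mac, ip, expected))
    for ip, old, new in pairing_changes(PREVIOUS_PAIRS, current):
        print("changed ethernet address for %s: %s -> %s" % (ip, old, new))
    for cmd in reject_commands(report):
        print(cmd)
```

Run it from cron on the gateway with the real `/proc/net/arp` and a saved copy of the previous pairs, and mail the output rather than applying the reject routes blindly. The check trusts the MAC address, so it is a monitoring aid rather than an access control: as the reply points out, anyone willing to plug in a laptop can also note the legitimate IP range and configure it statically, and a MAC can be set by hand just as easily, which is why the reply steers towards authenticating machines on the LAN instead.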