Re: DHCP security
- From: Juha Laiho <Juha.Laiho@xxxxxx>
- Date: Fri, 4 Aug 2006 12:03:37 +0000 (UTC)
"danielv" <dvhirt@xxxxxxxxx> said:
> I currently admin a small network of about 12 clients, all with fixed
> IP schemas. Since this network is only growing to include more and more
> clients I was thinking of using a DHCP server to handle IP
> configuration on new clients. I've already got that working. But my main
> concern is how do you stop a rogue DHCP server from getting on the
> network and giving fake information to some clients? And how about
> unauthorized clients?

As "Old guy" wrote, you could monitor your network for DHCP responses
originated by other than your official server(s).
As for unauthorized clients, using DHCP doesn't actually change the
situation; there are a few things you could do (depending on your
hardware):
- keep switch ports disabled by default
- when opening switch ports, lock them to a single MAC address
.... but especially the latter of the two tends to be more nuisance than
help. However, a written, approved, and legally binding policy would
be one of the first things to have - just to make everyone in the
company aware that there are rules, and bending/breaking the rules will
not be tolerated. Of course, policy alone isn't enough - but without
a policy any technical obstacle is just an invitation to circumvent it.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
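
The monitoring idea from the reply above, as an added example that is not part of the original post: a check that parses a captured DHCP UDP payload and flags server-type messages (OFFER/ACK/NAK) whose source or server identifier is not on an allowlist. The allowlist address, the function names and the sample packets are assumptions constructed for the demo; feeding it live payloads from a sniffer is left out.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send

def parse_options(payload):
    """Return {option_code: value} from a BOOTP/DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                          # truncated before length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                          # truncated option value
        opts[code] = value
        i += 2 + length
    return opts

def check_reply(payload, src_ip, allowed):
    """Return an alert string for a server message from outside `allowed`, else None."""
    opts = parse_options(payload)
    if opts is None or payload[0] != 2:          # op 2 = BOOTREPLY
        return None
    mtype = opts.get(53)                         # option 53 = DHCP message type
    name = SERVER_TYPES.get(mtype[0]) if mtype else None
    if name is None:
        return None
    sid = opts.get(54, b"")                      # option 54 = server identifier
    server_id = socket.inet_ntoa(sid) if len(sid) == 4 else None
    if src_ip in allowed and server_id in allowed:
        return None
    return f"unexpected DHCP {name} from {src_ip} (server-id {server_id})"

def build_sample(mtype, server_ip, op=2):
    """Constructed packet for the demo: minimal BOOTP header plus options 53 and 54."""
    head = bytes([op, 1, 6, 0]) + bytes(232)
    return head + MAGIC + bytes([53, 1, mtype, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"

if __name__ == "__main__":
    allowed = {"192.0.2.1"}                      # assumed official server (documentation range)
    for ip in ("192.0.2.1", "192.0.2.66"):
        print(ip, "->", check_reply(build_sample(2, ip), ip, allowed))
```
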