DHCP query
Hi
Scenario - DHCP leases IP to unknown machine on network, this said machine then infects all other PCs on network.
How is this avoided on your network, or how would you go about avoiding it if this happened on your network?
Lee H
Comments
dynamik (Banned, Posts: 12,312):

undomiel (Member, Posts: 2,818):
It isn't DHCP's fault that a machine it leased an address to is doing unscrupulous things on your network. It isn't DHCP's job to police that. You'd basically have to reserve each address in DHCP to use DHCP to prevent that rogue computer. Which then makes DHCP pointless. Might as well use static IPs.
So how do you prevent this? Good virus protection for one. Setting up a NIDS/NIPS with good sensor placement would also work with this. Making sure you have good physical security so that unknown machines don't hook up to your network. Making sure you don't have hot ports available is something else. Just provision them on an as-needed basis. No one of these is perfect for avoiding the scenario you describe, but a combination can make a very powerful force against rogue machines.
-- Jumping on the IT blogging band wagon -- http://www.jefferyland.com/

darkerosxx (Banned, Posts: 1,343):
If you're using all Microsoft clients, use Network Access Protection, set up a quarantine network, and require all DHCP clients to be quarantined if they don't meet antivirus and update restrictions.
OR
Since you mentioned an "unknown machine", set up login security so no one can get an address on the network without logging in.

tiersten (Member, Posts: 4,505):
As dynamik said, port security. It won't even be able to connect to the network.

sprkymrk (Member, Posts: 4,884):
undomiel wrote:
> Which then makes DHCP pointless. Might as well use static IPs.
For the first time in many months I will disagree with you, undomiel. But only with your last 2 sentences of this paragraph.
Using reservations is all done from a single point - the comfort of your workstation or server, as opposed to being out on the floor wherever the client PCs exist. Also, with hard coding IPs you also need to hard code all the other IP information such as DNS, Gateway, WINS, etc. With reservations in DHCP you create the scope once, then all you need to do is input a MAC address. Need to change or add a DNS server? Don't go to every PC like you would have to if you hard code everything, just modify the scope once and you're done.
Everything else in your first paragraph and everything in your second are 100% spot on.
-- All things are possible, only believe.

wagnerbm (Member, Posts: 38):
I would have to agree with tiersten. We use port security and it is great. You would be amazed at what people try to plug into the network.

tiersten (Member, Posts: 4,505):
wagnerbm wrote:
> I would have to agree with tiersten. We use port security and it is great. You would be amazed at what people try to plug into the network.

astorrs (Member, Posts: 3,139):
Yup, then you get to deal with 802.1x just to keep those "smart" users at bay...

dynamik (Banned, Posts: 12,312):
They'd have to spoof the MAC address on the AP in order to circumvent port security.

darkerosxx (Banned, Posts: 1,343):
darkerosxx wrote:
> If you're using all Microsoft clients, use Network Access Protection, set up a quarantine network, and require all DHCP clients to be quarantined if they don't meet antivirus and update restrictions.
> OR
> Since you mentioned an "unknown machine", set up login security so no one can get an address on the network without logging in.
Forgot NAP was extended to Mac and Linux clients. Your question is answered, sir! lol, but seriously, that's one of a ton of ways you could do it and that's the way I would if I had the money/time/hardware.

undomiel (Member, Posts: 2,818):
sprkymrk wrote:
> For the first time in many months I will disagree with you, undomiel. But only with your last 2 sentences of this paragraph.
I bow to sprkymrk's wisdom.
Shows that I still have a ways to go to make this MCSE more than just paper!
-- Jumping on the IT blogging band wagon -- http://www.jefferyland.com/

royal (Member, Posts: 3,352):
Reminds me of an environment I worked in. 4 sites all on the same subnet, all using static IPs and all 500 machines in workgroup mode.
-- "For success, attitude is equally as important as ability." - Harry F. Banks

royal (Member, Posts: 3,352):
tiersten wrote:
> royal wrote:
> > Reminds me of an environment I worked in. 4 sites all on the same subnet, all using static IPs and all 500 machines in workgroup mode.
Nope, they wanted Exchange/AD deployed in parallel with their existing environment for some odd reason. All I did was plan the parallel environment for 1 week and then one of the other engineers went out and did it.
-- "For success, attitude is equally as important as ability." - Harry F. Banks

tiersten (Member, Posts: 4,505):
royal wrote:
> tiersten wrote:
> > royal wrote:
> > > Reminds me of an environment I worked in. 4 sites all on the same subnet, all using static IPs and all 500 machines in workgroup mode.
> Nope, they wanted Exchange/AD deployed in parallel with their existing environment for some odd reason. All I did was plan the parallel environment for 1 week and then one of the other engineers went out and did it.
I've never seen anybody get up to 500 machines in workgroups before. Waiting for Windows to enumerate that lot must take forever.

bighornsheep (Member, Posts: 1,506):
sprkymrk wrote:
> Using reservations is all done from a single point - the comfort of your workstation or server, as opposed to being out on the floor wherever the client PCs exist. Also, with hard coding IPs you also need to hard code all the other IP information such as DNS, Gateway, WINS, etc.
Agree! In fact, it's hard to think of a good reason why you would want static IPs on workstations.
To the OP, with proper DHCP configuration, there is also DHCP snooping, which you can configure on your switches. The concept is basically the switch keeping track of authorized DHCP servers and legitimate machines obtaining IP addresses, then recording their locations, and blocking both unauthorized DHCP servers and MAC spoofing.
-- Jack of all trades, master of none
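
Added illustration (not from any post in this thread, and not any switch vendor's code): a small vendor-neutral Python model of the three access-layer controls the thread names, port security as tiersten and wagnerbm use it, and DHCP snooping with ARP inspection as described in the post above. It feeds constructed frames from one legitimate client and one rogue host through the switch and returns the forward/drop verdicts and the binding table it built. Port names, MAC addresses and IP addresses are made up for the example.

```python
"""Vendor-neutral model of access-switch controls: port security (MAC limit
per port), DHCP snooping (server messages only from trusted ports, binding
table built from ACKs) and ARP inspection against that table.
Constructed illustration; no real switch implements it this way."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server originates


@dataclass
class Port:
    name: str
    trusted: bool = False       # trusted = uplink towards the real DHCP server
    max_macs: int = 1           # port-security limit for access ports
    macs: set = field(default_factory=set)
    shutdown: bool = False      # err-disabled after a violation


@dataclass
class Switch:
    ports: dict                                    # name -> Port
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, port name)
    log: list = field(default_factory=list)

    def _drop(self, why):
        self.log.append(why)
        return "DROP"

    def _port_security(self, port, mac):
        """Learn the source MAC; shut the port if it exceeds its MAC limit."""
        if port.shutdown:
            return False
        if mac not in port.macs and len(port.macs) >= port.max_macs:
            port.shutdown = True
            self.log.append(f"{port.name}: port-security violation by {mac}, port err-disabled")
            return False
        port.macs.add(mac)
        return True

    def _dhcp(self, port, src_mac, msg, chaddr, yiaddr=None):
        if msg in SERVER_MSGS:
            if not port.trusted:
                return self._drop(f"{port.name}: DHCP {msg} from untrusted port ({src_mac}) dropped")
            if msg == "ACK":
                # Lease granted: remember which MAC holds which IP behind which port
                client_port = next((p.name for p in self.ports.values() if chaddr in p.macs), None)
                if client_port is None:
                    return self._drop(f"{port.name}: DHCP ACK for unseen client {chaddr} dropped")
                self.bindings[chaddr] = (yiaddr, client_port)
            return "FORWARD"
        # Client message: hardware address inside DHCP must match the frame's source MAC
        if chaddr != src_mac:
            return self._drop(f"{port.name}: DHCP {msg} chaddr {chaddr} != src {src_mac}, dropped")
        return "FORWARD"

    def _arp(self, port, src_mac, sender_ip):
        """ARP inspection: an untrusted port may only claim the IP it was leased."""
        if port.trusted:
            return "FORWARD"
        if self.bindings.get(src_mac) != (sender_ip, port.name):
            return self._drop(f"{port.name}: ARP {sender_ip} from {src_mac} has no matching binding, dropped")
        return "FORWARD"

    def frame(self, port_name, src_mac, kind, **fields):
        port = self.ports[port_name]
        if not self._port_security(port, src_mac):
            return "DROP"
        if kind == "DHCP":
            return self._dhcp(port, src_mac, **fields)
        if kind == "ARP":
            return self._arp(port, src_mac, fields["sender_ip"])
        return "FORWARD"


def demo():
    """Constructed traffic: one legitimate lease, one rogue host. Returns verdicts and state."""
    sw = Switch(ports={
        "Gi0/1": Port("Gi0/1", trusted=True, max_macs=1000),  # uplink to the DHCP server
        "Gi0/2": Port("Gi0/2"),                                # user port, one MAC allowed
        "Gi0/3": Port("Gi0/3"),
    })
    server, alice = "00:00:00:00:00:01", "aa:aa:aa:aa:aa:aa"
    rogue, rogue2 = "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    verdicts = [
        sw.frame("Gi0/2", alice, "DHCP", msg="DISCOVER", chaddr=alice),
        sw.frame("Gi0/1", server, "DHCP", msg="ACK", chaddr=alice, yiaddr="10.0.0.20"),
        sw.frame("Gi0/2", alice, "ARP", sender_ip="10.0.0.20"),   # matches its lease
        sw.frame("Gi0/3", rogue, "DHCP", msg="OFFER", chaddr=alice, yiaddr="10.0.0.99"),  # rogue server
        sw.frame("Gi0/3", rogue, "ARP", sender_ip="10.0.0.20"),    # claims alice's IP
        sw.frame("Gi0/3", rogue2, "ARP", sender_ip="10.0.0.30"),   # second MAC on a one-MAC port
        sw.frame("Gi0/3", rogue, "ARP", sender_ip="10.0.0.21"),    # port is now err-disabled
    ]
    return verdicts, dict(sw.bindings), list(sw.log), sw.ports["Gi0/3"].shutdown


if __name__ == "__main__":
    verdicts, bindings, log, down = demo()
    print(verdicts, bindings, down)
    print("\n".join(log))
```

Two caveats that follow from the thread: a host with a statically assigned IP never appears in the binding table, so it fails the ARP check unless the switch is given an explicit exception for it (another reason to prefer reservations over static addresses, as sprkymrk argued); and port security on its own stops only unknown MACs, so a spoofed MAC gets past it, as dynamik notes, which is why the snooping-derived bindings and 802.1X complement it rather than replace it.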