Secure DHCP


philldmc
I'm running a small network of about 90 clients and a few servers, over 100 nodes. My primary server is Server 2003 SP2, running DNS and DHCP.

Our company has a policy that unless the company owns the equipment it may not be allowed to access any network resources. With that being said, I recently discovered that an employee was connecting their personal laptop to the network via a wired cable.

The employee was reprimanded for their actions. However, this made me think about how I can prevent this from happening again. With a little over 100 nodes I don't want to have to preprogram all the MAC addresses into the DHCP.

Wondering what methods you use to prevent users from plugging their personal devices into your network? I can secure the wireless but I'm referring to a wired connection. Any suggestions?
    0 Votes
    jmarkovic32

    DHCP only hands out an IP address and maybe gateway and DNS addresses for the client machine to connect to the Internet. The user still needs network credentials to access files on the server or connect to the domain.

    I've seen first hand the draconian measures that some companies come up with such as making all IP's static. That's just not scalable. Still, some people want extra security. I say always start with the obvious: Physical security. Why are people just able to walk in with their laptop and just plug it in. Secondly, there's policy. Policy can be enforced from the top down. What does management have to say about personal devices connecting to the network? The last steps you should take are technical ones. If you're on a Windows 2008 domain, there's Network Access Protection. You can use this to quarantine unauthorized computers that try to circumvent company policy.

    0 Votes
    CG IT

    You can use port security, which is what we do. Only those MAC addresses that are allowed on the port can connect; if another not on the list does, the switchport drops all packets [protect mode].

    0 Votes
    philldmc

    Thank you for your response. As mentioned, my company does have a policy. However, the employee plugged into the extra LAN port in his office. The employee has been reprimanded for their actions.

    Just wondering whether it could be set up so that once the DHCP server gets a request from a computer for the first time, it requests a password for that client to retain the IP, or maybe something at the DNS level?

    0 Votes
    oldbaritone

    I'm a fan of DHCP with reservations. It gives many of the benefits of static IP, with centralized management and control - if something changes, you change it once in DHCP and it pushes out to all the clients. But each client gets the same address consistently, which makes troubleshooting and monitoring much easier.

    I reserve a block of addresses (in my case, x.x.x.192 - x.x.x.207) that are for "unknown" devices. I monitor those addresses for (lack of) activity, and investigate when/if something "pops up" on them. With the known block of addresses, it's very simple to create some IPsec rules to block network access from those few addresses.

    One-time, it's some work to put in the IP and MAC addresses. But for only 100 clients, it's not too much; you can use "ARP -a" to retrieve the MAC addresses, and just start adding the reservations. If it takes you a few days, that's no problem; the clients won't even know the difference. When you're done, you'll be able to detect an intruder reasonably well, although there is nothing to stop an intruder on the wire from entering their own static IP. Most aren't savvy enough to do that, though, especially when they get an address from DHCP and everything looks OK.

    0 Votes
    Churdoo

    As others have stated, your answer may not lie with DHCP, and definitely not "solely" with DHCP. DHCP was not designed with nor intended for the task of deciding which devices may or may not gain leases, and I don't blame you for not wanting to manage MAC addy's of a 100-node network. Though ... nice technique OB, and he's right, OB's technique would not take too long to implement nor maintain on a 100-node network. I just want to expand on Arsynic's explanation as I think the answer was very thorough but may have been overlooked.

    Getting back to the discussion about physical access -- you stated that this employee plugged his/her personal laptop into a spare LAN jack in the department. Why is the unused jack even patched into a switch in the distro closet? This is only one of several reasons why unused jacks simply should not be patched into distribution, i.e. jacks should only be patched into distro if they are allocated to an active piece of production equipment. At the distro closet(s), remove the patch cables for all jacks that do not have active production equipment plugged into them.

    You've mentioned that this employee was reprimanded, indicating you have policy and support of management. That's step 2 as Arsynic stated. Good! With respect to IT policy, add the review of DHCP leases to IT policy -- if you have specific naming conventions for your production equipment, it's easy to spot a DHCP lease to "Johnny's IPOD" or "My Laptop" and investigate.

    Lastly, IF an employee is inclined to circumvent the above 2 levels, i.e. physical access and policy, and manages to connect his/her personal equipment, then without the managed switches that CG commented about, the rogue equipment will gain a DHCP lease. If you have a Windows AD, internal resources are generally protected by domain authentication, and proper audit settings and review of security logs (and DHCP leases stated above) can flag a breach to internal resources. External resources, i.e. internet access, etc. may be protected by a decent edge device. A properly configured internet gateway or threat management gateway (TMG) will deny access of an unauthorized device on the network. Given the protection and blocking of access to internal and external resources, the fact that a rogue piece of equipment may gain a DHCP lease becomes a non-issue.
    --C
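    The lease review that oldbaritone and Churdoo describe (watching the reserved "unknown" block for activity, and spotting leases whose hostname does not follow the production naming convention) can be scripted. The following is an added example, not code from any poster; the CSV-style lease export, the `ACME-` naming convention and the 192.168.10.0/24 addressing are constructed assumptions, and a real DHCP server's export will have different columns.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of a DHCP lease export (assumed format, not from the thread).
# Columns: IP address, MAC address, client hostname, lease state.
SAMPLE_LEASES = """\
192.168.10.21,00-1A-2B-3C-4D-01,ACME-WS-021,active
192.168.10.22,00-1A-2B-3C-4D-02,ACME-WS-022,active
192.168.10.50,00-1A-2B-3C-4D-50,ACME-SRV-FILE01,active
192.168.10.193,F0-99-B6-12-34-56,Johnnys-iPod,active
192.168.10.194,3C-5A-B4-AA-BB-CC,My-Laptop,active
192.168.10.30,00-1A-2B-3C-4D-30,johns-macbook,active
192.168.10.31,00-1A-2B-3C-4D-31,Old-Printer,expired
"""

# Assumed naming convention: site prefix, device class, alphanumeric suffix.
HOSTNAME_RE = re.compile(r"^ACME-(WS|SRV|PRN)-[A-Z0-9]+$")
# Assumed "unknown device" pool, mirroring the x.x.x.192 - x.x.x.207 block above.
UNKNOWN_POOL = ipaddress.ip_network("192.168.10.192/28")

Lease = namedtuple("Lease", "ip mac hostname state")


def parse_leases(text):
    """Parse the constructed export into Lease records, skipping blank lines."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host, state = (f.strip() for f in line.split(","))
        leases.append(Lease(ipaddress.ip_address(ip), mac.upper(), host, state))
    return leases


def review_leases(leases):
    """Return (ip, hostname, reason) for active leases that deserve a look."""
    findings = []
    for l in leases:
        if l.state != "active":
            continue  # expired leases are noise for this review
        if l.ip in UNKNOWN_POOL:
            findings.append((str(l.ip), l.hostname, "address in unknown-device pool"))
        elif not HOSTNAME_RE.match(l.hostname):
            findings.append((str(l.ip), l.hostname, "hostname outside naming convention"))
    return findings


if __name__ == "__main__":
    for ip, host, reason in review_leases(parse_leases(SAMPLE_LEASES)):
        print(f"{ip:16} {host:20} {reason}")
```

Run it against a scheduled export of the lease table and the two checks together cover both an unknown MAC landing in the reserved pool and a device that got a normal address but was never named by IT.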

    0 Votes

    PKI

    pantamk

    You can configure a CA (Certification Authority). With this component you can issue certificates to users, computers and services. Then only users and computers with certificates can access your network resources. You can read about PKI infrastructure at http://technet.microsoft.com/en-us/library/cc787594(WS.10).aspx
    Hope you will resolve the problem.
