General discussion

DHCP & MAC Address security

By public

Hey guys, anyone know of a way to use DHCP but not allow it to distribute IP addresses to unknown MACs?

What I'd like to do is register EVERYONE's MAC addresses on my network and reserve those MACs to permanent IP addresses on the DHCP server.

However, anyone not allowed on the network (home user brings in a laptop, vendor, etc.) will NOT receive an IP.

The only way I can figure on how to do this is to tell the DHCP server to serve (let's just say we have 100 users) IP addresses from 192.168.1.10 to 192.168.1.110. Each of those IP addresses (.10 to .110) is reserved to a specific MAC address. When new users are added, I will just expand the reservations from 110 to 111, 112, 113, etc. That way the DHCP server will NEVER hand out an IP address without matching a MAC on its reservation list.

I was also thinking of adding a "bullshit" scope. If someone does come in and just plugs in an unauthorized laptop or PC, I can have the DHCP server hand out a bullshit IP address and bad DNS, WINS, and gateway information. Then I'll be able to check the logs to see if that scope of addresses was ever handed out to anyone and what their MACs are.

I'm just tossing some ideas for increased security around a bit.

This way you don't have to mess with static IP addresses on the clients. You only have to mess with them once on a centralized DHCP server.

-public@lipan.org

4 total posts (Page 1 of 1)  
All Comments

One solution

by timwalsh In reply to DHCP & MAC Address securi ...

You actually hit upon the only solution available that meets your needs.

Create a DHCP scope with ONLY enough IP addresses to service your valid clients. Next, create a DHCP reservation for each of your clients. A reservation can only be created by using the client's MAC address. As you've already surmised, this will prevent any "rogue" computers from receiving. The downside is that this could become very time-intensive for you if you have any rapid growth. It also doesn't allow any leeway for valid "visitors" seeking IP addresses.

You would probably be wasting your time creating the "bs" scope. Although this would tell you (or allow you to discover) 2 things (if in fact there are rogue computers "stealing" IP addresses from you; what the MAC addresses of these computers are (through searching the ARP cache on the DHCP server)), what you could do with this info is really academic. You can't trace a computer by its MAC address (plus it is possible to spoof MAC addresses on some devices). You can't tell where (or how) these rogue computers are accessing your network.
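
An added example, not written by anyone in this thread: a sketch of the log check described in the original post, flagging leases handed out from the decoy scope and leases that do not match a reservation. The log layout, the decoy range and every MAC and IP value are constructed assumptions, not the output format of any particular DHCP server.

```python
import ipaddress
import re

# Constructed sample data. The CSV layout (time,event,ip,mac) is an assumption,
# not any real DHCP server's log format; adapt the parsing to your server.
RESERVATIONS = {  # registered MAC -> reserved IP
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}
DECOY_SCOPE = ipaddress.ip_network("192.168.99.0/24")  # hypothetical decoy range
SAMPLE_LOG = """\
2024-01-05T09:00:01,ASSIGN,192.168.1.10,00-11-22-33-44-55
2024-01-05T09:02:17,ASSIGN,192.168.99.20,DE:AD:BE:EF:00:01
2024-01-05T09:05:40,ASSIGN,192.168.1.11,0011.2233.4466
2024-01-05T09:07:03,ASSIGN,192.168.1.10,00:11:22:33:44:66
2024-01-05T09:09:12,ASSIGN,192.168.99.21,not-a-mac
"""

def normalize_mac(raw):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def audit(log_text):
    """Return (time, finding, ip, mac) tuples for leases that need review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, ip_s, mac_raw = (f.strip() for f in line.split(","))
        if event != "ASSIGN":
            continue
        mac = normalize_mac(mac_raw)
        if mac is None:
            findings.append((ts, "malformed-mac", ip_s, mac_raw))
        elif ipaddress.ip_address(ip_s) in DECOY_SCOPE:
            findings.append((ts, "decoy-lease", ip_s, mac))
        elif mac not in RESERVATIONS:
            findings.append((ts, "unregistered-mac", ip_s, mac))
        elif RESERVATIONS[mac] != ip_s:
            findings.append((ts, "reservation-mismatch", ip_s, mac))
    return findings

if __name__ == "__main__":
    # MACs can be spoofed, so an empty report is not proof that no one connected.
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
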

Layered Security

by Oldefar In reply to DHCP & MAC Address securi ...

Tim covered the technical aspects in his posting.

You indicate that this is a security measure. I don't know your situation, but unless you are dealing with a very public environment with a need for very tight security, this plan seems like overkill. Are your applications secure? Are you using a secure password approach with a secure card?

The linkage of DHCP to a unique set of MAC addresses not only limits unauthorized equipment from being connected. It adds an additional administrative layer to relocations, to new authorized devices, and to PC maintenance. These all have a time cost associated - both technical staff time and user productivity time.

I would spend my initial security efforts on the applications and domains, and on user rights, before taking the approach you are considering.

Thank you both for your replies.

by public In reply to Layered Security

You both gave me some ideas. Thanks.

-public@lipan.org

What is the purpose?

by blowthrunewbie In reply to DHCP & MAC Address securi ...

If you are assigning IP addresses to MAC addresses, why don't you get rid of DHCP and simply use static IP addressing?
