Security Forums
DHCP > Blocking MAC Addresses

webmonster
Posted: Thu Oct 20, 2005 11:31 pm    Post subject: DHCP > Blocking MAC Addresses

Here's the problem: I don't want to turn off DHCP, but I'd like to be able to block certain systems from obtaining an IP from it based upon their MAC address. Can this be done without any additional software?

Also, if I do decide to disable DHCP, will systems set up for a reservation still be able to obtain their IP?

Thanks.
ryansutton
Posted: Fri Oct 21, 2005 12:05 am    Post subject: Re: DHCP > Blocking MAC Addresses

webmonster wrote:
Here's the problem: I don't want to turn off DHCP, but I'd like to be able to block certain systems from obtaining an IP from it based upon their MAC address. Can this be done without any additional software?

That depends on what you are currently using; a router, a server, a switch?
webmonster
Posted: Fri Oct 21, 2005 12:13 am

T1 to a router, router to a switch. Hub off the switch for dirty connections. Anything else on that switch is going through a Smoothwall system and is behind the firewall; this includes the DHCP server.
AdamV
Posted: Fri Oct 21, 2005 1:44 am

Why? Do you definitely have a list of all the MAC addresses which could possibly try to get an address from you for malicious purposes (like the guy who plugs a laptop into a socket in one of your meeting rooms while waiting for an interview)?

Short answer: not really.

Rather than refuse to give them an address, you could sort of quarantine them:
One way round it, if you do think you have a reasonably definitive list, would be to create a second scope which is in a different subnet, and make sure you don't provide DNS as part of the scope options either (and make sure the other scope has these options at scope level, not server level).
Then create bogus reservations for these devices. They will then get an address but won't be able to connect to anything in your normal LAN, and the gateway you give them will also be bogus so they can't connect to your router. (NB: don't try to give them 127.0.0.1 as a gateway; that will have the effect of making it send any traffic for another subnet to the local address. This ought to mean it goes nowhere, but I have seen NICs interpret this as "send it out of the default interface and hope for the best.")
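The quarantine-scope idea above, and the original question of refusing a MAC outright, rendered as ISC dhcpd.conf text produced by a small generator. This is an added example, not code from the thread or from Smoothwall; it assumes the DHCP server is ISC dhcpd (the thread does not say what Smoothwall runs), and the subnets, gateway and MAC addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed subnets; substitute your own. The quarantine scope lives in a
# different subnet, gets no DNS option, and its gateway is an address that
# nothing answers on (not 127.0.0.1, for the reason given in the post above).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
QUAR_NET = ipaddress.ip_network("192.168.99.0/24")
QUAR_GATEWAY = ipaddress.ip_address("192.168.99.254")


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; reject junk."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def deny_block(mac):
    """Refuse the client outright: with 'deny booting' dhcpd never answers this MAC."""
    mac = normalize_mac(mac)
    return f"host deny-{mac.replace(':', '')} {{\n  hardware ethernet {mac};\n  deny booting;\n}}"


def quarantine_conf(macs):
    """Second scope as in the post: one bogus reservation per MAC, no DNS."""
    addrs = (a for a in QUAR_NET.hosts() if a != QUAR_GATEWAY)
    parts = [
        # Both scopes serve one wire, so dhcpd needs them in one shared-network
        # (the Windows DHCP equivalent is a superscope).
        "shared-network lan {",
        f"  subnet {LAN_NET.network_address} netmask {LAN_NET.netmask} {{",
        "    option routers 192.168.1.1;",
        "    option domain-name-servers 192.168.1.2;  # scope level, not server level",
        "    range 192.168.1.100 192.168.1.200;",
        "  }",
        f"  subnet {QUAR_NET.network_address} netmask {QUAR_NET.netmask} {{",
        f"    option routers {QUAR_GATEWAY};  # no DNS option on purpose",
        "  }",
        "}",
    ]
    for mac, addr in zip(sorted({normalize_mac(m) for m in macs}), addrs):
        parts.append(f"host quar-{mac.replace(':', '')} {{\n"
                     f"  hardware ethernet {mac};\n  fixed-address {addr};\n}}")
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(quarantine_conf(["00:11:22:33:44:55", "00-11-22-33-44-56"]))  # constructed MACs
```

Reservations only pin a device to the quarantine subnet while it keeps the MAC it was listed with; as the next reply notes, a MAC can be changed, so treat this as containment rather than a hard block.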
icujc
Posted: Fri Oct 21, 2005 3:21 am

This doesn't have to be done strictly with a DHCP scope. If you're using Cisco managed switches you may be able to use VLAN Management Policy Server (VMPS). I have just recently set up some Cisco 3550 switches to get their dynamic VLAN configurations from a Linux OpenVMPS server. Pretty cool little project, and I can vouch that this is pretty easy to configure. You didn't say what type of switches were on your network, so I thought I would suggest it or at least bring it up. But remember MACs can be spoofed and this is just a layer 2 security mechanism. This should not be your only defense, but it is a good start.
All times are GMT + 2 Hours