Give DHCP a chance.
April 6, 2006 7:57 AM

I would like to set up DHCP on our factory wide LAN. But I have some serious reservations. I need it to be secure, and I need to have control of who can get a DHCP license.

What is the best way on a Windows Server 2000 (soon to be 2003) to set up a controlled DHCP environment?
We are both wired and wireless, so just saying WEP encryption isn't a solution, as I would want our wired network to be AS secure as the wireless.
Is there an easy way to manage DHCP "licenses" on a per MAC address basis?
To me, if this is possible it would be the best solution. It would be a lot of work at first adding all the MACs of the equipment we have, but once done the maintenance should be minimal.
Also, is it easy to mix static and dynamic IP management? We have some equipment that would benefit from static IPs (which is our entire system now) like printers, and scanners and such, but then I would like all the desktops and laptops to be DHCP. We will also be going to a full Cisco IP phone system soon as well, so the DHCP issue is kind of hot right now. I want to do it, but still maintain control.
So any advice you guys have, software suggestions, and solutions are greatly appreciated.
posted by Jonsnews to Computers & Internet (13 answers total)
 
First, I think you mean "lease" where you have written "license".

That aside, you have to realize that it is trivially easy to change the MAC address of almost any ethernet adapter on the planet. All it takes is one command and a few seconds. So depending on MAC addresses for security is not a good idea. If I am Mr. Bad Guy and I want to get on your network all I have to do is sniff some traffic and look for an allowed MAC address, and then change mine to that. So if security is your goal I think you need to abandon this entire line of reasoning.
posted by Rhomboid at 8:12 AM on April 6, 2006


What Rhomboid said. Also, anyone would be able to just set a static IP on your network and be able to use it without DHCP anyway.
posted by zsazsa at 8:22 AM on April 6, 2006


If you need your wired network to be secure, then you have to control physical access to the network. That's your first and best line of defense. MAC filtering won't keep out anyone who wants to get in badly enough, since as Rhomboid said it's trivial to get hold of an allowed MAC and clone it.

If you don't have physical control over access to the network then nothing you can do on the network itself will make it secure, period. On the wireless side WEP isn't secure either. It was broken a long time ago and is only marginally better than no encryption at all - as in, it will keep out disinterested people but it's not an obstacle to anyone who wants to get in. So, if you're using WEP and not at least WPA, your wireless network isn't secure either.

Static and dynamic IP mix is simple enough, even the cheapest of home routers usually handle it. I have a WRT54G at home now and it can do full static, static DHCP, and full DHCP.

So, to secure your network, first you must secure physical access to the network. Once the bad guy can plug into it, your security is broken.
posted by Dipsomaniac at 8:24 AM on April 6, 2006


if I am a bad guy on your network and I can't get a DHCP lease, I can go in and sniff about and find out what IP range your machines are using and just grab an address anyway. DHCP on its own makes a very poor form of access control. maybe you should look into something like IPsec (wikipedia link - WS2k3 supports it). (actually, I'd probably recommend getting a good book on network security anyway - there's a lot going on there. how much do you know about the topic? I'm kinda curious, as you mentioned WEP but not, say, WPA, which is a good bit more secure.)

to answer your question, the DHCP MMC snap-in that you get when you install DHCP on a Windows server will allow you to do everything you want. it is easy to have both static IPs and dynamic IPs on the same network - just segregate them into separate portions of your IP address space (say, everything from 192.168.1.150 on up is DHCP and everything lower isn't). you can only answer to MAC addresses you know and you might be able to restrict access by GUID, but see what I wrote above about just hard coding an IP address.
posted by mrg at 8:26 AM on April 6, 2006
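The static/dynamic split mrg describes is easy to get wrong by hand (a printer left inside the dynamic pool, one address reserved twice), so here is an added example, not code from the thread or from Microsoft, that validates a proposed plan before it is typed into the DHCP console. The netsh lines it emits follow the Windows Server 2003 `netsh dhcp server` context (`add scope`, `add iprange`, `add reservedip`); the subnet, MAC addresses and device names are constructed sample data.

```python
"""Plan a Windows DHCP scope that keeps static and dynamic addresses apart.

Added example, not from the thread: statics live below the pool, DHCP hands
out the pool, and known machines get a reservation for a fixed address.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample data (not from the thread).
SAMPLE_STATICS = {"192.168.1.10": "print-floor1", "192.168.1.11": "scanner-dock"}
SAMPLE_RESERVATIONS = {"00:11:22:33:44:55": ("192.168.1.160", "laptop-qa")}


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def plan_scope(network, mask, pool_start, pool_end, statics, reservations):
    """Validate the static/dynamic split and return netsh commands that build it.

    network/mask        -- scope address and subnet mask, e.g. "192.168.1.0", "255.255.255.0"
    pool_start/pool_end -- inclusive dynamic range the server hands out
    statics             -- {ip: name} for gear configured by hand (printers, scanners)
    reservations        -- {mac: (ip, name)} for DHCP clients that must keep one address
    Raises ValueError on any overlap so the mistake is caught before deployment.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start not in net or end not in net or start > end:
        raise ValueError("dynamic pool must lie inside the scope's subnet")

    used = {}  # address -> name, to catch the same address claimed twice
    for ip, name in statics.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"static {name} ({ip}) is outside {net}")
        if start <= addr <= end:
            raise ValueError(f"static {name} ({ip}) sits inside the dynamic pool")
        used[addr] = name

    seen_macs = {}
    for mac, (ip, name) in reservations.items():
        digits = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if digits in seen_macs:
            raise ValueError(f"MAC {mac} reserved twice ({seen_macs[digits]}, {name})")
        if addr not in net:
            raise ValueError(f"reservation {name} ({ip}) is outside {net}")
        if addr in used:
            raise ValueError(f"{ip} is already used by {used[addr]}")
        seen_macs[digits] = name
        used[addr] = name

    # Windows Server 2003 "netsh dhcp server" syntax; scope name is a constructed label.
    scope = f"netsh dhcp server scope {net.network_address}"
    cmds = [
        f'netsh dhcp server add scope {net.network_address} {net.netmask} "Factory LAN"',
        f"{scope} add iprange {start} {end}",
    ]
    for mac, (ip, name) in reservations.items():
        cmds.append(f'{scope} add reservedip {ip} {normalize_mac(mac)} "{name}" "reserved"')
    return cmds


def plan_problem(*args, **kwargs):
    """Return the ValueError message for a bad plan, or None when the plan is clean."""
    try:
        plan_scope(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for line in plan_scope("192.168.1.0", "255.255.255.0", "192.168.1.150",
                           "192.168.1.254", SAMPLE_STATICS, SAMPLE_RESERVATIONS):
        print(line)
```

Two things the script does not do, because they are one-off steps rather than part of the plan: a new scope still has to be activated (`netsh dhcp server scope 192.168.1.0 set state 1`), and on Windows 2000/2003 the DHCP server must be authorized in Active Directory before it answers clients at all. Note also that a reservation only pins an address to a MAC the server already trusts; as the answers above point out, it does not stop anyone from configuring a static address by hand.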


How is controlling who can get a IP lease from DHCP adding to your security? Once an intruder is on your network, they can sniff the traffic and make themselves look like any MAC and IP address anyway (like what Rhomboid said).

What exactly are your reservations? Do you not want employees to bring in unapproved equipment and be able to plug it in and have it work on your network?

I've found it helps to separate the IP space out between the static IPs and the dynamic IPs. For example, all of the equipment with static IPs is on the subnet 192.168.1.x and all of the dynamic IPs are assigned from 192.168.2.x with the appropriate netmask settings so they can talk to each other. The VoIP equipment could be on 192.168.3.x.
posted by gus at 8:26 AM on April 6, 2006


The only way to really secure your wired network is to physically lock your RJ45 ports with some kind of hasp to keep open ports from being used or something like this (PDF) to keep plugged in cables from being unplugged.
posted by zsazsa at 9:06 AM on April 6, 2006


Response by poster: Perhaps I over stressed my security concerns a bit too much. Right now our network is not secure, like you said anyone can plug in and use any IP we are currently using and bump stuff off the network and hack away. But it keeps the creeps with no ski11z from doing bad things.

Mainly what I want to prevent is joe blow with no computer knowledge from bringing in their device and hopping on. I know Mr. Evil Hacker is going to get through that. But I don't want anyone with a laptop snagging a free ride.

We are in a small town and outside of town to boot, so my fear of roaming hackers isn't set to high alert (I know it's not the best attitude, but..)

Basically it needs to be enabled, I just want to make sure I have at least some measure of control over it.

As soon as I finish my giant book of "MS Access inside and out" I am definitely cracking open a tome or two on network security. One hurdle at a time though.
Any suggestions on the network security books?

Oh, and yes, I meant lease and not license. sorry.
posted by Jonsnews at 9:21 AM on April 6, 2006


When you say 'free ride', what do you mean? Getting an IP address on its own doesn't give them access to any of your network resources. It sounds like you want to stop people from plugging in and surfing the web. If that's the case, you want to secure your firewall, not your ip addresses.
posted by empath at 10:04 AM on April 6, 2006


imho, doing this through DHCP would be a bigger pain than it'd be worth. a good number of places use netreg to deal with access - you set it up and DHCP gives everyone it doesn't know an IP address on a separate, restricted network, and then you have to register (using your username and such - in this case, probably your AD account) to have real access. I'm not sure how well it works with a Microsoft-based network, though. it's open source so there may be a version that'll work with MS's DHCP server. you can do it manually too but something like netreg would provide a bit of automation, or at least move some of the burden on maintaining the DHCP databases off of you, depending on how savvy your users are.

you said it was a factory environment - the general public isn't allowed to come in really, right? you may want to look into setting up WPA (not WEP) on your wireless network, as that'll help keep people from just parking in the parking lot and picking up signal from there. depending on how many physical network jacks you have deployed, your wired network probably won't be the most of your concern. that combined with netreg or manually managing DHCP would be a decent enough first step, I think. I would additionally tighten up security on whatever servers you have too (disable unused/old accounts, make sure file shares have correct share and file system permissions, etc.), which is a good idea in general anyway.
posted by mrg at 11:49 AM on April 6, 2006


You can look into using 802.1x to provide authentication for your wired and wireless networks. This does what you want, but it may lean farther towards the security side of security vs. usability than you would like.
posted by joelr at 12:23 PM on April 6, 2006


Response by poster: well, the way we are set up, the people who have computers in the factory we want to have web access. How would I get my firewall to stop any newcomers from having web access, while still giving it to the ones I want (which will be having random IP basically from DHCP)?
posted by Jonsnews at 12:28 PM on April 6, 2006


Physical security - make sure no-one can tailgate an employee through the doors for instance.

Regulations - have written regulations about net usage, personal hardware, modems, software installation etc. And enforce them.

Beware rogue access points, perform periodic wireless audits.

Maintain a list of valid MAC addresses and sniff ARP traffic (assuming the network isn't switched).

Filter all web traffic using a proxy (address issued by DHCP of course) such as Squid
posted by hardcode at 12:40 PM on April 6, 2006
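hardcode's suggestion of keeping a list of valid MAC addresses and watching ARP traffic is the one piece of MAC-based control that still earns its keep once you accept that the list cannot keep anyone out: it tells you when something unexpected shows up. The added example below is not code from the thread; it takes (time, IP, MAC) observations that have already been collected (the constructed lines mimic an `arp -a` dump or a sniffer export) and reports the three things the earlier answers say to look for: a MAC that is not on the list, one IP answering from two MACs, and one MAC moving between IPs. The allowlist and the observations are constructed sample data.

```python
"""Audit observed (IP, MAC) pairs against an allowlist of known MAC addresses.

Added example, not from the thread. The check is purely after the fact: it
flags surprises for a human to look at, it does not block anything.
"""
import re
from collections import defaultdict

# Constructed allowlist: 12 hex digits -> device name (not from the thread).
ALLOWED = {
    "001122334455": "print-floor1",
    "66778899aabb": "laptop-qa",
    "0a1b2c3d4e5f": "scanner-dock",
}

# Constructed observations: "time ip mac", one per line, '#' starts a comment.
# The last two lines show an unlisted MAC taking the printer's static address.
SAMPLE_OBSERVATIONS = """\
# time   ip             mac
08:01    192.168.1.10   00:11:22:33:44:55
08:01    192.168.1.160  66:77:88:99:aa:bb
08:02    192.168.1.161  de:ad:be:ef:00:01
08:03    192.168.1.10   de:ad:be:ef:00:01
"""


def normalize_mac(mac):
    """Strip separators and lower-case so 00:11:22:33:44:55 == 0011.2233.4455."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def parse_observations(text):
    """Return a list of (time, ip, mac) tuples, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, ip, mac = line.split()
        rows.append((when, ip, normalize_mac(mac)))
    return rows


def audit(observations, allowed):
    """Compare observations with the allowlist and return what a defender should review."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    first_seen = {}
    for when, ip, mac in observations:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        first_seen.setdefault(mac, when)

    # MACs nobody put on the list: a new device, or a cloned/changed address.
    unknown = sorted(mac for mac in mac_to_ips if mac not in allowed)
    # One IP seen from two MACs: a duplicate address, or a static being grabbed.
    ip_conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    # One MAC at several IPs: a host changing address, or a cloned MAC.
    mac_moves = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return {
        "unknown_macs": unknown,
        "unknown_first_seen": {mac: first_seen[mac] for mac in unknown},
        "ip_conflicts": ip_conflicts,
        "mac_at_multiple_ips": mac_moves,
    }


if __name__ == "__main__":
    for key, value in audit(parse_observations(SAMPLE_OBSERVATIONS), ALLOWED).items():
        print(f"{key}: {value}")
```

The "assuming the network isn't switched" caveat in hardcode's answer matters for where the observations come from: on a switched network a sniffer on one port only sees ARP broadcasts, so the DHCP server's lease table or the switches' MAC address tables are the more complete source of the same IP/MAC pairs. Whatever the source, run the audit on a schedule and diff the report against the previous run, because a list that nobody reads protects nothing.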


I highly recommend the Security Now podcasts (I get them via iTunes) to help with the basic structure and understanding of what it is to be secure. These guys are pretty good and thorough. And the site I link to has transcripts.
posted by inviolable at 4:08 PM on April 6, 2006

