DHCP security

Ed Kasky ed at esson.net
Tue Oct 9 21:48:33 UTC 2007


At 01:10 PM Tuesday, 10/9/2007, Ashley M. Kirchner wrote -=>

>    While I realize DHCPd isn't a security program of any kind, this 
> does have to do with it.  So I just switched our entire network 
> over to DHCP assigned IPs in preparation for another project.  But 
> in doing that, I've come to realize that anyone could plug in their 
> machine and manually set their IP address and bypass the DHCP 
> discovery altogether.  And thus also gaining access to our 
> internal network, something we might not necessarily want to 
> allow.  So the question now is, is there some way to restrict 
> traffic to only those assigned IPs (through DHCP) and block 
> anything else that happens to show up on the network?  Maybe 
> through iptables somehow?

Limiting access via MAC address is usually done in large WANs where 
they don't want just anyone plugging in.  I don't run dhcpd but would 
venture to guess that if you just use static IPs mapped to allowed 
MAC addresses, you would have at least that level of security.

I would also check and see how large universities limit access.  I 
have seen it implemented but never bothered to ask how they do it...

HTH

Ed

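The MAC-to-IP pinning suggested above, combined with the iptables idea from the question, as an added example that is not part of the original message: it reads ISC dhcpd `host` declarations and emits iptables rules that accept only the declared MAC/IP pairs. Assumptions: the filtering box is the Linux gateway, and the interface name `eth1`, the chain name `DHCP_PINNED` and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample of ISC dhcpd.conf host declarations (not from the thread).
SAMPLE_DHCPD_CONF = """
host alice-pc {
    hardware ethernet 00:16:3E:AA:BB:01;
    fixed-address 192.168.10.21;
}
host printer { hardware ethernet 00:16:3e:aa:bb:02; fixed-address 192.168.10.22; }
host no-ip { hardware ethernet 00:16:3e:aa:bb:03; }
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*;", re.I)
IP_RE = re.compile(r"fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")


def parse_hosts(conf):
    """Return (name, mac, ip) for every host block that pins both a MAC and an IP."""
    hosts = []
    for name, body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if mac and ip:  # a host without fixed-address gives nothing to pin
            hosts.append((name, mac.group(1).lower(), ip.group(1)))
    return hosts


def build_rules(hosts, iface="eth1", chain="DHCP_PINNED"):
    """Emit iptables commands: accept known MAC+IP pairs, drop everything else."""
    rules = [
        f"iptables -N {chain}",
        # Clients without a lease send from 0.0.0.0, so DHCP itself must pass.
        f"iptables -A {chain} -p udp --sport 68 --dport 67 -j ACCEPT",
    ]
    for name, mac, ip in hosts:
        rules.append(
            f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} "
            f"-m comment --comment {name} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -j DROP")
    # Apply the chain to LAN traffic addressed to the gateway and routed through it.
    rules += [f"iptables -A {hook} -i {iface} -j {chain}" for hook in ("INPUT", "FORWARD")]
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(parse_hosts(SAMPLE_DHCPD_CONF))))
```

These rules only cover traffic that reaches or crosses the gateway; hosts on the same switch segment can still talk to each other directly, and a MAC address can be changed by the client, so this stays at the "at least that level of security" described above.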




More information about the fedora-list mailing list