We evaluated this as well and there were only 2 options we found that we
could do:
One was to restrict MAC addresses to the switch port. Thus any other
machine plugged into that port wouldn't work.
The other was to go to a DHCP by MAC environment, so only authorized MAC
addresses would get IP's.
While it would keep accidental abuse at bay (such as a vendor plugging
into our network), since it's trivial to forge a MAC address a
deliberate attack wouldn't be stopped by either option as an attacker
could unplug a system than take over it's identity with his own machine,
and the security improvement may not be worth the administrative
headache.
-----Original Message-----
From: Davy Davidson [mailto:davy_emp@hotmail.com]
Sent: August 25, 2006 1:53 AM
To: focus-ms@securityfocus.com
Subject: IP address assignment problem
Hi,
I have a little problem and seek for ur thoughts, let's assume I'm in a
very
open environment where everyone can very easily try to get his/her
laptop on
the network and IP addresses are assigned by a DHCP server and we are in
a
domain environment, how do I prevent machines that are not part of our
domain to be assigned an IP address?
Thanks
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.com/
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
