2nd July 2007, 09:06 AM #1
Locking down network, allow only approved mac addresses?
Couldn't find an answer to this when searching but my searching techniques leave a lot to be desired so if anyone could point me in the right direction to a post or offer some help it would be appreciated...
I have my domain controller (server 2003) set up as the DHCP server. Now in an attempt to lock down our network I wanted to somehow set it so that the DHCP server only assigns ip addresses to an allowed list of MAC addresses so no rogue wireless or wired computers can access the network unless added to this list.
This would protect us from anyone hacking into wifi points and any rogue machines plugged into the network. Also means all machines connected to the network have my permission to be connected and nothing that hasn't been virus checked or prepared for the network will have access.
I am positive that most of you will have a similar solution set up and I wondered if it was possible without 3rd party software.
Again apologies if this is a repeated post as I swear I have seen a post like this before but can't find it.
Any other suggestions for locking down our network would be appreciated also!
Many thanks!
Busy busy monday!
2nd July 2007, 09:29 AM #2 Re: Locking down network, allow only approved mac addresses?
The only 'quick' way I can think of to do it without third party software would be to manually add reservations by MAC address - off the top of my head, I don't think you can add a pool of MAC addresses which are allowed to get IPs via DHCP. I stand ready to be corrected though!
-
-
2nd July 2007, 09:40 AM #3 Re: Locking down network, allow only approved mac addresses?
Yes, that'll work. But it's a flawed solution. There's nothing stopping people either:
a) spoofing a working mac address
b) sniffing network traffic and working out your network settings. Then configuring themselves manually.
There are several other ways of doing this:
a) IPSec, but you need PKI set up correctly and there's a system overhead for all the encryption/decryption you'll be doing.
b) 802.11X, but you need switches that support it and a radius server.
c) Packetfence, but you need to know *nix (or be able to run VMWare images).
A cheap and easy way to cut down on possible abuse is to simply leave unconnected endpoints disconnected at the switch cabinet.
-
-
2nd July 2007, 09:46 AM #4
Re: Locking down network, allow only approved mac addresses?
I suppose this would be sufficient. It is only a primary school and it would just be so that non-prepared machines would not have network access until I allow them. I would have to rely on my wireless security to prevent external machines connecting.
-
-
2nd July 2007, 09:50 AM #5 Re: Locking down network, allow only approved mac addresses?
As for wireless, you can usually do 802.11X (Wifi calls it Enterprise WPA usually). Failing that WPA-PSK with a long/complex password is sufficient.
-
-
2nd July 2007, 10:55 AM #6
Re: Locking down network, allow only approved mac addresses?
So do I need to turn off DHCP and assign static ip addresses to each MAC? Cos surely if I just add reservations for the mac addresses of allowed computers other computers can still connect to the dhcp server?
-
-
8th July 2007, 01:30 AM #7
Re: Locking down network, allow only approved mac addresses?
Originally Posted by starscream:
So do I need to turn off DHCP and assign static ip addresses to each MAC? Cos surely if I just add reservations for the mac addresses of allowed computers other computers can still connect to the dhcp server?
You don't need to turn DHCP off, just make sure that all allowed MACs get reserved addresses and that there is no free pool of addresses.
As Geoff implies this is merely security through obscurity. A knowledgeable person won't be stopped from connecting, just slightly inconvenienced.
-
-
9th July 2007, 07:43 AM #8 Re: Locking down network, allow only approved mac addresses?
On our network, I've blocked all IPs which aren't required by setting them into an exclusion range, so if a device connects, the DHCP server will tell it there aren't any free IPs. Of course, this doesn't stop people connecting with PCs which have valid IPs configured manually, so when I have a few hours to spare, I will go through each of the "free" IPs setting reservations on them.
I've also disconnected all redundant network points at the switch.
-
-
9th July 2007, 11:23 PM #9
Re: Locking down network, allow only approved mac addresses?
Originally Posted by NickJones:
On our network, I've blocked all IPs which aren't required by setting them into an exclusion range, so if a device connects, the DHCP server will tell it there aren't any free IPs. Of course, this doesn't stop people connecting with PCs which have valid IPs configured manually, so when I have a few hours to spare, I will go through each of the "free" IPs setting reservations on them.
How? Each reservation needs a MAC, so if you've used them already...
As for the manually configured machines, they won't ask for an address so won't be bothered about reservations.
-
-
10th July 2007, 08:38 AM #10 Re: Locking down network, allow only approved mac addresses?
Each reservation will need a MAC, you're right - but it won't take very long to type them in for the 100 or so spare IPs in our range.
I was under the impression that if an IP had a reservation against it, a different MAC address wouldn't be allowed to connect using that IP...
-
-
10th July 2007, 08:52 AM #11 Re: Locking down network, allow only approved mac addresses?
I was under the impression that if an IP had a reservation against it, a different MAC address wouldn't be allowed to connect using that IP...
That's correct. However you have two problems unsolved:
1) People spoofing MAC addresses.
2) People manually configuring their networking.
Which is the situation starscream was in at the start of the thread....
-
-
10th July 2007, 08:59 AM #12 Re: Locking down network, allow only approved mac addresses?
1) I can cope with that risk here - it's not 100% secure, but it's more secure than doing nothing (and probably more secure than most other networks!).
2) Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?
-
-
10th July 2007, 09:07 AM #13 Re: Locking down network, allow only approved mac addresses?
Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?
Yes it would, it doesn't care what the DHCP server thinks as it never talks to it. Plus the DHCP server has no mechanism to shut down the rogue machine.
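The gap Geoff describes here, a manually configured host that never talks to the DHCP server, can only be closed by checking what is actually answering on the wire. The following is an added example, not code from this thread: a Python script that compares a constructed `arp -a` style dump against the list of approved IP/MAC pairs (DHCP reservations plus known static devices) and reports what the reservation scheme cannot see. All addresses are constructed sample values.

```python
import re
# Constructed sample: approved IP -> MAC (DHCP reservations plus the static router).
APPROVED = {
    "192.168.1.1": "00-aa-bb-cc-dd-01",   # router, statically addressed
    "192.168.1.10": "00-11-22-33-44-55",  # DHCP reservation
    "192.168.1.11": "00-11-22-33-44-66",  # DHCP reservation
    "192.168.1.12": "00-11-22-33-44-77",  # DHCP reservation
}
# Constructed `arp -a` style dump taken from a workstation on the LAN.
ARP_DUMP = """\
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.10          00-11-22-33-44-55     dynamic
  192.168.1.11          00-11-22-33-44-66     dynamic
  192.168.1.12          00-de-ad-be-ef-00     dynamic
  192.168.1.200         00-ca-fe-00-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)

def normalise_mac(mac):
    # Lower-case, dash-separated form so Windows and *nix spellings compare equal.
    return mac.lower().replace(":", "-")

def parse_arp(dump):
    # Return {ip: mac} for dynamic entries; static broadcast rows are skipped.
    seen = {}
    for line in dump.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            seen[m.group(1)] = normalise_mac(m.group(2))
    return seen

def audit(approved, seen):
    # Classify every live ARP entry against the approved IP/MAC list.
    approved = {ip: normalise_mac(mac) for ip, mac in approved.items()}
    by_mac = {mac: ip for ip, mac in approved.items()}
    findings = {"unknown_host": [], "mac_mismatch": [], "approved_mac_wrong_ip": []}
    for ip, mac in sorted(seen.items()):
        if ip in approved:
            if approved[ip] != mac:   # reserved IP answered by a different card
                findings["mac_mismatch"].append((ip, approved[ip], mac))
        elif mac in by_mac:           # known MAC on an address we never handed out
            findings["approved_mac_wrong_ip"].append((ip, mac, by_mac[mac]))
        else:                         # manually configured, unapproved device
            findings["unknown_host"].append((ip, mac))
    return findings

print(audit(APPROVED, parse_arp(ARP_DUMP)))
```

On a real network the dump would come from the switch or router's ARP or MAC table rather than one workstation, so that hosts on other VLANs are also covered.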
-
-
10th July 2007, 09:28 AM #14 Re: Locking down network, allow only approved mac addresses?
Originally Posted by Geoff:
Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?
Yes it would, it doesn't care what the DHCP server thinks as it never talks to it.
In which case I won't bother with the reservations! Thanks, you've saved me some time :-)
-
-
10th July 2007, 10:22 AM #15 Re: Locking down network, allow only approved mac addresses?
Have found this thread here: http://www.securityfocus.com/archive...0/390/threaded
Makes for good bedtime reading
enjoy
-