Security Basics mailing list archives
RE: DHCP
From: "Cisternas Marquez, Gonzalo" <gcisternas () cientec com>
Date: Mon, 25 May 2009 09:53:47 -0400
-----Original message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of John Bailey
Sent: Friday, 22 May 2009 12:53 To: Doug McFarland CC: security-basics () securityfocus com Subject: Re: DHCP

Doug McFarland wrote:
Hi all, I am looking for a way to block any PC that plugs into my network that is not authorized to access any network resources-servers, firewalls, etc. Is there a way in DHCP that I can add reservations just for the PCs that I want to allow the network resources and any other pc/laptop that happens to be plugged into the network either doesn't get an IP address, gets a dummy IP address, or something else? I've heard Windows Server 2008 can do this, but I'm not sure about 2003. Any suggestions would be greatly appreciated.
Best regards, djm

You can create reservations for every client, sure. If you have no addresses in the scope that are not excluded for reservations, additional clients will not be able to obtain an IP address. That has only limited usefulness, though, as anyone with sufficient clue can modify their MAC address to match one of the existing clients and plug in in its place. For a Linux user, it's trivial--"ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx", and for other OSes it's only somewhat more difficult.
John
Hello:
Step 1: create a DHCP server with information about your "registered" MACs; this server will send the IP address and parameters to configure the *authorized* clients.
Step 2: create a second DHCP server with information about a nonexistent network (another IP scope), several parameters, and, this is the important part, a DNS record for a nonexistent server whose route is found inside your network (let's say an internal machine which is not configured); now you can obtain a list of the MACs registered with this decoy.
Step 3: take as input the *decoy MAC* address list and send them a FIN frame every 5 minutes.
Step 4: you can take a look at your firewall's internal interface for the MAC addresses coming from inside your network. You can sort this list and remove the *authorized* MAC addresses, according to the information actually kept from step 1.
Step 5: add the addresses that remain in the list of step 4 and go back to step 3.
It's done. I hope this could help.
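The comparison in steps 1 and 4 above (registered MAC list versus MACs seen on the firewall's internal interface) can be scripted. The following is an added example, not code from the poster or from the list; it assumes the observed addresses are available as `arp -an`-style text (a constructed sample is embedded here) and that the authorized list is a plain set of MAC strings. It also flags any MAC that appears with more than one IP at the same time, which is one cheap heuristic for the cloned-MAC situation John Bailey describes, since reservation-based filtering alone cannot tell a cloned client from the real one.

```python
import re

# Constructed sample in the style of `arp -an` output, as it might be read
# from the firewall's internal interface (step 4 of the post). Not real data.
ARP_SAMPLE = """\
? (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.1.11) at 00:11:22:33:44:66 [ether] on eth1
? (192.168.1.12) at 00-11-22-33-44-77 [ether] on eth1
? (192.168.1.13) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.1.14) at <incomplete> on eth1
"""

# Constructed "registered" MAC list (step 1): the authorized clients.
AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Matches one ARP line; accepts colon- or dash-separated MACs, skips
# entries whose address is "<incomplete>".
MAC_RE = re.compile(
    r"^\s*\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so differently formatted
    addresses compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return a list of (ip, mac) tuples for complete ARP entries."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            entries.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return entries


def audit(entries, authorized):
    """Split observed entries into MACs not on the registered list and
    MACs seen with more than one IP (possible cloned address)."""
    allowed = {normalize_mac(a) for a in authorized}
    unknown = sorted({mac for _, mac in entries if mac not in allowed})
    ips_by_mac = {}
    for ip, mac in entries:
        ips_by_mac.setdefault(mac, set()).add(ip)
    duplicates = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                  if len(ips) > 1}
    return unknown, duplicates


if __name__ == "__main__":
    unknown, duplicates = audit(parse_arp(ARP_SAMPLE), AUTHORIZED)
    print("Unregistered MACs:", unknown)
    print("MACs seen with several IPs:", duplicates)
```

On the constructed sample the script reports one unregistered MAC (the dash-formatted `00:11:22:33:44:77`) and one registered MAC that is present on two IPs at once, which is worth a look even though it is on the allowed list.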
Current thread:
- DHCP Doug McFarland (May 22)
- Re: DHCP Shreyas Zare (May 22)
- Re: DHCP Shreyas Zare (May 22)
- Re: DHCP Tim Clewlow (May 22)
