I need to lock down unused IP addresses so people cannot access the network just by plugging in. The computers have static IPs, but if I were to plug my personal laptop into a cable, I now have network access and it is pulling an IP from somewhere, and that is what I need to prevent.
-
Physical security of small networks is much easier than NAP. – Chris S Jul 20 '10 at 13:06
-
I suggest also investigating the arpwatch utility if you're using Linux. – MikeyB Jul 20 '10 at 15:08
-
Please tell us a little more about your set up. If your machines have static IP addresses then do you even have a DHCP server? If you do, do you need it? Could you just turn it off? – Justin Ohms Jul 16 '11 at 04:02
3 Answers
The strong-armed solution for something like this is 802.1X, where a user has to authenticate to gain access to a network port.
Implementing this is non-trivial.
How large is your userbase? If it's reasonably small (or if you have a good up-to-date inventory of user machines), you can configure your DHCP server to only hand out addresses to known machines.
What are you using for your DHCP server right now?
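As an added example that is not part of the answer above, this is what "only hand out addresses to known machines" looks like on an ISC `dhcpd` server. The subnet, addresses, hostnames and MAC addresses are made-up placeholders; the directives (`deny unknown-clients`, `host`, `hardware ethernet`, `fixed-address`) are standard ISC DHCP configuration.

```conf
# /etc/dhcp/dhcpd.conf  (placeholder values; adjust to your network)

# Refuse leases to any client whose MAC is not listed in a host block.
# Unknown laptops that plug in will get no reply from this server.
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2;
    deny unknown-clients;
}

# Known machines: one host block per inventoried workstation.
host ws01 {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC
    fixed-address 192.168.10.101;
}

host ws02 {
    hardware ethernet 00:11:22:33:44:56;   # constructed MAC
    fixed-address 192.168.10.102;
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check the file before reloading the service. Keep in mind that this only controls what the DHCP server offers: a machine with a manually set static address, or one that copies a listed MAC, still gets on the wire, so it raises the bar for casual plug-ins but does not replace port-level authentication such as 802.1X.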
If you have DHCP running on a Windows Server 2008 (or R2) you can use DHCP NAP to prevent "rogue users" from obtaining an IP. There are several other ways to secure a network using NAP, including IPSec or 802.1X; and it can be implemented over VPNs as well.
As Matt Simmons pointed out, it's not trivial. See the NAP document from this download page.
A simple solution, if you are using DHCP with IP reservations, would be to reserve all unused IP addresses to bogus MAC addresses.