• Status: Solved
  • Priority: Medium
  • Security: Public

restrict DHCP to MAC addresses

Is there a way to restrict issuing DHCP to a set list of MAC addresses?

thanks
phil
detox1978
2 Solutions
 
oBdA Commented:
Yes; you can use reservations for the clients that are allowed to receive a DHCP address, then simply exclude the rest of the range.
Once you have reserved the whole scope, you'll have an exclamation mark at the scope in the DHCP manager; this is just to let you know that there aren't any more IP addresses available, but that's what you want.
 
detox1978 Author Commented:
Thanks for the info, but I'm not sure I understand.

I have found reservations on my DHCP server. But I thought reservations were used to remove IPs from a scope; if I associate all my IPs against MAC addresses (i.e. one IP per MAC), is this not defeating the object of DHCP (Dynamic)?


Phil
 
oBdA Commented:
Not really; with reservations, you can make sure that a certain machine gets a certain address. That way, you'll have the advantage of "sort of" static addresses, and still the advantage that you can easily deploy changes through DHCP. Best of both worlds, so to speak.
 
detox1978 Author Commented:
I see what you mean... it would work, and retain a lot of the benefit.

Are there any other ways?

 
oBdA Commented:
Not that I knew of.
 
detox1978 Author Commented:
doh...

OK, will leave post open for another week, in case anyone else knows of a way...

 
alimu Commented:
What's your aim? Stopping people plugging into your network and getting an address?
The second last paragraph here in the "Threats and Countermeasures" section looks at using MAC addresses to combat the issue: http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
What many people don't know is that it's quite simple to change your MAC address (we used to do it for every computer that came into our organisation - don't ask, it was an administrative nightmare); it's also not that difficult for an attacker to change theirs.
 
detox1978 Author Commented:
Hi alimu,

Thanks for the link - it confirms the reservations option oBdA suggested.

Our aim is to stop unauthorised hardware being plugged into the network (i.e. non-company hardware - sales reps, auditors etc...).

We aren't too concerned with a hacker who will harvest MAC addresses sent via DHCP broadcasts. The way I see it, if they will go to that length, they will compromise the system anyway.

Phil
 
alimu Commented:
Looks like no more takers, detox1978..
If you're into a bit more security, look at the physical side too - turn off network ports that aren't in use.
cheers!
alimu
 
alimu Commented:
Sorry about the multiple posts... I just thought of something else (not good news unfortunately)... If you have multiple DHCP scopes, you'll have to set up the DHCP reservations in every scope. You've also got a problem because anyone coming into your network with a static IP address that is within your subnet range is going to be allowed through anyway... DHCP isn't even a factor there.
A possible workaround, but with quite a bit of overhead involved, is having an allowed MAC list on your switches, i.e. this MAC address is the only one allowed to talk through this particular switch port. I think you can only do this on a per-port basis and you've got management overhead every time someone wants to move desks.
 
detox1978 Author Commented:
Many thanks for your time and suggestions...


I will have to look into third-party apps... as reserving all DHCP IPs isn't an option.
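
The reservation-plus-exclusion approach oBdA describes earlier in this thread, scripted as an added example that is not part of the original posts. It assumes a Windows DHCP server with the DhcpServer PowerShell module (Windows Server 2012 or later) and a single /24 scope; the scope, addresses, MACs and host names are constructed.

```powershell
# Added example. Scope, addresses, MACs and host names are constructed.
# Assumes the DhcpServer module (Windows Server 2012 or later) and a /24 scope.
Import-Module DhcpServer

$ScopeId = '192.168.10.0'   # assumed scope
$Prefix  = '192.168.10.'    # first three octets of that scope
$First   = 100              # first host octet of the scope's address range
$Last    = 199              # last host octet of the scope's address range
$DryRun  = $true            # $true: report what would change, change nothing

# Constructed allow list: one entry per authorised machine.
$Allowed = @(
    @{ Name = 'PC-ACCOUNTS-01'; Mac = '00-11-22-33-44-55' }
    @{ Name = 'PC-ACCOUNTS-02'; Mac = '00-11-22-33-44-56' }
    @{ Name = 'PC-SALES-01';    Mac = '00:11:22:33:44:57' }
)

# Normalise each MAC to AA-BB-CC-DD-EE-FF; stop on malformed or duplicate entries.
$seen = @{}
foreach ($entry in $Allowed) {
    $hex = ($entry.Mac -replace '[-:.]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Bad MAC for $($entry.Name): $($entry.Mac)" }
    if ($seen.ContainsKey($hex)) { throw "Duplicate MAC: $($entry.Mac)" }
    $seen[$hex] = $entry.Name
    $entry.Mac  = $hex -replace '(..)(?!$)', '$1-'
}
if ($Allowed.Count -gt ($Last - $First + 1)) { throw 'More machines than addresses in the range.' }

# One reservation per allowed MAC, taken from the bottom of the range.
$octet = $First
foreach ($entry in $Allowed) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress "$Prefix$octet" `
        -ClientId $entry.Mac -Name $entry.Name -WhatIf:$DryRun
    $octet++
}

# Exclude everything left over so no unreserved address can be leased.
if ($octet -le $Last) {
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId `
        -StartRange "$Prefix$octet" -EndRange "$Prefix$Last" -WhatIf:$DryRun
}

# Review: leases currently held by MACs that are not on the allow list.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { -not $seen.ContainsKey(($_.ClientId -replace '-', '').ToUpper()) } |
    Select-Object IPAddress, ClientId, HostName, AddressState
```

As alimu points out in the thread, this only governs what the DHCP server hands out; a machine configured with a static address in the subnet is unaffected, and with several scopes the script has to be run once per scope.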

