Protecting network from DHCP Server releases address to unwanted computers

Posted on 2012-08-29
Last Modified: 2012-09-02
I would like to prevent unwanted computers from getting an IP address from my DHCP server if they are connected to my switch or to any cable in my network.

I would like to allow only computers from my company to get an IP address from my DHCP server, because today if someone connects to a network cable on my network they are automatically connected to my network.

In my research on the internet I found that maybe RADIUS could help me prevent this kind of behavior on my network.

Another thing that I want to prevent is a computer with a cloned MAC address being connected to my network.

Is there a way that is not too expensive to achieve this?


Question by:jrthurler

Expert Comment

ID: 38347521
There are several methods you could employ. It would be helpful to know what the environment is: what OS/version is DHCP running on, is there a domain, etc.

Expert Comment

ID: 38347522
There is an add-on for Microsoft DHCP that either allows or denies based on MAC address. I forget what it's called.

Accepted Solution

pony10us earned 1000 total points
ID: 38347524
Are you running managed switches? If so, then you can use port security. This will NOT prevent a cloned MAC address from connecting; however, it would make it very difficult.

Another option is to use DHCP reservations with a tight range. This would face the same issue with a cloned MAC address but would be easier to connect.

Following on the managed switch theme, you should disable all ports that are not in use, preventing a machine from connecting simply by plugging into an empty port.


Assisted Solution

NetExpert_pl earned 1000 total points
ID: 38347823
You could use MAC authentication in switches (if supported). It uses a RADIUS server to allow only "your" MAC addresses to connect.

You can make reservations for all IP addresses in a range. Some would be valid for your users and others set to non-existent MAC addresses. There would be no IP addresses left to lease.

Both solutions rely on MAC addresses. A changed MAC address could be allowed access.

You could use Web authentication in switches (if supported). When a user connects to the switch and opens a Web browser, the switch automatically presents a login page. The user then enters a username and password, which the switch forwards to a RADIUS server for authentication. Users will hate you for that ;-)
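Both answers above point out that reservations and MAC authentication stand or fall on the MAC address. A cheap complementary check on the DHCP side is to audit the server's lease log against an inventory of company MACs and flag leases handed to unknown MACs, as well as one MAC that shows up under two different hostnames (one sign that an address has been cloned). The script below is an added example and not code from the original thread or from any DHCP product; it assumes a constructed, generic "timestamp ACK ip mac hostname" log format rather than any real server's log layout, and the sample lines and inventory are made up.

```python
"""Audit DHCP lease log lines against an inventory of company MAC addresses."""
import re
from collections import defaultdict

# Constructed sample log in a generic shape (an assumption; real DHCP servers
# such as Microsoft DHCP or ISC dhcpd each log in their own formats).
SAMPLE_LOG = """\
2012-08-29 09:01:12 ACK 10.0.5.21 00:1a:2b:3c:4d:01 finance-pc01
2012-08-29 09:02:40 ACK 10.0.5.22 00:1a:2b:3c:4d:02 finance-pc02
2012-08-29 09:05:03 ACK 10.0.5.23 08:00:27:aa:bb:cc unknown-laptop
2012-08-29 09:07:55 ACK 10.0.5.24 00:1a:2b:3c:4d:02 visitor-x
"""

# Constructed inventory of MACs that belong to company machines.
INVENTORY = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ACK (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<host>\S+)$",
    re.IGNORECASE,
)


def parse_leases(text):
    """Return one dict per parseable lease line; MACs are normalised to lowercase."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lease = m.groupdict()
            lease["mac"] = lease["mac"].lower()
            leases.append(lease)
    return leases


def unknown_macs(leases, inventory):
    """MACs that received a lease but are not in the company inventory."""
    return sorted({l["mac"] for l in leases if l["mac"] not in inventory})


def suspected_clones(leases):
    """MACs seen with more than one hostname, a hint that the MAC was copied."""
    hosts = defaultdict(set)
    for l in leases:
        hosts[l["mac"]].add(l["host"])
    return {mac: sorted(h) for mac, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    print("unknown MACs:", unknown_macs(leases, INVENTORY))
    print("suspected clones:", suspected_clones(leases))
```

Run against the sample it reports the visitor laptop as unknown and the finance-pc02 MAC as appearing under a second hostname. A hostname is self-reported by the client, so a clone hit is a lead to check at the switch port, not proof on its own.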

Expert Comment

ID: 38347844
Of course any computer with a manually assigned IP address will access the network if you choose to use reservations.

Author Comment

ID: 38347904
Is the only way that I have to allow just authorized computers on my network using SmartCard authentication?

Expert Comment

ID: 38347968
Using Port Security on a managed switch:

1. You limit the number of devices that can connect to a port
2. The first device to connect to that port will register its MAC
3. Any other device (over the number allowed) that attempts to connect without the same MAC will shut the port down
4. Ports not actively being used should be shut down

If a rogue device connects to an empty port and it is shut down, it doesn't work.
If a rogue device connects to a port by unplugging one device and plugging into that same port and it doesn't have the same MAC address, it will shut down that port.

The only way a rogue device will connect would be to get the MAC address from another device that is active on the network. Since they wouldn't have network access yet, it would require physical access. Then change the MAC on the rogue device, unplug the active device and plug into the same port.

Port security is extremely effective, except it does raise the work level of IT when a computer is moved.
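The four steps above and the three outcomes that follow them describe a small state machine per switch port: a maximum number of sticky MACs, an err-disabled state on violation, administratively shut unused ports, and a manual recovery step that is the IT workload mentioned at the end. The model below is an added example, not vendor switch code or configuration; it assumes a one-MAC-per-port policy with "shutdown" as the violation action and uses constructed port names and MAC addresses. It walks the scenarios from the comment, including the one limitation the comment calls out, where a device cloning the active MAC on the same port is accepted.

```python
"""Model of switch port security (added example; not vendor code)."""


class SecurePort:
    """One access port with sticky MAC learning and a shutdown violation action."""

    def __init__(self, name, maximum=1, enabled=True):
        self.name = name
        self.maximum = maximum          # step 1: how many MACs may use the port
        self.enabled = enabled          # step 4: unused ports are administratively down
        self.learned = []               # step 2: sticky MACs, first come first served
        self.err_disabled = False       # step 3: set once a violation occurs

    def link_up(self, mac):
        """Return True if a device with this source MAC may talk on the port."""
        mac = mac.lower()
        if not self.enabled or self.err_disabled:
            return False                # shut ports carry nothing
        if mac in self.learned:
            return True                 # known (or cloned) MAC passes
        if len(self.learned) < self.maximum:
            self.learned.append(mac)    # first device registers its MAC
            return True
        self.err_disabled = True        # violation: port is shut down
        return False

    def admin_recover(self):
        """IT re-enables the port and clears sticky MACs after a legitimate move."""
        self.err_disabled = False
        self.learned.clear()


def scenario():
    """Replay the situations described in the comment; constructed MACs."""
    results = {}

    # Rogue device on an unused, administratively shut port: nothing happens.
    unused = SecurePort("Gi0/24", enabled=False)
    results["rogue_on_unused_port"] = unused.link_up("08:00:27:aa:bb:cc")

    # Office port: the legitimate PC connects first and registers its MAC.
    office = SecurePort("Gi0/1")
    results["legit_first"] = office.link_up("00:1a:2b:3c:4d:01")

    # Rogue unplugs the PC and uses the same port with its own MAC: port shuts.
    results["rogue_replaces_legit"] = office.link_up("08:00:27:aa:bb:cc")
    results["port_err_disabled"] = office.err_disabled

    # Even the legitimate PC is out until IT recovers the port (the IT workload).
    results["legit_after_violation"] = office.link_up("00:1a:2b:3c:4d:01")
    office.admin_recover()
    results["legit_after_recover"] = office.link_up("00:1a:2b:3c:4d:01")

    # Limitation: a device that copied the active MAC and uses the same port passes.
    results["cloned_mac_same_port"] = office.link_up("00:1A:2B:3C:4D:01")
    return results


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:24s} -> {allowed}")
```

The last case is why the answers above pair port security with something that does not depend on the MAC alone (RADIUS-based user or certificate authentication), and why an err-disabled port is worth alerting on rather than silently re-enabling.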
