Solved

How do I stop DHCP giving out IP addresses to anything plugged into the network?

Posted on 2014-09-24
Last Modified: 2014-09-29
As a technology company which I am fairly new to, we seem to have a free-for-all attitude to plugging things into the network. I don't mind the hubs so much, but three things I need to get on top of are virtual machines, mobile phones and self-purchased laptops. The latter is probably the one I need to resolve quickly. My problem is that anything plugged into our network will get an IP address and get access to certain resources - they have not been configured by me with anti-virus and computer accounts in AD, so my server screams at me with security failures, which makes monitoring a nightmare. I think what I need to do is stop IP addresses being given to the devices above, but I am not sure how to do this.
Please advise.

Thanks
Question by:fuzzyfreak
16 Comments
 
LVL 13

Expert Comment

by:Mark Galvin
ID: 40341360
Hi

How big is the network? What is currently giving out DHCP addresses?

Thanks
Mark/
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341366
Simple answer would be to disable DHCP and use static IP addresses; that way no new device will get an IP address.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40341370
Or Cisco ISE
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341400
Network is small, we have about forty users but approximately 200 IP addresses for various devices (desktops, laptops, wireless devices, hubs, switches, VMs, Servers)
It is Windows domain DHCP giving them out.
No way am I going to give out static IP addresses!
I would prefer to simply reconfigure what we already have.
0
 
LVL 19

Accepted Solution

by:
Kash earned 500 total points
ID: 40341418
We use Kerio Control; it's not free but it's good.

Your other option would be to use MAC address filtering with strict bind.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341424
How do I use MAC address filtering?  Where is this option?
Any idea how much Kerio is?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341447
http://www.kerio.com/products/kerio-control

I will get you info on MAF later on.
0
 
LVL 13

Expert Comment

by:Mark Galvin
ID: 40341448
MAC Address Filtering - http://technet.microsoft.com/en-us/magazine/ff521761.aspx

Don't use static. It will cause chaos, including IP conflicts. It will also allow a user who has the know-how to set their IP statically, and then they have access.

You could also look at your network switches. If you set the access there (sorry - not a network engineer so can't advise) then only the devices you have given access to will be able to access the network.
0
 
LVL 3

Expert Comment

by:TropicalBound
ID: 40341451
When you find an unauthorized device on your network, create a DHCP reservation with the device's MAC address.  Under 'Configure Options', enter bogus DNS and router info.  They'll still be on your network, but they won't have name resolution or Internet access.

This is a band-aid at best. Even if you resolve the DHCP issue, you still have to contend with the users who put a static IP on their device. Ultimately, you'll need senior management to back you, and institute a corporate policy prohibiting users from connecting personal devices to the corporate network. Then give the corporate policy teeth. You'll only have to make an example out of one person before people take the policy seriously.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40341454
0
 
LVL 19

Expert Comment

by:Kash
ID: 40341679
Follow this article >>> http://social.technet.microsoft.com/Forums/en-US/6a4479cd-5567-4a48-b936-251149ae034f/mac-address-filtering-with-windows-server-2008-r2?forum=winserverNAP

The reason being you listed Windows 2008 as the server, so I presume it is doing the DHCP.
Let me know if otherwise, and let us know the name of the router and I will dig out the detailed instructions for that.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 40343712
A simple solution:
Use a DHCP server and allow only reservations, no dynamic IP assignment.
Each new device would need to have its MAC address registered in the reservation pool before it can get an IP address from DHCP.
No need to purchase anything new, simple management...
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344065
Thank you all for your suggestions, I think simple MAC address filtering is the way to go here for my known devices. But what I need to do is set up a scope that allows those plug and play devices to continue to get out to the Internet (not to the network).  Any ideas here?  Do I set up a new scope?
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 40344339
You need a "guest network". If on WiFi, that's easier, provided that your WiFi router/Access point has the "guest network" feature...
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40344441
I already have a guest network on wi-fi.  No, this is for physical Ethernet connections.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40349476
I think MAC address filtering is the answer here.  I will raise a new question regarding a "guest" DHCP scope.
0
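
The MAC address filtering approach settled on in this thread, as an added example that is not part of any post above: it reports leases held by devices outside an approved inventory, stages the Allow list, and enforces it only when asked, so the filter is never switched on while the list is still empty. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later; on 2008 R2 the same Allow/Deny lists are under the DHCP console's Filters node), and the server name and inventory are constructed placeholders.

```powershell
# Added example: audit leases against an approved inventory, then stage and
# (optionally) enforce the DHCP MAC Allow list. All names are assumptions.
Import-Module DhcpServer

$DhcpServer = 'dhcp01.example.local'   # hypothetical DHCP server name
$Enforce    = $false                   # keep $false for the first (audit-only) run

# Constructed sample inventory of devices IT has approved
$Approved = @(
    [pscustomobject]@{ Mac = '00-11-22-33-44-55'; Owner = 'WS-ACCOUNTS-01' }
    [pscustomobject]@{ Mac = '00:11:22:33:44:66'; Owner = 'LAB-VM-HOST' }
)

function ConvertTo-NormalMac([string]$Mac) {
    # Drop separators and upper-case so 00:11.., 00-11.. and 0011.. compare equal
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

$approvedSet = @{}
foreach ($d in $Approved) { $approvedSet[(ConvertTo-NormalMac $d.Mac)] = $d.Owner }

# 1. Report every current lease whose MAC is not in the inventory
$unknown = Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId
} | Where-Object { -not $approvedSet.ContainsKey((ConvertTo-NormalMac $_.ClientId)) }

$unknown | Select-Object IPAddress, ClientId, HostName, AddressState |
    Format-Table -AutoSize

# 2. Stage the Allow list, skipping MACs that are already on it
$existing = Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow |
    ForEach-Object { ConvertTo-NormalMac $_.MacAddress }
foreach ($d in $Approved) {
    if ($existing -notcontains (ConvertTo-NormalMac $d.Mac)) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $d.Mac -Description $d.Owner
    }
}

# 3. Turn enforcement on only after the report above has been reviewed
if ($Enforce) {
    Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true -Deny $true
}
```

The filter only governs lease assignment, so a device with a manually set address is unaffected, as noted earlier in the thread; rerunning step 1 on a schedule keeps the inventory and the lease table in sync.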


Question has a verified solution.
