ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

    Scheduled Pinned Locked Moved IT Discussion
    214 Posts 11 Posters 32.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dave247D
      dave247 @scottalanmiller
      last edited by

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      If security was teh goal, NAC is what is needed.

      As in, on the switches or what? Sorry, please elaborate.

      DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @dave247
        last edited by

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        If security was teh goal, NAC is what is needed.

        As in, on the switches or what? Sorry, please elaborate.

        NAC Network Access Control.

        1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch
          last edited by

          Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

          When you start down this route, these are the issues you will encounter.

          NAC sounds like what you actually want.

          Disable DHCP totally get a NAC solution.

          dave247D 1 Reply Last reply Reply Quote 3
          • coliverC
            coliver
            last edited by coliver

            I'm surprised that @scottalanmiller hasn't posted his LAN-Less video yet.

            1 Reply Last reply Reply Quote 1
            • dave247D
              dave247 @coliver
              last edited by

              @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

              If security was teh goal, NAC is what is needed.

              There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

              But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

              Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

              And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

              coliverC JaredBuschJ scottalanmillerS 3 Replies Last reply Reply Quote 0
              • dave247D
                dave247 @JaredBusch
                last edited by

                @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

                When you start down this route, these are the issues you will encounter.

                NAC sounds like what you actually want.

                Disable DHCP totally get a NAC solution.

                A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

                coliverC 1 Reply Last reply Reply Quote 0
                • coliverC
                  coliver @dave247
                  last edited by

                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                  Wow... I know financial audits are crazy but that's the first time I've heard of that.

                  Look into a NAC solution. I've heard good things about PacketFence but Microsoft also has one. You'll need to ensure your switches support 802.1x for most of these solutions.

                  1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @dave247
                    last edited by

                    @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    If security was teh goal, NAC is what is needed.

                    There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                    But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                    Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                    And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                    There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

                    Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

                    dave247D 1 Reply Last reply Reply Quote 2
                    • coliverC
                      coliver @dave247
                      last edited by

                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

                      When you start down this route, these are the issues you will encounter.

                      NAC sounds like what you actually want.

                      Disable DHCP totally get a NAC solution.

                      A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

                      It does yes. It's not bad and will, probably, do what you want. But it leaves a lot to be desired with reporting and actual usage can be a pain in the ass.

                      1 Reply Last reply Reply Quote 0
                      • DustinB3403D
                        DustinB3403
                        last edited by

                        BMW also had this kind of audit requirement and we simply took the point, and when it came to discussing it we sai the very same thing as @JaredBusch said.

                        And the point was removed because the "Audit" fails the "Logic Test".

                        1 Reply Last reply Reply Quote 1
                        • dave247D
                          dave247 @JaredBusch
                          last edited by

                          @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          If security was teh goal, NAC is what is needed.

                          There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                          But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                          Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                          And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                          There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

                          Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

                          Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

                          Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

                          DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @dave247
                            last edited by

                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            If security was teh goal, NAC is what is needed.

                            As in, on the switches or what? Sorry, please elaborate.

                            Yes, on the network itself so that the end points may or may not get an IP address, but are then tested to see if they are allowed on the network (using one of several NAC protocols) and if they are allowed on, then they are allowed access and if not, the switch or some other mechanism on the network cuts them off.

                            1 Reply Last reply Reply Quote 0
                            • DustinB3403D
                              DustinB3403 @dave247
                              last edited by

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              If security was teh goal, NAC is what is needed.

                              There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                              But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                              Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                              And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                              There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

                              Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

                              Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

                              Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

                              You don't need to address ignorance. Simply explain that enabling MAC filtering or disabling DHCP handouts isn't going to protect your network any more than simply unplugging unused jacks.

                              At least with unused jacks being unplugged, someone would actively have to fumble around a computer or under/behind a desk or computer to unplug that system and plug in theirs.

                              Trust me, the point will be ignored when you explain it to the Auditors this way.

                              1 Reply Last reply Reply Quote 1
                              • scottalanmillerS
                                scottalanmiller @dave247
                                last edited by

                                @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                If security was teh goal, NAC is what is needed.

                                There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                                But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                                Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                                And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                                THat's a scam auditor. Who would care about something so silly?

                                You have three issues...

                                • Having a fake audit.
                                • Passing the audit.
                                • Security.

                                I get not handing out an IP to satisfy the checkbox on the fake audit. But I'd run up the flagpole the issue that your auditor doesn't even begin to know what he is doing. Why pay for an audit that doesn't look at security?

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @dave247
                                  last edited by

                                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  If security was teh goal, NAC is what is needed.

                                  There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

                                  But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

                                  Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

                                  And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

                                  There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

                                  Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

                                  Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

                                  Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

                                  So you have to ask yourself.... is security in any way an actual goal? Sounds like a solid "no". At some point you have to decide if you are trying to fix the network and provide security, or if you are trying to do what your boss wants and your "goal" is defined as "faking it for political reasons." At which point, I'd say that your "turning off unused ports" is the best way to go.

                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

                                    That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

                                    This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

                                    The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

                                    dave247D 1 Reply Last reply Reply Quote 0
                                    • dave247D
                                      dave247 @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

                                      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

                                      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

                                      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

                                      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

                                      scottalanmillerS 3 Replies Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @dave247
                                        last edited by

                                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

                                        That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

                                        This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

                                        The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

                                        I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                        I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

                                        The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

                                        dave247D DashrenderD 2 Replies Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @dave247
                                          last edited by

                                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                          "Was" makes sense, but sounds like someone decided that other things are more important. Things that appear to be directly covering up the change of priority. Which is why I wonder at what level that cover up happened. I've seen many an "IT Manager" do things like this to hide from the owners that they didn't know how to do what was needed, but did know how to make it appear reasonable that they were taking action of some sort.

                                          1 Reply Last reply Reply Quote 0
                                          • dave247D
                                            dave247 @scottalanmiller
                                            last edited by dave247

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

                                            That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

                                            This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

                                            The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

                                            I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

                                            I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

                                            The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

                                            My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

                                            DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 10
                                            • 11
                                            • 2 / 11
                                            • First post
                                              Last post