Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
Purpose of DHCP: To allow unknown devices to connect to the network and get network data.
Question: How to make DHCP do the opposite of its purpose.
That's why this won't work well. It's trying to make DHCP do exactly the opposite of its intended purpose.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.
When I came into my job as IT admin, all our servers and workstations and thin clients were statically mapped, like manually, the hard way (no DHCP reservation). It's taken me a while but I rolled out DHCP for all our thin clients and desktops and everything is a lot easier to manage.
One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.
BEFORE YOU SAY IT: Yes, I know that either way is not actually secure and I've tried explaining that someone with Wireshark could still sniff our traffic or use other tools to get onto our network, etc.
I have mentioned that I specifically don't patch in network jacks unless they are needed by someone and that there are no open jacks just hanging out on random walls where customers have easy access.
So now, I am trying to find out the best way to set up DHCP and have it so that only the people I want on our network can get on.
First and foremost, we run a 2008 R2 domain controller and that is also our DHCP server. I noticed in the DHCP settings that there is a "Network Access Protection" tab, which would work with Network Policy Server. I would assume this is the go-to method for this in a Windows domain, but I have never heard about it until now.
Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.
Sounds like you just need to pay for an hour of @scottalanmiller's time to explain how computer networks work in small words to your company management.
-
If security was the goal, NAC is what is needed.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
MAC address filtering would be one way, albeit I think it would be a lot of work to setup.
https://technet.microsoft.com/en-us/library/dd759190(v=ws.11).aspx
But what about Network Access Protection policies for DHCP?
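An added example, not from any poster in this thread: a check over the Windows DHCP server audit log that reports leases handed to MAC addresses missing from an asset inventory, which is the event the auditor's plug-in test produces. The column layout and event IDs 10 and 11 are assumed from the standard audit-log format; the log lines, host names and inventory below are constructed.

```python
import csv
import re

# Audit-log event IDs that mean a client was given or kept an address (assumed).
LEASE_EVENTS = {"10": "new lease", "11": "renewal"}

# Constructed sample in the shape of a DhcpSrvLog-*.log file.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log
Event ID  Meaning
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/14/17,00:00:05,Started,,,,
10,03/14/17,08:12:44,Assign,10.0.20.31,TC-LOBBY-01,000C29A1B2C3,
11,03/14/17,08:30:02,Renew,10.0.20.45,WS-ACCT-07,0050569F0011,
10,03/14/17,10:41:19,Assign,10.0.20.77,UNKNOWN-LAPTOP,F0DEF1AABBCC,
"""

# Constructed asset inventory; notation varies on purpose.
INVENTORY = ["00-0C-29-A1-B2-C3", "00:50:56:9f:00:11"]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 uppercase hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def unknown_leases(log_text, inventory):
    """Return lease events whose MAC address is not in the inventory.

    A MAC is whatever the client claims, so this is an inventory check
    that gives visibility; it does not authenticate the device.
    """
    known = {normalize_mac(m) for m in inventory}
    lines = log_text.splitlines()
    # Data rows follow the column header; everything before it is legend text.
    start = next((i for i, line in enumerate(lines)
                  if line.startswith("ID,Date,Time")), None)
    if start is None:
        raise ValueError("no audit-log header row found")
    header = [h.strip() for h in lines[start].split(",")]
    findings = []
    for row in csv.reader(lines[start + 1:]):
        rec = dict(zip(header, (field.strip() for field in row)))
        if rec.get("ID") not in LEASE_EVENTS:
            continue
        mac = normalize_mac(rec.get("MAC Address", ""))
        if mac and mac not in known:
            findings.append({"event": LEASE_EVENTS[rec["ID"]], "mac": mac,
                             "ip": rec["IP Address"], "host": rec["Host Name"],
                             "when": rec["Date"] + " " + rec["Time"]})
    return findings


if __name__ == "__main__":
    for finding in unknown_leases(SAMPLE_LOG, INVENTORY):
        print(finding)
```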
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
As in, on the switches or what? Sorry, please elaborate.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
As in, on the switches or what? Sorry, please elaborate.
NAC: Network Access Control.
-
Disabling wall jacks is helpful. But what do you do when someone plugs into a live one? Or unplugs a live one to plug in their device?
When you start down this route, these are the issues you will encounter.
NAC sounds like what you actually want.
Disable DHCP totally get a NAC solution.
-
I'm surprised that @scottalanmiller hasn't posted his LAN-Less video yet.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
-
@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Disabling wall jacks is helpful. But what do you do when someone plugs into a live one? Or unplugs a live one to plug in their device?
When you start down this route, these are the issues you will encounter.
NAC sounds like what you actually want.
Disable DHCP totally get a NAC solution.
A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
Wow... I know financial audits are crazy but that's the first time I've heard of that.
Look into a NAC solution. I've heard good things about PacketFence but Microsoft also has one. You'll need to ensure your switches support 802.1x for most of these solutions.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and still figure out what the IP scheme is on your network. This is trivial stuff.
Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
Disabling wall jacks is helpful. But what do you do when someone plugs into a live one? Or unplugs a live one to plug in their device?
When you start down this route, these are the issues you will encounter.
NAC sounds like what you actually want.
Disable DHCP totally get a NAC solution.
A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?
It does yes. It's not bad and will, probably, do what you want. But it leaves a lot to be desired with reporting and actual usage can be a pain in the ass.
-
BMW also had this kind of audit requirement and we simply took the point, and when it came to discussing it we said the very same thing as @JaredBusch said.
And the point was removed because the "Audit" fails the "Logic Test".
-
@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and still figure out what the IP scheme is on your network. This is trivial stuff.
Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.
Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.
Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
As in, on the switches or what? Sorry, please elaborate.
Yes, on the network itself so that the end points may or may not get an IP address, but are then tested to see if they are allowed on the network (using one of several NAC protocols) and if they are allowed on, then they are allowed access and if not, the switch or some other mechanism on the network cuts them off.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and still figure out what the IP scheme is on your network. This is trivial stuff.
Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.
Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.
Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.
You don't need to address ignorance. Simply explain that enabling MAC filtering or disabling DHCP handouts isn't going to protect your network any more than simply unplugging unused jacks.
At least with unused jacks being unplugged, someone would actively have to fumble around a computer or under/behind a desk or computer to unplug that system and plug in theirs.
Trust me, the point will be ignored when you explain it to the Auditors this way.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
That's a scam auditor. Who would care about something so silly?
You have three issues...
- Having a fake audit.
- Passing the audit.
- Security.
I get not handing out an IP to satisfy the checkbox on the fake audit. But I'd run up the flagpole the issue that your auditor doesn't even begin to know what he is doing. Why pay for an audit that doesn't look at security?
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
If security was the goal, NAC is what is needed.
There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/
But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?
Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.
And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.
There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and still figure out what the IP scheme is on your network. This is trivial stuff.
Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.
Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.
Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.
So you have to ask yourself.... is security in any way an actual goal? Sounds like a solid "no". At some point you have to decide if you are trying to fix the network and provide security, or if you are trying to do what your boss wants and your "goal" is defined as "faking it for political reasons." At which point, I'd say that your "turning off unused ports" is the best way to go.