Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Secure DHCP?

  • From: Eric Germann
  • Date: Sun Jul 25 07:43:41 1999

WINS and SMB file sharing are not broadcast based.  The name location
mechanism in Windows networking is broadcast based, if you don't use WINS.
WINS eliminates that need.

Eric


At 08:50 PM 7/24/99 -0700, Aaron Hopkins wrote:
>
>> After having experienced a rather malicious attack on our corporate
>> network by someone running a rogue DHCP server, I'm wondering if there's
>> any way to prevent this from happening again?
>
>Ask your ethernet switch/bridge or cablemodem vendor for a method of
>disabling non-ARP broadcasts from being received by client machines.  You
>can then trust your switches to direct such requests only to anything you
>let receive broadcasts, which should only be trusted servers.
>
>Cisco's IRB bridging has "subscriber-policy" which roughly approximates this
>that I use for our DSL customers.  I believe their higher-end switches can
>take layer-2 access-lists, which could be made to work similarly. 
>
>Any protocol that relies on trusting the first server to reply to a
>broadcast is similarly vulnerable.  I'm not sure there's a way to secure the
>protocol itself if the client has zero knowledge of the network it's on when
>it starts up, which is the point of DHCP.
>
>Note that disabling broadcasts may adversely affect some already-broken
>protocols, such as WINS or SMB.  This might only prevent shares off of
>"client" machines from showing up in others' Network Neighborhood, but I
>can't say that I've tested it.
>
>                   Aaron Hopkins
>                   aaron@cyberverse.com 
>                   Chief Technical Officer, Cyberverse Inc.
>
> 

==========================================================================
  Eric Germann                                        CCTec
  ekgermann@cctec.com                                 Van Wert, OH 45891
  http://www.cctec.com                                Ph:  419 968 2640
  ICQ:  41927048                                      Fax: 419 968 2641
         Network Design, Connectivity & System Integration Services 
                     A Microsoft Solution Provider
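
Added example, not part of the original messages: a monitoring-side check for the rogue DHCP server problem discussed in this thread. It parses a BOOTP/DHCP payload per RFC 2131 and flags server replies whose server identifier (option 54) is not on a trusted list. The trusted address 10.0.0.2, the function names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers
TRUSTED = {"10.0.0.2"}                           # assumption: the site's real DHCP server


def parse_options(payload):
    """Return {code: data} for the options of a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                          # truncated option
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def check_reply(payload, trusted=TRUSTED):
    """Return an alert string for a reply from an untrusted server, else None."""
    opts = parse_options(payload)
    if opts is None or payload[0] != 2:          # op 2 = BOOTREPLY
        return None
    mtype = opts.get(53, b"")
    if len(mtype) != 1 or mtype[0] not in SERVER_TYPES:
        return None
    sid = opts.get(54, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
    alert = f"untrusted DHCP {SERVER_TYPES[mtype[0]]} from server {server}"
    return None if server in trusted else alert


def build_reply(mtype, server_ip):
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton("10.0.0.50"), b"\0" * 4,
                        b"\0" * 4, b"\xaa" * 6, b"", b"")
    return (fixed + MAGIC + bytes([53, 1, mtype, 54, 4])
            + socket.inet_aton(server_ip) + b"\xff")
```

A check like this only reports rogue replies after they are on the wire; the switch-level filtering described in the quoted message is what keeps them from reaching clients.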




