stoneyp

[StoneyP]

Has anyone come across a solution that can secure DHCP allocated IP addresses to company allocated pc's and laptops only

 

[SteveTheGeek]

How many DHCP hosts are you talking about? If it's a M$ network, you could tie the reservations to individual machines, and trim your IP range to fit. Lot of work, though, and probably not adequate to your task.
-Steve

 

[marsd]

Sure, hardcode the ether addresses for the individual
machines: still could be spoofed though.

 

[PointyHead]

We are addressing this problem right now. We have a mandate to go to a W2K network soon. We are using Static IP's. To go to Active directory, mandatory in W2K, we MUST be using DHCP. Our security office demands that we have a way to match IP's to machines, and secure the network so that no one other than company machines get IP's.

To do this, we are using a product from Lucent called QIP. It gives us the ability to use a MAC pool to identify each client machine. We then use a reservation for each machine. This, in effect, makes us have a static DHCP system. (I refer to this as making the exception the rule!) Of course there are other factors involved to complicate the process, like VPN's and subnets, but I think this sums it up.

 

[Zelandakh]

QIP is one way to do it, but doing it manually as outlined above is basically what QIP does:

Make a note of the MAC address of the machine. Pick an IP address for it. Add the address to the DHCP server and create a reservation for it. This is NOT manually setting the IP address per se, but reserving a single IP address at the server level.

This is very common practice in fact.