Contributor
zvitins
Posts: 132
Registered: ‎12-04-2009

DHCP server security on SSG

Hi all,

I have configured a DHCP server on my SSG-5 (6.3.0r4.0).
All my PCs have reserved IP addresses by MAC address.

Is it possible to allow connections via the SSG only if a PC gets its IP from my DHCP server, so that if someone sets an IP manually (unknown MAC), the SSG does not allow connections?

 

Contributor
supsec
Posts: 45
Registered: ‎10-06-2008

Re: DHCP server security on SSG

As far as I know it's not possible.

 

You can do some authentication like 802.1X to prevent unknown devices from connecting to the LAN.

Contributor
zvitins
Posts: 132
Registered: ‎12-04-2009

Re: DHCP server security on SSG

Ok,

 

Thanks, I will think about it.

 

Zigmunds

Contributor
TRK-NKA
Posts: 189
Registered: ‎06-17-2008

Re: DHCP server security on SSG

You need DHCP snooping / DAI.

Buy an EX Switch :-)

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Contributor
SaffaJay
Posts: 31
Registered: ‎11-18-2010

Re: DHCP server security on SSG

Hi

 

With 802.1X, client software needs to be running on the DHCP client, and you'll need an additional IC UAC Appliance.

It may be easier to do DHCP reservations and limit the DHCP pool to only the number of hosts on your LAN.

 

Jude

Contributor
TRK-NKA
Posts: 189
Registered: ‎06-17-2008

Re: DHCP server security on SSG

Port-based access control, 802.1X, can be done in many switches; it does require a RADIUS server to validate the users/machines.

DHCP snooping is also widely available and can be configured to avoid DHCP servers anywhere else than where they are supposed to be. You use it to avoid rogue DHCP servers making a mess on your network.

 

Good luck

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
Distinguished Expert
spuluka
Posts: 2,232
Registered: ‎03-30-2009

Re: DHCP server security on SSG

 


zvitins wrote:

Hi all,

I have configured a DHCP server on my SSG-5 (6.3.0r4.0).
All my PCs have reserved IP addresses by MAC address.

Is it possible to allow connections via the SSG only if a PC gets its IP from my DHCP server, so that if someone sets an IP manually (unknown MAC), the SSG does not allow connections?

 


 

Why don't you just remove the dynamic pool then?

 

Then the only way to get an address is to be one of the reserved static pool addresses.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
TRK-NKA
Posts: 189
Registered: ‎06-17-2008

Re: DHCP server security on SSG

Just use Wireshark and you will know in which scope to set a static IP.

Of course you can deny connections outside of the reserved scope.

But there is still the possibility of setting an IP and causing an IP conflict.


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
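
An added example, not part of any post in this thread: a small audit that compares ARP observations from the LAN against the DHCP reservation list and flags hosts with manually set addresses, unknown MACs sitting on reserved addresses (the conflict case raised in the last reply), and unknown hosts. The reservation list, the "IP MAC" input format and all addresses are constructed for illustration; this is not ScreenOS output or configuration.

```python
import re

# Constructed sample data (not from the thread): DHCP reservations as
# MAC -> reserved IP, and ARP observations "IP MAC" collected on the LAN.
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.1.12",
}
ARP_SAMPLE = """\
192.168.1.10 0011.2233.4401
192.168.1.11 00-11-22-33-44-02
192.168.1.50 00:11:22:33:44:03
192.168.1.12 de:ad:be:ef:00:01
192.168.1.60 de:ad:be:ef:00:02
"""

def norm_mac(mac):
    """Normalise dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(arp_text, reservations):
    """Return (ip, mac, finding) for every ARP entry that is not an exact
    match for a reservation."""
    by_mac = {norm_mac(m): ip for m, ip in reservations.items()}
    reserved_ips = set(by_mac.values())
    findings = []
    for line in arp_text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        mac = norm_mac(mac)
        if by_mac.get(mac) == ip:
            continue                       # address matches its reservation
        if mac in by_mac:
            finding = "static-ip"          # known host, manually set address
        elif ip in reserved_ips:
            finding = "reserved-ip-taken"  # unknown MAC on a reserved address
        else:
            finding = "unknown-host"       # unknown MAC, unreserved address
        findings.append((ip, mac, finding))
    return findings

if __name__ == "__main__":
    for ip, mac, finding in audit(ARP_SAMPLE, RESERVATIONS):
        print(f"{finding:18} {ip:15} {mac}")
```

This only detects mismatches after the fact; a host that presents a reserved MAC together with its reserved IP passes the check, which is why the replies above point to enforcement at the switch port (802.1X, DHCP snooping, DAI).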