ScreenOS Firewalls (NOT SRX)

DHCP server security on SSG

10-11-2010 01:47 AM

Hi all,

I have configured a DHCP server on my SSG-5 (6.3.0r4.0).
All my PCs have reserved IP addresses by MAC address.

Is it possible to allow connections via the SSG only if a PC gets its IP from my DHCP server, so that if someone sets an IP manually (unknown MAC), the SSG does not allow connections?

 

7 REPLIES

Re: DHCP server security on SSG

10-11-2010 05:25 AM

As far as I know it's not possible.

 

You can do some authentication like 802.1X to prevent unknown devices from connecting to the LAN.


Re: DHCP server security on SSG

10-11-2010 10:57 PM

Ok,

 

Thanks, I will think about it.

 

Zigmunds


Re: DHCP server security on SSG

10-20-2010 01:53 PM

You need DHCP snooping / DAI.

Buy an EX switch :-)

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: DHCP server security on SSG

11-19-2010 02:34 PM

Hi

 

With 802.1X, client software needs to be running on the DHCP client, and you'll need an additional IC UAC appliance.

It may be easier to do DHCP reservations and limit the DHCP pool to only the number of hosts on your LAN.

 

Jude


Re: DHCP server security on SSG

11-22-2010 01:16 AM

Port-based access control, 802.1X, can be done on many switches; it does require a RADIUS server to validate the users/machines.

DHCP snooping is also widely available and can be configured to prevent DHCP servers anywhere other than where they are supposed to be. You use it to avoid rogue DHCP servers making a mess on your network.

 

Good luck

 

 


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: DHCP server security on SSG

11-22-2010 02:51 PM

 


zvitins wrote:

Hi all,

I have configured a DHCP server on my SSG-5 (6.3.0r4.0).
All my PCs have reserved IP addresses by MAC address.

Is it possible to allow connections via the SSG only if a PC gets its IP from my DHCP server, so that if someone sets an IP manually (unknown MAC), the SSG does not allow connections?

 


 

Why don't you just remove the dynamic pool then?

 

Then the only way to get an address is to be one of the reserved static pool addresses.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: DHCP server security on SSG

11-23-2010 02:48 AM

Just Wireshark and you will know in which scope to set a static IP.

Of course you can deny connections outside the reserved scope.

But there is still a possibility to set an IP and cause an IP conflict.


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
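
Added example (not part of the original thread and not Juniper code): the check that a DHCP snooping / DAI binding table performs, run offline over observed IP/MAC pairs to audit them against the DHCP reservations. The function names, addresses and sample ARP entries are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: reservations as configured on the DHCP server,
# and (ip, mac) pairs as they might be read from an exported ARP table.
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
}
OBSERVED = [
    ("192.168.1.10", "00-11-22-33-44-01"),  # matches its reservation
    ("192.168.1.11", "0011.2233.4402"),     # matches, different notation
    ("192.168.1.50", "de:ad:be:ef:00:01"),  # unknown MAC, manually set IP
    ("192.168.1.10", "DE:AD:BE:EF:00:02"),  # unknown MAC on a reserved IP
]

def normalize_mac(mac):
    """Canonicalise any common MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_bindings(reservations, observed):
    """Return sorted (ip, mac, reason) for pairs a binding table would reject."""
    reserved = {normalize_mac(m): ip for m, ip in reservations.items()}
    owner = {ip: mac for mac, ip in reserved.items()}
    findings, macs_per_ip = set(), defaultdict(set)
    for ip, mac in observed:
        mac = normalize_mac(mac)
        macs_per_ip[ip].add(mac)
        if mac not in reserved:
            findings.add((ip, mac, "unknown-mac"))
        elif reserved[mac] != ip:
            findings.add((ip, mac, "ip-not-leased-to-mac"))
    for ip, macs in macs_per_ip.items():
        for mac in macs:
            # Two MACs answering for one IP: flag every non-owner.
            if len(macs) > 1 and owner.get(ip) != mac:
                findings.add((ip, mac, "ip-conflict"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_bindings(RESERVATIONS, OBSERVED):
        print(finding)
```

This only reports violations after the fact; blocking them in the data path is what DHCP snooping / DAI on the switch does, as the replies above point out.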