On Feb 2, 20:50, Dave McGuire wrote:
> On February 2, Doc Shipley wrote:
> > This is sort of a sanity check. I'm putting the question here
because
> > of the cumulative years of professional experience here, as well as an
> > "international" perspective.
> >
> > How would you react to a guest in your (not normally open to the
> > public) building plugging a computer into a random ethernet port and
> > asking for a DHCP lease? Is there any non-emergency consideration that
> > would make that appropriate?
No, not on my network. At least, not unless they ask first. I've had to
deal with this a few times, sometimes from students, once or twice from
staff, and a few times from visitors. They wouldn't get a DHCP lease, but
they might try to "borrow" an address. They're usually very surprised when
someone turns up within a few minutes and asks what they're doing.
> In a well-designed network, I wouldn't worry too much about it. On
> an unswitched network with unencrypted root passwords floating around,
> though, I'd have...erm, "issues" with it.
Even on a switched network. Case in point: a couple of weeks ago, someone
plugged an unauthorised laptop (we assume) into our student network. We
surmise that it was misconfigured, it acted as a DHCP server, and gave out
a lot of spurious DHCP responses. Not pretty.
We've noticed a lot of problems with misconfigured Windows 2000 machines in
particular, and do not permit unauthorised machines on our net for that
reason, amongst others. And we can enforce it -- technically, it's theft.
Also consider what could happen if someone plugged in a machine and
masqueraded as a trusted host.
We have facilites to provide addresses to genuine visitors and to protect
them from our users and v.v. We don't allow people to plug random things
into random ports. We don't allow students to plug in laptops; there's
normally no need as we provide a large number of PCs on 24-hour 364-day
access.
> You bring up an interesting point, however. A good (if somewhat
> simplistic) goal for the security of a network might be to say if
> you'd be nervous about someone doing this, then you still have things
> left to fix. :)
Agreed. But there's always something left to fix :-(
--
Pete Peter Turnbull
Network Manager
University of York
Received on Sat Feb 02 2002 - 21:32:58 GMT