Network Access Control

  • 1.  DHCP enforcer placement in the network? Confused...

    Posted Jan 15, 2009 08:33 AM

    Hi all,

     

    I am going to implement a DHCP enforcer appliance in my company and I am not sure where to place the DHCP enforcer.

     

    I have a Win2K3 box with AD and DHCP components installed. The AD/DHCP server sits together with the other client PCs on the same switch. Since I am going to put in a DHCP enforcer appliance, should it be placed on the same switch as the rest of the PCs and the AD/DHCP server? Or should the DHCP enforcer and the AD be put on separate switches? Or should I put the AD on one switch, the rest of the PCs on another switch, and put the DHCP enforcer in between the two switches?

     

    Sidenote: is it recommended to set up a dedicated DHCP server instead of setting it up on the AD server? Any advantages?



  • 2.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 16, 2009 02:30 PM
    When you are referring to the same switch, do you mean the client PCs and the servers are on the same VLAN or subnet?


  • 3.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 17, 2009 08:25 AM

    Hi Mandy,

     

    I am using an unmanaged switch, so yes, all the PCs and servers are on the same VLAN and segment.



  • 4.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 20, 2009 01:21 PM

    Hi Jeffrey,

     

    The best way is to have 2 VLANs: one for internal, and one for your clients. When the client passes HI, it will get a default gateway, which will provide the routing to the internal network. When the client fails HI, it will not get a gateway, and it will not be able to get into the internal network.

     

    Regards,

    Mandy



  • 5.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 20, 2009 08:04 PM

    Mandy,

     

    Thanks for the reply, but is it possible to use the existing network setup? From my side, the management doesn't want to change its switches, meaning we are not able to set up different VLANs, and would like all the servers to be in the same segment. This is how I am proposing it to the management (using the existing infrastructure):

     

    A dedicated DHCP server sitting behind the Enforcer, connected via a crossover cable. The enforcer will then have a connection to the external network through the existing switch where all the servers, client PCs and AD will reside.

     

    Will this work? BTW, does the dedicated DHCP server need to use an IP from a different segment? I am not sure if it's a good idea to set up 2 IP addresses from the same segment on the Enforcer (1 for the internal network and 1 for the external network).



  • 6.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 20, 2009 08:37 PM

    Hi Jeffrey,

     

    What kind of DHCP server do you have? If you are using MS DHCP or Lucent QIP, you can use our plugin software, which installs on the DHCP server, and you don't need to change your infrastructure.

     

    For the DHCP appliance, the internal and external interfaces should be in the same subnet. If the client and the internal network are in the same segment, then the client will be able to get into the internal network even without a gateway. What you really want is to isolate the client so that it cannot get into the network. Another way I can think of is that you can have 2 DHCP servers, 1 serving quarantine IP addresses and the other serving normal IP addresses. Then you can put the quarantine IPs into a different subnet; you still need to add some routing to your switch if you want a quarantined client to be able to access a remediation server in the internal network, and add a static route to the client.

     

    Regards,

    Mandy 
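The routing point made in the reply above (withholding the default gateway isolates a client only when the client and the servers sit in different subnets) can be worked through with a small model of a host's route lookup. This is an added example, not code from the thread or from the appliance vendor; every address, the server and remediation host names, and the `route_for` / `scenarios` functions are constructed for illustration.

```python
import ipaddress

# Added example, not from the thread. A minimal model of a client's routing
# decision, used to show why "no default gateway" only isolates a client that
# is on a different subnet from the servers it must not reach.

SERVER = "192.168.1.10"        # constructed: an internal server address
REMEDIATION = "192.168.1.20"   # constructed: the remediation (SEP) server


def route_for(client_ip, prefix_len, dst_ip, gateway=None, static_routes=()):
    """Return how a host at client_ip/prefix_len would reach dst_ip, or None.

    Lookup order, most specific prefix wins, as a real host would do:
      1. static routes handed to the client as (network, next_hop) pairs,
      2. the connected (on-link) route for the client's own subnet,
      3. the default route via `gateway` (DHCP option 003 Router);
         gateway=None models a scope that hands out no router at all.
    A next hop is only usable if it is itself on-link.
    """
    iface = ipaddress.ip_interface(f"{client_ip}/{prefix_len}")
    local_net = iface.network
    dst = ipaddress.ip_address(dst_ip)

    candidates = []  # (prefix length, description)
    for net, next_hop in static_routes:
        net = ipaddress.ip_network(net)
        if dst in net and ipaddress.ip_address(next_hop) in local_net:
            candidates.append((net.prefixlen, f"static via {next_hop}"))
    if dst in local_net:
        candidates.append((local_net.prefixlen, "on-link"))
    if gateway is not None and ipaddress.ip_address(gateway) in local_net:
        candidates.append((0, f"default via {gateway}"))
    if not candidates:
        return None
    return max(candidates)[1]


def scenarios():
    """Constructed topologies matching the designs discussed in the thread."""
    quarantine_routes = [("192.168.1.20/32", "10.99.0.1")]  # host route only
    return {
        # Flat unmanaged switch, everyone in 192.168.1.0/24: withholding the
        # gateway changes nothing, the server is on-link.
        "flat, failed HI": route_for("192.168.1.50", 24, SERVER, gateway=None),
        # Two subnets (the 2-VLAN design): a client that passed HI gets a gateway.
        "two subnets, passed HI": route_for("10.10.0.50", 24, SERVER,
                                            gateway="10.10.0.1"),
        # Failed client parked in a quarantine subnet with no gateway: isolated.
        "quarantine, no route": route_for("10.99.0.50", 24, SERVER, gateway=None),
        # Same client with a static host route to the remediation server only
        # (pushed to the client, with matching routing added on the switch).
        "quarantine, remediation": route_for("10.99.0.50", 24, REMEDIATION,
                                             gateway=None,
                                             static_routes=quarantine_routes),
        # The host route must not open up the rest of the internal subnet.
        "quarantine, other server": route_for("10.99.0.50", 24, SERVER,
                                              gateway=None,
                                              static_routes=quarantine_routes),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} -> {result or 'unreachable'}")
```

The first scenario is the situation described in this thread: on a single unmanaged switch the "failed HI" client still reaches every server on-link, so the gateway trick gives no isolation at all. The quarantine scenarios show why a /32 host route to the remediation server is preferable to a route for the whole internal subnet.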



  • 7.  RE: DHCP enforcer placement in the network? Confused...

    Posted Jan 20, 2009 09:56 PM

    Hi Mandy,

     

    Thanks again for the reply. I am currently using MS DHCP server. I would still like to implement a DHCP enforcer appliance as the purchase order has already been raised for the appliance. Thank you for clarifying the appliance subnet.

     

    You said that if the clients and the internal network are in the same subnet, the clients will be able to access the internal network without the gateway, right? Is the gateway we are discussing the DHCP appliance? I forgot to add, there is an MS ISA server serving as the client PCs' gateway to the internet. Will this pose any problems?

     

    I got to know that if a client PC manually sets its IP, it can bypass the HI check from the appliance. Is it possible to prevent client PCs from manually assigning their IP by setting policies via the SEPM?

     

    I have limited hardware resources, thus 1 DHCP server is all I have, and I will need to set up the SYGATE_ENF user class. BTW, my existing SEP server will be my remediation server as well.

     

    Thanks in advance.



  • 8.  RE: DHCP enforcer placement in the network? Confused...
    Best Answer

    Posted Jan 22, 2009 12:48 PM

    Hi Jeffrey,

     

    The gateway I am referring to is not the DHCP appliance. It's the default gateway for the IP address, or option "003 Router" in your DHCP scope options.

     

    If your user sets a static IP on the endpoint, there are no policies on SEPM that can prevent that. However, you may be able to write a custom HI policy to check if the network adapter is DHCP enabled. If it's not, you can fail HI and use self enforcement to restrict access to the network. I have never done that, and I'm not sure if you can find out the adapter status with a scripting language.

     

    I hope this helps.

    Regards,

    Mandy 
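The adapter status the reply above is unsure about can be read from the output of `ipconfig /all`, which is present on every Windows version in this thread. The script below is an added example, not code from the thread, from Symantec or from the SEPM product: it parses constructed `ipconfig /all` output (XP/2003-style labels) and reports any adapter that holds an address but is not DHCP-enabled. How a custom HI requirement launches a script and interprets its exit code is an assumption here and should be checked against the SEPM documentation; the file name `hi_dhcp_check.py` and the `--live` flag are hypothetical.

```python
import subprocess
import sys

# Added example, not from the thread. Fails (exit 1) when any adapter that
# holds an IP address is not DHCP-enabled, i.e. someone set a static address
# to sidestep the DHCP enforcer. SAMPLE_IPCONFIG is constructed test input.

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENT01
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Generic 802.11 Adapter
   Physical Address. . . . . . . . . : 00-0C-29-DD-EE-FF
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output.

    Field labels lose their dot leaders ("Dhcp Enabled. . . :" -> "dhcp enabled")
    and are lower-cased so XP's "Dhcp Enabled" and Vista+ "DHCP Enabled" match.
    Lines before the first adapter header (the global block) are ignored.
    """
    adapters, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Section header such as "Ethernet adapter Local Area Connection:"
            current = line.rstrip(":") if line.endswith(":") else None
            if current is not None:
                adapters[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' ends the label
        key = key.strip().rstrip(" .").lower()
        adapters[current][key] = value.strip()
    return adapters


def adapter_ip(fields):
    """Address of an adapter, or None if it has none (e.g. media disconnected)."""
    for key in ("ip address", "ipv4 address"):
        if key in fields:
            return fields[key].split("(")[0].strip()  # drop "(Preferred)"
    return None


def non_dhcp_adapters(text):
    """Names of adapters that hold an address but did not get it from DHCP."""
    offenders = []
    for name, fields in parse_ipconfig(text).items():
        ip = adapter_ip(fields)
        if ip is None or ip.startswith("127."):
            continue  # unconfigured or loopback: nothing to enforce
        if fields.get("dhcp enabled", "").lower() != "yes":
            offenders.append(name)
    return offenders


def hi_check(text):
    """True when every addressed adapter is DHCP-enabled (the HI requirement)."""
    return not non_dhcp_adapters(text)


if __name__ == "__main__":
    if "--live" in sys.argv:  # hypothetical flag: inspect the real machine
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    bad = non_dhcp_adapters(text)
    print("HI DHCP check:", "PASS" if not bad else "FAIL: " + ", ".join(bad))
    sys.exit(0 if not bad else 1)
```

The same fact is exposed through WMI as the `DHCPEnabled` property of `Win32_NetworkAdapterConfiguration`, which a VBScript or PowerShell requirement could query instead of parsing text. Either way the check runs on the endpoint under the user's control: a local administrator can change the adapter back or tamper with the script, so it narrows the static-IP bypass rather than closing it.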



  • 9.  RE: DHCP enforcer placement in the network? Confused...

    Posted Mar 05, 2009 04:22 AM

    Thanks Mandy, appreciate the help rendered :)