System administration
nibbl, 2015-11-03 10:06:03

How to properly protect computers from IP address conflicts?

Good afternoon.
Here is the question. I have a small pool of IP addresses on the network that are issued automatically, but I decided to shut this down because people in the office began to abuse it by bringing in their own laptops and connecting them to the corporate network.
If I now remove this pool and some smart guy enters an IP address by hand that matches a computer already running on the network, there will be an IP address conflict.
So two questions arose:
1) How do I protect myself from these smart people on the network who can play dirty tricks by configuring things by hand?
2) How do I do it at the software level (Windows 2008 Server) so that if someone unknown connects to the network and enters a valid IP address in the network settings, there is no access to the network, i.e. full deny!

6 answer(s)

TyzhSysAdmin, 2015-11-03
@POS_troi

This is solved in hardware, not software.
Put in a "smart switch" and set up a MAC filter on the ports.
With Wi-Fi it's exactly the same story: a whitelist of MACs.

Max, 2015-11-03
@MaxDukov

This is solved either in hardware (such as binding a MAC to a switch port, or even through 802.1X), or administratively: issue a document prohibiting the connection of unauthorized devices to the network with a description of the sanctions, set up DHCP / ARP monitoring, make an example a couple of times of those who do not understand, and that's it.
The most reliable is 802.1X. But you need smart switches + RADIUS. By the way, you will also get an additional benefit from this solution in the form of the ability to divide computers into VLANs, allocate all sorts of quarantine subnets, etc. But it's not easy.
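
The DHCP / ARP monitoring mentioned in this answer, sketched as an added example that is not part of the original answer: it compares observed ARP sender pairs against an address inventory and reports unknown devices and IP conflicts. The inventory, the sample observations and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: IP -> MAC the admin assigned it to (hypothetical values).
INVENTORY = {
    "192.168.10.11": "00:11:22:33:44:01",
    "192.168.10.12": "00:11:22:33:44:02",
    "192.168.10.13": "00:11:22:33:44:03",
}

# Constructed ARP observations (timestamp, sender IP, sender MAC), e.g. as
# parsed from a capture on a mirror port; not real traffic.
OBSERVATIONS = [
    ("10:00:01", "192.168.10.11", "00:11:22:33:44:01"),
    ("10:00:02", "192.168.10.12", "00:11:22:33:44:02"),
    ("10:00:07", "192.168.10.12", "00:AA:BB:CC:DD:EE"),  # unknown laptop, taken IP
    ("10:00:09", "192.168.10.50", "00:AA:BB:CC:DD:EE"),  # same laptop, free IP
    ("10:00:12", "192.168.10.13", "00-11-22-33-44-03"),  # same host, other notation
]

def norm(mac):
    """Normalise MAC notation so 00-11-.. and 00:11:.. compare equal."""
    return mac.replace("-", ":").lower()

def audit(observations, inventory):
    """Return a sorted list of (kind, ip, mac) findings."""
    known = {ip: norm(mac) for ip, mac in inventory.items()}
    known_macs = set(known.values())
    seen = defaultdict(set)  # ip -> MACs that claimed it
    findings = set()
    for _ts, ip, mac in observations:
        mac = norm(mac)
        seen[ip].add(mac)
        if mac not in known_macs:
            findings.add(("unknown-device", ip, mac))
        elif known.get(ip) != mac:
            findings.add(("wrong-ip-for-device", ip, mac))
    for ip, macs in seen.items():
        if len(macs) > 1:  # two different MACs claim one address
            findings.add(("ip-conflict", ip, ",".join(sorted(macs))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, INVENTORY):
        print(*finding)
```

A device that clones a registered MAC passes the unknown-device check, so this only detects; enforcement still needs the port binding or 802.1X described in the answers.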

Ruslan Fedoseev, 2015-11-03
@martin74ua

There is also 802.1X technology. Port security. You plug a computer into the port, and it asks for a login and password. If they are correct, the link comes up and the address is given out...
But for this, you need the appropriate equipment...
For now, if I were you, I would set aside a certain range in DHCP that is issued to unknown equipment. And for all known equipment, I would pin the MACs and give out addresses outside that range.
Well, by putting the unknown devices into a separate block of addresses, you can already do something... Not open access to the Internet for them, or something else...

Vlad Zhivotnev, 2015-11-03
@inkvizitor68sl

If everything is really bad and there is no money for hardware (managed switches are the correct answer), then you can throw the "wrong" hosts off the network with ARP spoofing.

Victor Ganeles, 2015-11-12
@Ghool

Just keep in mind that "coolhackers" can also change their MACs.

zRabbit, 2015-11-24
@zRabbit

If you have Cisco equipment, you can use port security so that the port is disabled when an unknown device is connected. Because it is impossible to revoke an IP address that was issued or statically configured from the equipment, you will have to run around the floors and look for whoever connected the computer. There is also NAP from Microsoft.
