Guest
Archived from groups: comp.security.firewalls
I have client machines on a protected subnet behind a firewall, and a DHCP
server on a separate protected subnet. I need to relay the DHCP client
requests from one subnet to the other, and for security reasons I don't want
a DHCP relay application running on the firewall. What is the easiest way
to build a DHCP relay that would allow a configuration like:
client on subnet A <----> dhcp relay on subnet A <----> firewall <---->
dhcp relay on subnet B <----> dhcp server
What software supports that configuration?
In our application I need to use a Microsoft Active Directory domain
controller for the DHCP server because it is integrated to Microsoft DNS
and reverse lookups are automatically maintained. Unless there are
very strong reasons for it, a DHCP relay is preferred to a DHCP server.
Some additional features that would be really nice to have:
- Ability to scan for any DHCP request from an unrecognized MAC address,
which would then trigger alerts to either/both syslog and e-mail.
- Ability to scan all ARP requests on the network looking for unrecognized
MAC addresses, the presence of which would trigger alerts.
I want to make it very difficult for a rogue device to get installed on our
network without our having immediate visibility on the fact.
If anyone has other ideas on features we should be looking for in either a
DHCP relay or MAC address scanner, please feel free to add those.
If the above is available as a commercial device, I would appreciate
references to the vendor's product page as well.
--
Will
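The two mechanisms the post asks about, a relay hop that rewrites the BOOTP header the way an RFC 1542 relay agent does and a watcher that flags DHCP requests or ARP traffic from MAC addresses not in an inventory, can be shown together in one small script. This is an added example, not code from the original post or from any product; the allowlist `KNOWN_MACS`, the relay addresses `10.1.0.1` / `10.2.0.1`, the rogue MAC `de:ad:be:ef:00:01` and the sample packets are all constructed here, and a real deployment would feed `check_dhcp`/`check_arp` from a packet capture and hand the returned strings to `logging.handlers.SysLogHandler` or a mailer.

```python
"""Added example (not from the original post): minimal DHCP/ARP inspection plus an
RFC 1542-style relay rewrite. All MACs, addresses and packets below are constructed."""
import struct
import ipaddress
from typing import Optional

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header (236 bytes)
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie that precedes options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
MAX_HOPS = 16                               # RFC 1542 upper bound on the hops field
ETH_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"                  # ARP body for Ethernet/IPv4 (28 bytes)

# Constructed allowlist of inventoried client MACs (assumption: exported from an asset DB).
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw[:6])


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the BOOTP header and the DHCP message-type option (code 53)."""
    if len(pkt) < BOOTP_LEN + 4 or pkt[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    op, hlen, hops, xid, giaddr, chaddr = f[0], f[2], f[3], f[4], f[10], f[11]
    msg_type, opts, i = None, pkt[BOOTP_LEN + 4:], 0
    while i < len(opts) and opts[i] != 255:     # walk TLV options until END
        if opts[i] == 0:                        # PAD has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid,
            "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "chaddr": mac_str(chaddr[:hlen]),
            "msg_type": MSG_TYPES.get(msg_type, msg_type)}


def relay_toward_server(pkt: bytes, relay_ip: str) -> Optional[bytes]:
    """Rewrite a client->server packet like an RFC 1542 relay agent: bump hops,
    drop if the limit is exceeded, and fill giaddr with this relay's address on
    the client subnet only if it is still zero (a second relay leaves it alone,
    so the server's reply still goes back to the first relay)."""
    hdr = bytearray(pkt[:BOOTP_LEN])
    if hdr[3] + 1 > MAX_HOPS:
        return None
    hdr[3] += 1
    if hdr[24:28] == b"\0\0\0\0":               # giaddr lives at offset 24..27
        hdr[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(hdr) + pkt[BOOTP_LEN:]


def check_dhcp(pkt: bytes, known=KNOWN_MACS) -> Optional[str]:
    """Return an alert line for a BOOTREQUEST from a MAC not in the allowlist."""
    d = parse_dhcp(pkt)
    if d["op"] != 1 or d["chaddr"] in known:
        return None
    return (f"dhcpwatch: unknown MAC {d['chaddr']} sent DHCP {d['msg_type']} "
            f"xid=0x{d['xid']:08x} via giaddr={d['giaddr']}")


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet-encapsulated ARP packet; None if the frame is not ARP."""
    body_len = struct.calcsize(ARP_FMT)
    if len(frame) < 14 + body_len or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:14 + body_len])
    return {"op": "request" if oper == 1 else "reply",
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa))}


def check_arp(frame: bytes, known=KNOWN_MACS) -> Optional[str]:
    a = parse_arp(frame)
    if a is None or a["sender_mac"] in known:
        return None
    return f"arpwatch: unknown MAC {a['sender_mac']} sent ARP {a['op']} claiming {a['sender_ip']}"


# Builders for constructed sample traffic (assumptions, for offline demonstration).
def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1, 255])


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sender_mac,
                             ipaddress.IPv4Address(sender_ip).packed, b"\0" * 6,
                             ipaddress.IPv4Address(target_ip).packed)


if __name__ == "__main__":
    rogue = bytes.fromhex("deadbeef0001")
    relayed = relay_toward_server(build_discover(rogue), "10.1.0.1")   # relay on subnet A
    relayed = relay_toward_server(relayed, "10.2.0.1")                  # relay on subnet B
    print(parse_dhcp(relayed))
    print(check_dhcp(relayed))
    print(check_arp(build_arp_request(rogue, "10.1.0.99", "10.1.0.1")))
```

Running the block shows the second relay preserving the first relay's giaddr while incrementing hops, which matters for the two-relay chain in the post: the DHCP server unicasts its OFFER/ACK to giaddr, so the firewall rule set has to admit UDP/67 from the server to the subnet-A relay, not only client-to-server traffic. The watcher functions check only the sender side of ARP and only BOOTREQUEST messages, so server-originated OFFER/ACK packets (whose chaddr echoes the client) are not double-reported.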