
Thread: Block machines without FQDN?

  1. #1
    <<== UT3 Player spoon_'s Avatar

    Block machines without FQDN?

    Can anyone think of a way of preventing machines without FQDN from getting on the network/obtaining IP address?

    This would mean Workgroup or where FQDN doesn't match predefined phrase.


    Any ideas?

  2. #2
    Moby-Dick

    Re: Block machines without FQDN?

    Enable certificate-based authentication on your switches with a domain-based cert?
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Apex

    Re: Block machines without FQDN?

    Does your DHCP server not have the option to block devices if the MAC is not in the allow list?

  4. #4
    wasabi

    Re: Block machines without FQDN?

    What OS is the DHCP server? You could use DHCP reservations (i.e. only those on MAC address list get a 'good' config) but it is a load of admin overhead and not specifically what you're asking for.

    Your best bet is to block it at the gateway / firewall. Various routers allow ACLs or similar which resolve client name, i.e. permit outbound from *.allowedout.com. Could be pricey if you go for Cisco, ISA etc., but Linux firewalls might resolve client names too.
    Last edited by wasabi; 03-08-2012 at 06:43 PM.

  5. #5
    blueball

    Re: Block machines without FQDN?

    802.1x would be my recommendation but it depends on your client/server architecture

    http://en.wikipedia.org/wiki/IEEE_802.1X
    Rgds,

    BB

  6. #6
    Senior Member

    Re: Block machines without FQDN?

    We were looking at this at work (we are still on 2003 AD). If your DHCP server is 2003, you can download a DLL and block by MAC - Link.

    If your DHCP server is 2008 then this feature is native.

    The only problem is that we wanted to block certain company standalone machines from connecting to the LAN. I believe in your case you are thinking about preventing "visitors". I can double-check with the networking guy in the office as I believe he was doing something in the switches (Cisco) to block machines.

  7. #7
    matts-uk

    Re: Block machines without FQDN?

    Originally posted by spoon_:
        Can anyone think of a way of preventing machines without FQDN from getting on the network/obtaining IP address?

    FQDNs reside (conceptually) above layers 2 (MAC) and 3 (IP). Name mappings are provided by the network, so a host has to be on the network to have an FQDN which is meaningful on that network.

    If you can't identify hosts by segment or VLAN, you are pretty much left with having to negate the problem, by only allowing systems you can identify (user authentication and/or MAC filtering).
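
Added example, not part of any post in this thread: a Python sketch of what a DHCP-side check for the original question would actually inspect. The only name available before a lease is issued is the one the client sends in option 81 (Client FQDN) or option 12 (Host Name), so it is a claim rather than proof of domain membership, which is why the replies point to 802.1X and allow lists. `ALLOWED_SUFFIX`, `ALLOWED_MACS` and both sample option fields are constructed for illustration.

```python
ALLOWED_SUFFIX = ".corp.example"       # assumed stand-in for the "predefined phrase"
ALLOWED_MACS = {"00:11:22:33:44:55"}   # constructed allow list

def opt(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

def parse_options(raw):
    """Walk the DHCP options field until END (255), skipping PAD (0)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option")
        opts[raw[i]] = raw[i + 2:i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return opts

def claimed_name(opts):
    """Name the client asserts: option 81 (Client FQDN), else option 12 (Host Name)."""
    if 81 in opts and len(opts[81]) > 3:
        flags, data = opts[81][0], opts[81][3:]    # skip flags, RCODE1, RCODE2
        if not flags & 0x04:                       # E bit clear: plain ASCII name
            return data.decode("ascii", "replace").rstrip(".").lower()
        labels, i = [], 0
        while i < len(data) and data[i]:           # E bit set: DNS wire-format labels
            labels.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
            i += 1 + data[i]
        return ".".join(labels).lower()
    if 12 in opts:
        return opts[12].decode("ascii", "replace").lower()
    return None

def evaluate(mac, raw_options):
    """Return (claimed name, name matches suffix, MAC is on the allow list)."""
    name = claimed_name(parse_options(raw_options))
    return name, bool(name) and name.endswith(ALLOWED_SUFFIX), mac.lower() in ALLOWED_MACS

# Constructed samples: a domain member sending option 81, a workgroup PC sending option 12.
DOMAIN_PC = opt(53, b"\x01") + opt(81, b"\x05\x00\x00\x04pc01\x04corp\x07example\x00") + b"\xff"
WORKGROUP_PC = opt(53, b"\x01") + opt(12, b"LAPTOP-GUEST") + b"\xff"

if __name__ == "__main__":
    print(evaluate("00:11:22:33:44:55", DOMAIN_PC))
    print(evaluate("66:77:88:99:aa:bb", WORKGROUP_PC))
```
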
