Infoblox shuts a back door

Opinion
Aug 22, 20053 mins

* Infoblox’s Authenticated DHCP

I’ve seen a rash of stories lately about the “theft” of wireless services. I put “theft” in quotes, because most of the stories have difficulty identifying exactly what was “stolen.”

The typical scenario is that someone – we’ll call him Joe – will install a home wireless network unprotected by passwords or any other authentication. Neighbors, or people driving by who boot up their wireless device, find Joe’s wireless access point, request an IP address via DHCP and go merrily on their way surfing the ‘Net. Or browsing through Joe’s files!

Most network administrators chuckle at these stories, wondering how people “can be so dumb” as to leave access to their networks open to anyone wandering by.

Maybe they should stop and think for a moment, though.

Suppose I come into your building, plop down in a vacant office, and fire up my laptop. Will your DHCP server gladly provide me with an IP address? Well, will it? Chances are that it will. Most people rely on network authentication to protect access to their corporate assets. Some also rely on local authentication before a machine can send a DHCP request. But if the “local” machine is one I just walked in with, then the latter scheme is worthless.

Worse, you may think you’re protected, but in fact if I can get an IP address then I can access the Internet. I can send spam, child pornography, illegal media files or anything else I want – and have it look like it was your company doing the sending. Because, of course, it was. Additionally, I could most likely access your intranet portal and perhaps other services – certainly any that are available company-wide.

There is a way to prevent this scenario.

Infoblox – the people who brought you DNSone and RADIUSone, the appliances that help you create a network identity infrastructure – have just released Authenticated DHCP as a new module for the DNSone appliance. This is a simple yet elegant solution to the often overlooked problem described above.

With Authenticated DHCP, each device accessing the DHCP server is checked for its “digital fingerprint.” If it’s not found, the device is placed into what’s called a “quarantine” network and the user is asked to authenticate himself. If the authentication is successful, the device’s “fingerprint” is noted by DNSone and saved for future reference. But if the user can’t be authenticated, then the device isn’t allowed onto the corporate network.

The module is configurable as to what service will be used for authentication, and includes Active Directory (or any LDAP-compliant directory service) and Exchange Server (among a group of e-mail services).

Current Infoblox customers can download the module for free, and it will be included at no charge with future shipments of the products. Not a bad price for locking a back door you might not even know existed.