The process of controlling a DHCP server The beginning of security of the network

Source: Internet
Author: User
Keywords Network security DHCP server access security access parameters
Imagine a network virus infected by a common computer connected to the network, the corresponding system of the virus is likely to be transmitted over the network to other computers on the LAN. Such mutual transmission, infection, the entire network is bound to be the network virus serious attack, at this time the security of the network is naturally destroyed. To ensure network security, access to the network must be properly controlled to ensure that ordinary computers can be trusted to connect to the local network and access the Internet. So which ordinary computers can be trusted? Here, we can force ordinary computers to automatically obtain the IP address from the DHCP server, in the process of applying for IP address, the DHCP server is required to authenticate the legality of the common computer. If the computer can successfully pass the authentication, then the DHCP server can be the Internet parameter address, including IP address, gateway, DNS server, etc., allocated to this computer, so that can be trusted by ordinary computer systems can be normal access to the network. If the computer does not authenticate with the DHCP server, the corresponding system will not be able to obtain valid access parameters from the DHCP server, and these untrusted ordinary computers will not be able to connect to the local network at this time. As a result, the security of the local network is guaranteed. In the authentication of the client system, we can create the legality rule in the DHCP server, and configure the corresponding Internet parameters for the rule, including IP address, gateway, DNS server and so on, then design the legality mark for the client system. In this way, when a common computer requests an Internet parameter from a DHCP server, the legality rule in the DHCP server verifies the legality tag of the client system: If the client system is found to have no legitimacy tag or the mark cannot be validated by the legality rule, it will not be allocated valid Internet parameters; If the client system is validated by the legality rule, the Internet parameters under the corresponding rules can be automatically assigned to the target client system, and the normal computer can be connected to the local network. Create legitimacy rules in order to control the Internet security of the client system, the legality rule can be created in the DHCP server to authenticate the legality of the common computer. You can create a new DHCP user class at the DHCP server and require authentication of the user classes on the client system before you can respond to the client system's Internet requests. When you create a new DHCP user class, first, open the DHCP server host system's Start menu, select programs → administrative tools → DHCP commands, enter the DHCP server console interface, select the target host icon in the list on the left of the interface, and right-click the host icon, and select the Define user Class command or the Define Provider category command in the right-click menu to pop up the New User Class wizard window, as shown in Figure 1. In the wizard window, display nameLocation, enter a DHCP user class name, for example, to enter the user category name as "Hefa". For future management purposes, you can also describe the role of the user class, for example, by entering descriptive information such as "Controlling network access Security" at the description location. Of course, if the DHCP user class name is relatively small, you can not set descriptive information. Next, set the matching class ID of the legitimate computer at the ID location, for example, when we enter the "Hefa" information at the ASCII character position, the binary value at the corresponding ID position is the matching class ID of the legitimate computer. Later, the DHCP server verifies the legality of the generic computer through this matching class ID. After you confirm that the above settings are correct, click the OK button to save the setup action. Configure legitimate Internet parameters if the DHCP server finds that the matching class ID of the common computer system meets the requirements, it is considered legitimate. At this point, the target client system should be assigned valid and valid Internet parameters to ensure that the computer can be successfully connected to the local network. To do this, when we create a "HEFA" user class name, we should also configure the user class with legitimate Internet parameters to ensure that regular computers authenticated through the user class can request valid Internet parameters from the DHCP server. The following are the specific configuration steps: First, switch to the control interface of the DHCP server, expand the target host option in the left child pane of the interface, right-click Scope options, select the "Configure Options" command in the right-click menu, continue to select the Advanced tab in the pop-up interface, and open the Advanced Options Settings page. As shown in Figure 2. This is where you can assign IP addresses, default gateways, DNS servers, and so on to your legitimate computer, and you can set parameters such as the lease duration of an IP address. For example, to configure the Internet parameters for the Hefa user class, you can click the Drop-down button at the user category location, select the previously created "Hefa" user category from the Drop-down list, and then choose "003 Routers" from the list of available options. Enter the appropriate default gateway address in the Settings area below the corresponding option, and then click the Add button to complete the assignment of the default gateway. Then select the 006DNS server option, and in the Settings area below the option, enter the DNS server address provided by the ISP used for local network access, and then click the Add button to complete the DNS server allocation operation. Similarly, the 051 lease option can be selected to set the valid lease duration for dynamic IP addresses. If you want to modify a dynamic IP address for a normal computer, you must expand the address pool option under the target scope and modify the Internet IP address in the Settings page of the corresponding option, and then click OK to save the setup action when you have finished modifying it. Set the legitimacy tag to ensure that trusted ordinary computer systems can successfully pass DHThe legality authentication of the CP server should set the legality mark for those secure client system beforehand, ensure that the DHCP class ID name of the system conforms to the legality verification requirement. When you set the legality tag for your normal computer, you can select the start → Run command, turn on the client system's running text box, execute the CMD string command, and go to the MS-DOS working window of the corresponding system. Next, execute the "Ipconfig/setclassidlocalconnectionhefa" string command at the command prompt in the MS-DOS working window, so that you can successfully set the DHCP class ID name of the client system local connection to "Hefa" Marked. Control network access security in order for a common computer to accept the legality control of a DHCP server, it is mandatory to require the client system to actively connect to the DHCP server when accessing the Internet. This allows the DHCP server to automatically authenticate the legality of the Internet computer. To do this, in fact, is very simple, we can set the normal client system of the Internet parameters, so that it automatically obtain IP address. When you set up an automatic IP operation, open the client system's Start menu, select settings → network connections option, right-click the local connection icon in the Network connection list interface, and then perform the Properties command in the right-click menu to eject the Local Connection Properties Settings dialog box. Select the General tab in this dialog box, select this option to set the TCP/IP protocol options on the page, click the Properties button, open the Options Settings dialog box, select the options "Automatically obtain IP address", "Automatically obtain DNS server address," and click "OK" button. Performs a setup save operation. Later, when a normal computer containing the "HEFA" token attempts to connect to a DHCP server, the legality rule of the DHCP server considers the computer to be trustworthy and assigns the Internet parameters under the corresponding rule to the computer. With the Internet parameters, the computer system can be normal access to the local LAN, and those insecure ordinary computers because of the lack of access to the parameters of the network can not be connected, network security has been a certain guarantee.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.