Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
specify a range for wired clients and a separate range for wireless
clients?

Background: a small organization, two servers (both domain
controllers), one running DHCP. Client systems connected to this
network fall in three categories:


1. Permanently wired desktop systems for office workers, members of
the domain.
2. Wireless notebook systems for office workers, members of the
domain.
3. Guest laptops needing Internet connectivity only, not members of
the domain, wirelessly connected.


All three client types will be getting their addresses from DHCP. I
was thinking of disabling DHCP services on the wireless router
(Linksys) altogether. I wanted to specify a range of IPs, perhaps
even on a different subnet, for the wireless clients to keep them as
separated as possible from the domain. Then create reservations for
the couple of laptops that are domain members, assuming that would
supersede whatever rules could be established to force wireless
guests to a different range/subnet.


I'm supporting a VERY small, non-profit organization with not much of
a budget for this kind of work. Most of the equipment I have at my
disposal is either old, borrowed, or was obtained cheaply/free. Labor
to design and implement whatever I come up with will be donated.
Sparing me the "you get what you pay for" anecdotes... what's the most
efficient way to accomplish separating guest wireless connections that
need Internet access only from legitimate office workers on both wired
desktops and wireless laptops? I cringe at the idea of trusting the
Linksys router for network security, but perhaps I'll need to do that
if I can't separate things out a little via DHCP.

Perhaps DHCP is not the tool to attempt isolation/segregation with.
But GPOs/IPsec will only apply to members of the domain and guests
will only interact with resources on the LAN at the level of the
router and DHCP server. I don't have too many other options right
now. The only networking equipment I have at my disposal is A) a DSL
modem, B) a wireless Linksys router, and C) a small 6-8 port switch
with little to no onboard intelligence (doubtful any VLAN
capabilities). No DMZ, no ISA, no proxy, no dedicated firewalls,
etc.

Ideas? Suggestions? I'm open to anything at this point. I'm just
beginning the design phase.

Thanks in advance.

Re: Using DHCP to separate activity? by Merv

Merv
Wed Mar 26 13:55:22 PDT 2008

A few thoughts...

I think the cheapest/easiest way to approach this, while maintaining
reasonable security, is to put a second NIC in the SBS server and purchase a
cheap wireless router (Linksys WRT54G, less than $45). I know it means
spending money, but, as you mentioned, you need to get the guest wireless
devices outside of the domain. The second NIC might be one that's been
pulled from an older machine. Many of these are compatible with Windows
Server 2003 even if they are on the HCL (Hardware Compatibility List) for
Win2003.

Change the current router's LAN IP address to a different subnet (like
192.168.10.1). You could then connect the current router to the second NIC
(IP = 192.168.10.x), re-run CEICW, enable the firewall, select your services
and then complete the rest of CEICW. The addition of the second NIC in the
SBS server will separate your LAN from your current router. You can then
use this router for guest web access.

Two Nics, a dynamic IP address, ISA and a router
(diagram works with or without ISA)
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/74/Two-Nics-a-dynamic-IP-address-ISA-and-a-router.aspx

Back to the SBS, re-running CEICW will set it up as the DHCP server for the
LAN. You would then configure the new Linksys WRT54G as an access point for
internal (LAN) wireless devices.

Cascading (Connecting) a Linksys Router to Another Linksys Router
Subsection: Cascading the Linksys Router to Another Linksys Router
(LAN-LAN)
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=3733&p_created=1152002311&p_sid=EQrnOH_i&p_accessibility=0&p_lva=3733&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTM4NCZwX3Byb2RzPTAmcF9jYXRzPTAmcF9wdj0mcF9jdj0mcF9zY2ZfbGFuZz0xJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9Q2FzY2FkaW5nIChDb25uZWN0aW5nKSBhIExpbmtzeXMgUm91dGVyIHRvIEFub3RoZXIgTGlua3N5cyBSb3V0ZXI*&p_li=&p_topview=1

In this case, the new router would be connected to the switch (where the SBS
server and LAN workstations are connected)

WRT54G Emulator
http://ui.linksys.com/files/WRT54G/v8/8.00.0/

WRT54G Router (Amazon.com)
http://www.amazon.com/Linksys-WRT54G-Wireless-G-Router/dp/B00007KDVI


--
Merv Porter [SBS-MVP]
============================



Re: Using DHCP to separate activity? by J

J
Wed Mar 26 14:09:17 PDT 2008

This is a Small Business Server NG. Are you running SBS? If so, is it
Standard or Premium?

One of my clients is a branch office for a national company. When home
office visitors come in with their laptops, we let them have guest
access to the Internet. This is how (using SBS 2003 Premium):

1. The wireless access point does not provide IP addresses.

2. DHCP has address reservations matched to the MAC addresses on the
visitors' laptops and assigns these to a specific range of IPs. (This is
the maintenance part. When a new laptop is introduced, we have to add a
reservation for its MAC address.)

3. The address range used by the reservation is set up as a Computer Set
in ISA Server. Then we add a rule for that computer set that allows
HTTP and HTTPS traffic. We give this rule a weekday daytime only
schedule. Oh, and we leave this rule disabled when no visitors are in town.

I have another client that allows limited wireless access to visitors,
but the wireless access point is between the firewall appliance and
external interface of the SBS box. So in that scenario, wireless
clients must use VPN access if they want into the internal network.
Visitors have easy access to the Internet.

BTW, in both cases the clients are using G only WPA2 encryption.

Personally, I am more comfortable with the 2nd scenario's security than
the first.

Joe

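A model of the three-step guest-access design in the post above, as an added example that is not code from the thread or from any Microsoft product. It stands in for the DHCP reservation table (step 2) and for the ISA computer-set rule with its weekday-daytime schedule and its enable/disable switch (step 3), so the policy can be exercised against sample requests. The address range, the MAC addresses and the schedule hours are constructed sample values, not the poster's.

```python
"""Model of a reservation-driven guest range plus an ISA-style access rule.
Added example; the range, MACs and hours below are constructed values."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import FrozenSet, Optional, Tuple

# Step 2: the guest range and one reservation per known visitor MAC.
# Constructed values; a real deployment picks its own range.
GUEST_RANGE = IPv4Network("192.168.1.200/29")  # .200 to .207
GUEST_RESERVATIONS = {
    "00:1a:2b:3c:4d:01": IPv4Address("192.168.1.201"),
    "00:1a:2b:3c:4d:02": IPv4Address("192.168.1.202"),
}

# Sample timestamps (constructed): a Wednesday morning, that evening, Saturday.
WEEKDAY_MORNING = datetime(2008, 3, 26, 10, 30)
WEEKDAY_EVENING = datetime(2008, 3, 26, 19, 0)
SATURDAY = datetime(2008, 3, 29, 10, 30)


def reserved_address(mac: str) -> Optional[IPv4Address]:
    """Address a visitor laptop gets from its DHCP reservation, or None when
    the MAC has no reservation (the maintenance step: every new visitor
    laptop needs one added before it lands in the guest range)."""
    return GUEST_RESERVATIONS.get(mac.lower())


@dataclass(frozen=True)
class ComputerSetRule:
    """Stand-in for an ISA access rule scoped to a computer set."""
    computer_set: IPv4Network
    allowed_ports: FrozenSet[int] = frozenset({80, 443})  # HTTP and HTTPS
    weekdays: FrozenSet[int] = frozenset(range(5))        # Monday to Friday
    hours: Tuple[int, int] = (8, 18)                      # 08:00 to 17:59
    enabled: bool = True

    def permits(self, src_ip, dst_port: int, when: datetime) -> bool:
        """Default deny: every condition must hold for the rule to match.
        Note the rule keys on the source IP, not on the MAC."""
        if not self.enabled:
            return False
        if ip_address(src_ip) not in self.computer_set:
            return False
        if dst_port not in self.allowed_ports:
            return False
        if when.weekday() not in self.weekdays:
            return False
        return self.hours[0] <= when.hour < self.hours[1]


GUEST_WEB_RULE = ComputerSetRule(computer_set=GUEST_RANGE)


def guest_access_allowed(mac: str, dst_port: int, when: datetime,
                         rule: ComputerSetRule = GUEST_WEB_RULE) -> bool:
    """Intended path end to end: the reservation supplies the address,
    the computer-set rule decides whether the request is allowed."""
    ip = reserved_address(mac)
    if ip is None:
        return False
    return rule.permits(ip, dst_port, when)


if __name__ == "__main__":
    print(guest_access_allowed("00:1a:2b:3c:4d:01", 443, WEEKDAY_MORNING))  # True
    print(guest_access_allowed("00:1a:2b:3c:4d:01", 445, WEEKDAY_MORNING))  # False
    print(guest_access_allowed("00:1a:2b:3c:4d:01", 443, SATURDAY))         # False
```

The `enabled` flag mirrors the poster's habit of leaving the rule disabled when no visitors are in town: flipping one switch closes the whole path without touching the reservations. Because `permits` matches on the address rather than the MAC, the rule is only as strong as the assumption that guests actually use their reserved address, which is the caveat raised later in the thread.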

Re: Using DHCP to separate activity? by Merv

Merv
Wed Mar 26 15:24:37 PDT 2008

Good catch, Joe. I missed that he might not be using SBS.

--
Merv Porter [SBS-MVP]
============================



Re: Using DHCP to separate activity? by Russ

Russ
Wed Mar 26 15:43:40 PDT 2008

Have a look at ZONECD
http://www.publicip.net/

Might be what you want

Russ

--

SBITS.Biz
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
North America Remote SBS2003 Support - http://www.SBITS.Biz
Information on Small Business Server 2008 - http://www.sbs2008.com
Information on Essentials Business Server - http://www.ebs2008.com






Re: Using DHCP to separate activity? by Joe

Joe
Wed Mar 26 17:18:34 PDT 2008

Bazooka-Joe wrote:
> Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
> specify a range for wired clients and a separate range for wireless
> clients?
>
> Background: a small organization, two servers (both domain
> controllers), one running DHCP. Client systems connected to this
> network fall in three categories:
>
>
> 1. Permanently wired desktop systems for office workers, members of
> the domain.
> 2. Wireless notebook systems for office workers, members of the
> domain.
> 3. Guest laptops needing Internet connectivity only, not members of
> the domain, wirelessly connected.
>
>
> All three client types will be getting their addresses from DHCP. I
> was thinking of disabling DHCP services on the wireless router
> (Linksys) altogether. I wanted to specify a range of IPs, perhaps
> even on a different subnet, for the wireless clients to keep them as
> separated as possible from the domain. Then create reservations for
> the couple of laptops that are domain members, assuming that would
> supersede whatever rules could be established to force wireless
> guests to a different range/subnet.
>
>
> I'm supporting a VERY small, non-profit organization with not much of
> a budget for this kind of work. Most of the equipment I have at my
> disposal is either old, borrowed, or was obtained cheaply/free. Labor
> to design and implement whatever I come up with will be donated.
> Sparing me the "you get what you pay for" anecdotes... what's the most
> efficient way to accomplish separating guest wireless connections that
> need Internet access only from legitimate office workers on both wired
> desktops and wireless laptops? I cringe at the idea of trusting the
> Linksys router for network security, but perhaps I'll need to do that
> if I can't separate things out a little via DHCP.
>
> Perhaps DHCP is not the tool to attempt isolation/segregation with.

No, it isn't. If you really mean 'segregation', then you mean that you
suspect that some kind of malicious user or malware may abuse your
hospitality. DHCP is not a suitable tool to prevent that. A NIC can have
more than one IP address, and I don't believe that SBS can discriminate
between users on the basis of DHCP allocations.

> But GPOs/IPsec will only apply to members of the domain and guests
> will only interact with resources on the LAN at the level of the
> router and DHCP server. I don't have too many other options right
> now. The only networking equipment I have at my disposal is A) a DSL
> modem, B) a wireless Linksys router, and C) a small 6-8 port switch
> with little to no onboard intelligence (doubtful any VLAN
> capabilities). No DMZ, no ISA, no proxy, no dedicated firewalls,
> etc.
>
> Ideas? Suggestions? I'm open to anything at this point. I'm just
> beginning the design phase.
>
As you probably suspect, the only real answer is two separate wireless
networks, with the guest one being quite definitely on the wrong side of
a firewall. Measures need to be taken to prevent wireless clients
connecting to the 'secure' wireless access point. WPA and MAC address
specification may be enough if you do not expect to deal with seriously
malicious humans, otherwise the SBS IAS server and a RADIUS-aware
wireless access point are necessary.

An SBS with two NICs is an adequate firewall for these purposes. Along
with a second wireless router, this really is the irreducible minimum of
hardware for security in the situation you describe. Sorry. While your
position has very little funding available, it may well be one which
could be targeted by the bad guys for that very reason.

Personally, I would simply not permit guest wireless access. With a
second NIC in the SBS and a small hub or switch, at a fairly minimal
cost, this allows wired guest Internet access without disturbing the
main network. There would still need to be some measures to prevent
guests connecting to the wireless access point, and those would depend
on the expected sophistication of the potential abusers.

Quite a lot of security can be obtained by requiring non-organisation
people to sit in a particular area and plug their laptops into a hub,
and at the same time it can be easily justified by the small budget
available and the legal restrictions on data security on the main
network that you must comply with.
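The reply above makes the point that a DHCP allocation is not an enforcement boundary: a NIC can carry any address, so a range handed out by DHCP says nothing about which hosts are actually using it. The defensive follow-up is to compare what the server believes it assigned with the MAC/IP pairs seen on the wire and flag disagreements. The following is an added example, not code from the thread: the assignment table and the ARP listing are constructed samples, and the listing follows the column layout of Windows `arp -a` output.

```python
"""Reconcile DHCP assignments with observed ARP entries and flag mismatches.
Added example; the assignment table and ARP text are constructed samples."""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

GUEST_RANGE = IPv4Network("192.168.1.200/29")  # constructed guest range

# Constructed: MAC -> address the DHCP server reserved or leased to it.
DHCP_ASSIGNMENTS: Dict[str, IPv4Address] = {
    "00:1a:2b:3c:4d:01": IPv4Address("192.168.1.201"),  # visitor laptop
    "00:1a:2b:3c:4d:02": IPv4Address("192.168.1.202"),  # visitor laptop
    "00:1a:2b:3c:4d:10": IPv4Address("192.168.1.20"),   # office desktop
}

# Constructed sample in the column layout of `arp -a` on Windows.
ARP_SAMPLE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.201         00-1a-2b-3c-4d-01     dynamic
  192.168.1.50          00-1a-2b-3c-4d-02     dynamic
  192.168.1.202         00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-1a-2b-3c-4d-10     dynamic
"""

# One data row: dotted-quad address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+",
    re.IGNORECASE,
)


def parse_arp(text: str) -> List[Tuple[str, IPv4Address]]:
    """Extract (mac, ip) pairs; the Interface and header lines do not match."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            pairs.append((mac, IPv4Address(m.group(1))))
    return pairs


def reconcile(assignments: Dict[str, IPv4Address],
              observed: List[Tuple[str, IPv4Address]],
              guest_range: IPv4Network) -> List[Tuple[str, str, str]]:
    """Return (finding, mac, ip) triples for every observed pair that
    disagrees with the DHCP view of the network."""
    findings = []
    owner_of = {ip: mac for mac, ip in assignments.items()}
    for mac, ip in observed:
        expected = assignments.get(mac)
        if expected is None:
            # A MAC the DHCP server never assigned anything to.
            findings.append(("unknown-mac", mac, str(ip)))
        elif ip != expected:
            # The host answers ARP with an address DHCP did not give it.
            findings.append(("address-mismatch", mac, str(ip)))
            if expected in guest_range and ip not in guest_range:
                findings.append(("guest-left-guest-range", mac, str(ip)))
        claimed_by = owner_of.get(ip)
        if claimed_by is not None and claimed_by != mac:
            # Someone else is using an address that was assigned to another MAC.
            findings.append(("assigned-ip-used-by-other-mac", mac, str(ip)))
    return findings


def audit(text: str = ARP_SAMPLE) -> List[Tuple[str, str, str]]:
    """Run the reconciliation over an ARP listing."""
    return reconcile(DHCP_ASSIGNMENTS, parse_arp(text), GUEST_RANGE)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

On the constructed sample the check reports four findings: one visitor laptop appears at an address outside the guest range, and an unknown MAC is sitting on an address reserved for another laptop. Neither situation is visible from the DHCP console alone, which is exactly why the reply treats DHCP as a convenience rather than a control and pushes the real boundary to a second NIC and a firewall.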