Web-Based DHCP Server Frontends? 36
Strog writes "We are securing our administrative network and one thing we decided to implement is allowing only known MAC addresses get an address from the DHCP server. The techs aren't very Unix-centric so we would prefer to keep them out of the server directly. A web-based admin tool is what we are looking for. I've used webmin for a while but it likes to give each host a nice little icon which wouldn't be so good once we get all ~750 machines entered. Dixie looks good too but leaves a few too many options for techs to look at. I'm in the process of hacking webmin into what I need but wondered if anyone out there has some good options to offer. What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button." This was recently asked on a mailing list, but so far, no answers have been given. Might someone here have experience with such software that they would like to share?
Webmin's DHCP Module (Score:1)
same problem with DNS updates (Score:1)
Most sites I've seen roll their own database for this sort of thing. You get then change management form (signed by the appropriate person) and a non-techie puts in the changes to a little app. The app updates the database and the database updates the DNS/DHCP settings....
Not very helpful, but there you go..
Perl (Score:3, Insightful)
Re:Perl (Score:1)
I realize a good perl script could do this and would write one if that's what it takes. I was asking about solutions others have done.
It's nice to reuse existing code. You get something that has been tested more thoroughly and had the bugs shaken out(mostly at least). It's nice to see proven error trapping and what does and doesn't work. Why should you go through all the trouble of writing a new program and the downtimes when it needs more debugging when someone has already gone through this and is sharing their results?
Your comment could as easily said python, php, monkeys with typewriters, etc. but it really wouldn't have added too much to the discussion. What would you do with your perl script, how would you go about structuring it, what kind of error checking? These would be better comments to add.
webmin doesnt have to show icons (Score:2, Informative)
Display subnets and hosts as _ Icons _ List
If you set this option to list, webmin wil not display an icon for each host. Further more, if you have a large number of DHCP clients, you may also want to use groups to help organize some of those clients into smaller lists.
Re:webmin doesnt have to show icons (Score:2, Informative)
Goto your theme directory and put noicons=1 in the config file (/usr/share/webmin/themename/config in my system). This gives icons in the categories but none in the module itself. This looks like it will scale up to hundreds of entries with ease. I have 150 in my test machine now and you don't have to scroll much yet.
I'm editing out all the unneeded fields and buttons in the cgi files now. Mostly consists of rem'ing out the print statements in the index.cgi, edit_host.cgi and params-lib.pl files so far. I've got the buttons down to create, save, delete and apply.
I can't seem to get rid lease time, dynamic DNS and a couple other options without it breaking. It tries to send a null instead of going with the default. It's really in a workable state for us right now but I'd love to get it down to our 2 boxes we want and nothing else.
It is said that 10% of the project takes 90% of the time. Looks like it is holding up here on this project for me.
FYI... (Score:2)
Re:FYI... (Score:1)
This is just one piece to the puzzle. The problem is most of the puzzle pieces are in other people's hands.
re: DHCP thing (Score:1)
This just sounds like the dhcp manager (/usr/sadm/admin/bin/dhcpmgr) which ships with Solaris 8/9...but it's a java application and not web based (well ssh X tunneling, exporting Display and xhost + is sort of web based isn't it??
Re: DHCP thing (Score:1)
An icon? is that all? (Score:2)
Re:An icon? is that all? (Score:1)
I was really looking for other solutions that might be a better starting point. I also would like to hear from others that have already done it and what snags they might have run into.
Re:NameSurfer (Score:1)
How not cheap is it? few hundred, couple thousand or more?
The website doesn't seem to give too much info.
Coding (Score:2)
If you can't do it, go to a secondary school and get someone to write the program for you.
Re:Coding (Score:1)
I was looking for other people's experience to draw from. I want to know if someone has done it before and the good, bad, otherwise they ran into as it scales up. One of the best things about the internet and open source is the wealth of resources and collaboration that is possible.
It's shame we have people locked in the basement whining about stuff instead of giving real input. Ask Slashdot could be a valuable resource. Sure there's a lot of dumb questions being asked e.g."I bought my first computer last week. How do I migrate a 6,000 computer datacenter without any downtime?". The "Ask Google", "code it yourself", "why can't you code?" and "Perl/PHP/GPL/BSD/Linux/OSX wars" comments really don't add anything productive to what could be a good sharing of ideas and experiences.
Perhaps you were just trolling?
Re:Coding (Score:2)
Re:Coding (Score:2)
Re:Coding (Score:1)
If questions on administering a server in an enterprise enviroment isn't useful then what is?
I thought the really useful ones ended up on the front page.
Perhaps the following?
Jobs for Moonlighting Geeks? [slashdot.org]
Inexpensive Alternatives for ICANN Disputes? [slashdot.org]
Secure Digital vs. Multimedia Cards [slashdot.org]
Kick-Starting a Software Export Business? [slashdot.org]
What Protections Exist for Parody Sites? [slashdot.org]
Is CRT Burn-In Still a Problem? [slashdot.org]
Two major problems (Score:3, Insightful)
First off, you have a catch-22 in the assignment system. You don't want to give a DHCP address to a system without its being authenticated, but your system won't be able to hit the net and get to the administrative machine to BE authenticated. Aside from manually typing in the MAC address on the main server, which I think someone would find annoying. I suppose you could DHCP unrecognized machines to an intranet address that's null-routed except for that admin machine, which would ask for a password, sniff the MAC address, and then add it to the DHCP system.
But there's an even larger flaw with your scheme, which is that there's nothing keeping users from turning off DHCP and choosing an unassigned IP, letting anyone with a little know-how hijack your connection without going through your authentication and possibly cause conflicts on your network. DHCP is MEANT to be easy; add complications and you've ruined the whole point of having it.
If you want to have a secure network, you're going to have to use a whole different system, such as using a protocol like PPPoE (unencrypted) or PPTP (encrypted) to log in to a central station and then have that machine handle routing, etc. From an ease-of-use standpoint, this would be a lot simpler, both for end users and your inexpert managers; they add a name and password to the list, and each user needs his name and password to log in. If someone changes hardware, no problem.
Re:Two major problems (Score:1)
We have an automated inventory system that we can get a list of authorized MAC addresses parsed into the list. The web interface would be for add, change and deletes. The individual tech responsible for their campus would be entering that and would only be a handful on a regular basis. Large purchases would be a pain though.:-(
The other issues are going to be handled in hardware solutions or so I'm told. Yes, fixed IPs need to be watched out for. I'd love to run IPSec on critical systems but it's not my call.
Re:Two major problems (Score:2)
Then your answer is clear. Push for the board to look at the solutions other colleges have used, tell them that the others have already solved all the problems they're about to face, and they should adopt a complete package instead of trying to roll their own. Kerberos would do really well, and it'd be free.
Re:Two major problems (Score:1)
Kerberos would complement what we are doing here quite well and will likely be the next part to the puzzle that is our network. It wouldn't necessarily replace everything else.
One problem is the database on a Tru64 box. It is maintained by the software vendor that doesn't support deviations from the normal way they do things. They are more concerned about things that aren't security related and security isn't even close to what it should be. The clients connect to it using telnet protocol (real secure there) using a proprietary client. Perhaps we can use stunnel [stunnel.org] or some other method of tunneling, etc. to externally secure the traffic but that might take more time and money than they are willing to provide.
The MIS dept tries to work around these issues with management of switches, routers, etc. and access lists and other methods to try to limit the issues. Yes the MAC addresses could be worked around but it is a step in the right direction. I appreciate the input, keep it coming.
Re:Two major problems (Score:2)
NetReg (Score:2, Informative)
http://www.netreg.org
Re:NetReg Advertisment? (Score:1)
Dont bother (Score:2)
DHCP "security" by only giving addresses to known mac addresses doesn't buy you anything. Anyone can still plug in and grab an address statically anyways. The only way to enforce this would be a manual static arp table in every machine (including the router) and disable true arp, and at that point you may as well stop using DHCP too. Even then you still have to take other measures to make it really work.
Just run plain old wide-open DHCP, and implement network policy where it belongs - at the L3 devices like firewalls, L3 switches, routers - and in user AAA, be it windows domain logon, LDAP, or what have you.
Use your switches (Score:1)
There are exceptions to this for development machines etc. so we can swap boxes around etc.
Geez, why even use DHCP? (Score:2)
Re:Geez, why even use DHCP? (Score:1)
It allows you to base automated system modifications for lab machines on IP address.
It allows, in a lab situation where configs can't be modified, an easy way to identify which machines was doing what without having to get into more complicated campus-wide monitoring of things like MAC addresses.
There are a whole swathe of useful things using DHCP but still tying specific machines to specific addresses allows. Having said that, security is not really on of them.
Re: (Score:2)