[NTLUG:Discuss] protecting the inside networks from visiting customers and vendors

Richard ntlug at rain4us.net
Wed Feb 20 18:27:21 CST 2008


I wanted to make the subject "protecting corporate networks from random 
acts of kindness" as a play on words to describe employees offering 
their network JACK to customers and vendors instead of requiring they go 
to the firewalled customer/vendor segment.  I changed it to something more 
technically appropriate.

I'm considering configuring a network so that only KNOWN hosts (MAC 
addresses) can get an IP address.  I was looking at the "deny 
unknown-clients" directive and it seems that option is now only 
recommended inside a 'pool'.

So I got to thinking that maybe what I'd do is assign 'unknown-clients' 
to a SMALL range of addresses that are firewalled from the rest of the 
inside network.  This would allow me to 'authorize' hosts while helping 
to prevent others from circumventing the protection.

Add to this mix dynamic DNS.  If I'm specifying the hostname in a pool 
configuration, which hostname is added to the DNS record -- the hostname 
passed by the client's dhcpcd or the one listed in the pool configuration?

Does anyone else use the 'deny unknown-clients' option in conjunction 
with DDNS?

-- 
Richard
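
The two-pool layout described in the message above, as an added example for ISC dhcpd that is not part of the original post. The subnet, ranges, lease times, host name and MAC address are constructed placeholders, and DDNS settings are left out.

```conf
# dhcpd.conf sketch (constructed values, not from the original post)

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;

    # Inside pool: offered only to "known" clients, i.e. clients that
    # match a host declaration below.
    pool {
        range 192.168.10.20 192.168.10.199;
        deny unknown-clients;
    }

    # Small range for every other client. The firewall rules that
    # separate this range from the inside network live on the
    # firewall, not in dhcpd.
    pool {
        range 192.168.10.240 192.168.10.250;
        allow unknown-clients;
        default-lease-time 600;
        max-lease-time 1800;
    }
}

# A registered machine. With no fixed-address statement it still gets
# a dynamic lease, but from the pool that denies unknown clients.
host workstation1 {
    hardware ethernet 00:00:5e:00:53:01;
}
```

The pools only decide which address a client is offered; the separation itself depends on the firewall or switch enforcing it for the small range.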