
DHCP Network Security Question


N1K


Hey guys,

I have a question.

Does any of you know how I can protect my network from unauthorized DHCP address leases? Here's some quick info about the network and the situation.

1000+ PCs with static IP addresses.

150+ laptops with DHCP addresses (mostly reserved IPs by MAC address).

I would like to know if there is a way to protect my network by having DHCP not lease IPs to unauthorized laptops/PCs.

For instance, the current situation is that DHCP provides IPs to anyone who connects to our network. Even though he/she won't be able to access any of our network or domain resources, I'd like to prevent DHCP server leases for those laptops.

I know I can protect against this by setting port security on the switch, but I'd like to know if this is possible in any other way.

Thx



DHCP will lease an IP for all requests unless there are no IPs left to lease. I would go with static IPs or assign them via reservation only.

We have static IPs for PC desktops but have to use DHCP for laptops, since we have a lot of people travelling to other locations of our company.

For example:

Mark is working at location A44300xx of our company and that's where he spends most of his working hours. At that location he gets a reserved IP from DHCP (by MAC address). That IP is bound to the MAC address and the name of that laptop.

Ex.

Name of the laptop: A44300AB, where 300 represents the location subnet and AB is the hex of the decimal IP (171). The MAC would be xxxxx44300AB.

So I make a reservation for that laptop by its MAC address and he'll always get that IP at his "mother" location.

When he goes to any other location, for instance A44500xx, and connects his laptop to the network, he'll get a non-reserved IP address from the local DHCP at that location. This range will be from 180 to 199 (last octet), since he has no reservation there.

That's the way we have worked so far and it has been doing very well, but we have to enforce our security in various fields, including DHCP leases.

Anyway thank you for your reply.


Well, it's kinda clumsy, but assuming your MAC reservations are sequential you could do an address exclusion for the unreserved block of addresses remaining in the scope.

btw I noticed your member title says MCSA W2k ... Aren't they (MS) retiring the MCSA 2k3 upgrade exam (70-292) the end of this year?

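The exclusion approach suggested above, worked through as an added example (this is not code from the thread or from any poster): given a scope, the reserved addresses and an optional visitor block that must stay leasable, compute the gaps that have to be excluded so the server has nothing left to hand to an unknown client. The scope, reservations and server name are constructed for the example; the netsh command shape is the one documented for the Windows Server 2003-era DHCP server, so check it against your own version before pasting.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Range = Tuple[str, str]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def unreserved_ranges(scope_start: str, scope_end: str, reserved: Iterable[str],
                      free_pool: Optional[Range] = None) -> List[Range]:
    """Return the contiguous blocks inside [scope_start, scope_end] that hold
    neither a reservation nor the optional visitor pool. Those are the blocks
    to exclude; afterwards the server can only answer reserved MACs (plus
    whatever you deliberately left in the visitor pool)."""
    lo, hi = _to_int(scope_start), _to_int(scope_end)
    keep = {_to_int(a) for a in reserved if lo <= _to_int(a) <= hi}
    if free_pool is not None:
        # Addresses deliberately left leasable (the 180-199 visitor block in
        # the thread); they must not end up inside an exclusion.
        keep.update(range(_to_int(free_pool[0]), _to_int(free_pool[1]) + 1))
    out: List[Range] = []
    cursor = lo
    for addr in sorted(keep):
        if addr > cursor:
            out.append((_to_str(cursor), _to_str(addr - 1)))
        cursor = addr + 1
    if cursor <= hi:
        out.append((_to_str(cursor), _to_str(hi)))
    return out


def netsh_exclude_commands(server: str, scope_id: str, ranges: Iterable[Range]) -> List[str]:
    """One 'add excluderange' per gap, in netsh dhcp syntax (assumed 2003-era form)."""
    return [f"netsh dhcp server \\\\{server} scope {scope_id} add excluderange {a} {b}"
            for a, b in ranges]


if __name__ == "__main__":
    # Constructed sample scope and reservations, not taken from the thread.
    gaps = unreserved_ranges("10.44.30.100", "10.44.30.199",
                             ["10.44.30.150", "10.44.30.170", "10.44.30.171",
                              "10.44.30.172", "10.44.30.173"],
                             free_pool=("10.44.30.180", "10.44.30.199"))
    for cmd in netsh_exclude_commands("dhcp01", "10.44.30.0", gaps):
        print(cmd)
```

Two caveats a practitioner should keep in mind: the exclusion only blocks strangers while there is nothing left to lease, so any visitor block you keep open is open to anyone who plugs in; and a reserved address still goes to whichever host presents that MAC, because the reservation is matched on a field the client fills in itself.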

btw I noticed your member title says MCSA W2k ... Aren't they (MS) retiring the MCSA 2k3 upgrade exam (70-292) the end of this year?

Yes, I'll have to upgrade as fast as I can.. :sneaky:

As for DHCP, our situation is clumsy since we have so many locations. I'm afraid there's not much we can do regarding the DHCP issue. :}


LOL Well...I'm in the same (MCSA 2k) boat, so good luck to both of us!

Can you give some details on how this DHCP lockdown requirement came about? How often is it causing how much of a problem etc.? Static addressing for 1000+ machines has got to be a nightmare.


Actually, we never had any security issues with our network, but recently we had a revision where we got requests to upgrade security in our company.

One of those security issues concerns the DHCP server.

We need to have at least 10-20 free DHCP leases at each location, depending on the size of the location, and there's not much you can do with DHCP regarding its security, since DHCP server security is often one of the most overlooked areas of network security.

One reason for this might be the simplicity of how DHCP works: DHCP clients broadcast discovery messages (DHCPDISCOVER) containing their MAC addresses, and DHCP servers respond by offering (DHCPOFFER) to lease an IP address and other TCP/IP settings that the client can use to communicate on the network. The client responds (DHCPREQUEST) to the first lease offer it receives, and the server acknowledges (DHCPACK) the request and marks the address as leased in its DHCP database. That's all there is to it; who needs to worry about security?

Seems that the only thing we can do is to secure door locks and prevent any unauthorized physical access to our network resources.


If MAC filtering isn't good enough, you're looking at 802.1x and a RADIUS server if you want additional security (802.1x will basically only allow EAPOL packets from a machine before it auths against the RADIUS server).


If MAC filtering isn't good enough, you're looking at 802.1x and a RADIUS server if you want additional security (802.1x will basically only allow EAPOL packets from a machine before it auths against the RADIUS server).

Thx Cluberti, RADIUS is one of the options, but we'll see about that.


If MAC filtering isn't good enough, you're looking at 802.1x and a RADIUS server if you want additional security (802.1x will basically only allow EAPOL packets from a machine before it auths against the RADIUS server).

I could be way off base here... but doesn't the 802.1x/RADIUS combo assume wireless access control? If somebody wandering about the building could toss a patch cable (we all carry them) into an open hardwired port and get an IP... No?

While not as fancy, why not try using DHCP User or Vendor Classes?

I'm just thinking out loud here :)

Stoic Joker

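The DISCOVER/OFFER/REQUEST/ACK exchange summarised in N1K's post earlier in the thread, and the user/vendor class idea raised just above, run end to end as an added example (not code from the thread or from any poster). The messages are encoded in the RFC 2131 wire format; the server, the reservation table, the MACs, the addresses and the `CORP` user class string are all constructed for the example. The point it makes is that the reservation is matched on `chaddr` and the class policy on option 77, both of which the client writes itself, so the only thing that really withholds a lease is an empty pool.

```python
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 options cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HDR = "!BBBBIHH4s4s4s4s16s64s128s"               # fixed 236-byte header
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_USER_CLASS = 50, 53, 77


def ip2b(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build(msg_type: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
          extra: Optional[List[Tuple[int, bytes]]] = None, from_server: bool = False) -> bytes:
    """Encode one DHCP message: header, cookie, option 53, extra TLVs, end marker."""
    hdr = struct.pack(HDR, 2 if from_server else 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ip2b(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, val in extra or []:
        opts += bytes([code, len(val)]) + val
    return hdr + MAGIC + opts + b"\xff"


def parse(pkt: bytes) -> Dict:
    """Decode the header and walk the TLV option list up to the end marker."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:            # pad option carries no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": f[4], "chaddr": f[11][:f[2]], "yiaddr": b2ip(f[8]), "options": opts}


class TinyDhcpServer:
    """Reservation-by-MAC plus a small free pool, optionally gated on a user class."""

    def __init__(self, reservations: Dict[str, str], pool: List[str],
                 required_user_class: Optional[bytes] = None):
        self.reservations = {k.lower(): v for k, v in reservations.items()}
        self.pool = list(pool)
        self.leases: Dict[str, str] = {}
        self.required_user_class = required_user_class

    def _choose(self, mac: str, user_class: Optional[bytes]) -> Optional[str]:
        if mac in self.reservations:            # keyed on chaddr alone: spoofable
            return self.reservations[mac]
        if self.required_user_class is not None and user_class != self.required_user_class:
            return None                          # class policy: no offer at all
        if mac in self.leases:
            return self.leases[mac]
        return self.pool[0] if self.pool else None   # empty pool: stay silent

    def handle(self, pkt: bytes) -> Optional[bytes]:
        m = parse(pkt)
        mac = m["chaddr"].hex()
        ip = self._choose(mac, m["options"].get(OPT_USER_CLASS))
        mtype = m["options"][OPT_MSG_TYPE][0]
        if mtype == DISCOVER:
            return None if ip is None else build(OFFER, m["xid"], m["chaddr"], ip, from_server=True)
        if mtype == REQUEST:
            wanted = b2ip(m["options"].get(OPT_REQUESTED_IP, b"\0" * 4))
            if ip is None or wanted != ip:
                return build(NAK, m["xid"], m["chaddr"], from_server=True)
            if ip in self.pool:
                self.pool.remove(ip)             # mark as leased
            self.leases[mac] = ip
            return build(ACK, m["xid"], m["chaddr"], ip, from_server=True)
        return None


def dora(server: TinyDhcpServer, mac: bytes, user_class: Optional[bytes] = None) -> Optional[str]:
    """Client side of DISCOVER/OFFER/REQUEST/ACK; returns the leased IP or None."""
    extra = [(OPT_USER_CLASS, user_class)] if user_class else []
    offer = server.handle(build(DISCOVER, 0x1234, mac, extra=extra))
    if offer is None:
        return None
    want = parse(offer)["yiaddr"]
    ack = parse(server.handle(build(REQUEST, 0x1234, mac,
                                    extra=extra + [(OPT_REQUESTED_IP, ip2b(want))])))
    return ack["yiaddr"] if ack["options"][OPT_MSG_TYPE][0] == ACK else None


def demo() -> Dict[str, Optional[str]]:
    # Constructed values; the MAC follows the thread's xxxxx44300AB convention.
    laptop = bytes.fromhex("0000044300ab")
    srv = TinyDhcpServer({"0000044300ab": "10.44.30.171"}, ["10.44.30.180"],
                         required_user_class=b"CORP")
    return {
        "reserved_laptop": dora(srv, laptop),
        "visitor_without_class": dora(srv, bytes.fromhex("0000aa000001")),
        "visitor_with_forged_class": dora(srv, bytes.fromhex("0000aa000001"), b"CORP"),
        "attacker_spoofing_reserved_mac": dora(srv, laptop),   # same chaddr, same answer
        "visitor_after_pool_exhausted": dora(srv, bytes.fromhex("0000aa000002"), b"CORP"),
    }
```

Run `demo()` and compare the five results: the reserved laptop and the host that copies its MAC both receive 10.44.30.171, the visitor gets nothing until it supplies the expected class string, and the next visitor is refused only because the single pool address is gone. A user or vendor class is therefore a useful way to steer known clients to the right options or pool, but it is not an authentication step; port-level 802.1x, as suggested in the thread, is the control that decides before any DHCP traffic is forwarded.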

I could be way off base here...but desn't the 802.1x/RADIUS combo assume wireless access control?

You can do 802.1x on any port if the switch supports it - it's not limited to wireless, just most common there.

