David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

March 2nd, 2007 at 12:51 am

DHCP Security?

Trace Pupke wonders about using DHCP or static IPs on his network, especially with regard to DHCP security. We use DHCP, and I wouldn’t think about trying to manage static IPs; it would be a nightmare. Eventually my plan is to use the new HP ProCurve switches we just got (more coming about those sometime soon) to enforce either MAC-based port security, especially on publicly-accessible network ports, or to go all out and use 802.1x authentication, just as I’ve partially implemented already on our wireless network, so that only authorized users could connect to the port. Or, even better, allow anyone to connect to the public network on a port, and if they authenticate with 802.1x as a staff member, give them staff-level access instead. I know the switches we have now will do this; it’s just a bit complex to get set up, and more so to make sure it’s reliable enough for real use and that all clients are configured properly.

However, one thing that can be done easily if you are running DHCP on a Windows Server is to use DHCP User Classes, set via a login script, to hand out valid IPs only to computers that have been configured correctly by the login script. This method could be worked around by someone who knew what to look for on an authorized computer (they could just examine the login script, in fact) and copied it onto their own system, but it would keep casual users from having a usable IP address handed to them on a silver platter. If users are not local administrators, they would be unable to modify their domain-connected workstations and would be limited to the settings provided by the login script.

There used to be an excellent tutorial from an episode of the Casting from the Server Room podcast on their show notes wiki for that week showing how to set up a DHCP server and client with user classes, but they’ve had some issues with their ServerRoomWiki.com site and it’s currently down as I write this; I know they had to restore from a backup recently and I’m not sure if this is coming back or not. I did find some other references via the Google search in my last paragraph, including this (okay), this (better), or this (best of what I looked at).

There are a few technical steps to the setup of course, but it comes down to handing out bogus, or no, IP information by default unless a computer has a particular DHCP User Class set. That class is configured via login and logout scripts, so valid users, when they log in, are assigned a valid User Class and thus get the correct information from the DHCP server. The security it provides goes only as far as forcing people to either know what static IP range to use if they want an IP, or sniff the network (harder but doable on a switched network) for DHCP packets and look at the User Class that is being transmitted. It’s nothing like MAC-based access controls at the switch port level, 802.1x security with multiple VLANs, or an air gap, but it might make the difference if you’re just choosing between static IPs and DHCP on a “trusted” network.
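As an added illustration of the login/logout script side of this setup (this is not the post’s own script, nor one from the podcast tutorial it mentions), here is a single batch file that a domain login script could call with `login` and a logout script with `logout`. It assumes a user class named `StaffClass` has already been created in the Windows DHCP server console and that the scope’s real router/DNS options are bound to that class, and that the account running the script is allowed to change the adapter’s DHCP class ID.

```batch
@echo off
REM Hypothetical DHCP user-class login/logout script (added example, not from the post).
REM Assumes the DHCP server already defines a user class named StaffClass and binds the
REM scope's real options (router, DNS, etc.) to it; the default class gets bogus values.
REM Usage: dhcpclass.cmd login     (called from the domain login script)
REM        dhcpclass.cmd logout    (called from the logout script)

setlocal
set CLASSID=StaffClass
set LOGFILE=%TEMP%\dhcpclass.log

if /i "%~1"=="login"  goto :login
if /i "%~1"=="logout" goto :logout
echo Usage: %~nx0 login ^| logout
exit /b 1

:login
REM Tag every adapter ("*" is ipconfig's adapter wildcard) with the user class.
REM The client then sends this identifier to the DHCP server (DHCP option 77),
REM and only clients presenting it receive the class-specific, valid options.
ipconfig /setclassid * %CLASSID% >nul
ipconfig /renew >nul
goto :verify

:logout
REM Clear the class ID so the workstation falls back to the default (bogus) lease
REM on its next renewal and leaves no staff class behind for the next user.
ipconfig /setclassid * >nul
ipconfig /renew >nul
goto :verify

:verify
REM Record which class each adapter now carries so the change is auditable.
echo ==== %DATE% %TIME% %USERNAME% %~1 >> "%LOGFILE%"
ipconfig /showclassid * >> "%LOGFILE%"
endlocal
exit /b 0
```

The log file is the easy check: after login each adapter should show the `StaffClass` user class, and after logout `ipconfig /showclassid` should report none.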

Another option, which could work alone or concurrently with DHCP User Classes, would be to use reservations for all DHCP clients. Then you would know what valid IPs were assigned and which were invalid because they didn’t have a reservation (or non-reserved IPs are excluded from the scope so the DHCP server can’t hand out a non-reserved IP), but you would still gain the benefits of centrally managing your IP addressing, making changes easier if necessary in the future. You would just need the MAC address of every authorized device, one time.

These are all things I’m considering to increase our security, alongside separate VLANs for public, staff, and some other sensitive networks (IP-based security cameras as well as our nursery check-in system get their own VLANs, with firewalled routing from separate interfaces on our Microsoft ISA 2004 server). Although using all of these methods would be a helpful part of defense-in-depth, realistically I’m probably going to lean toward VLANs and firewalled routing to provide most of the security, and use MAC-based port access control and/or 802.1x authentication against an IAS (Microsoft’s version of RADIUS) server for staff access security, especially for ports located in public areas.