
Can DHCP reservations improve network security?

A TechRepublic member recently posed the question of whether assigning DHCP reservations based on MAC addresses could improve network security. The answer was "yes." See why and what the qualifications are.

Problem

In the Technical Q&A, ztech123 posted, "I am curious, are there any security benefits to establishing DHCP reservations for clients on my network – I have about 30 – so that each machine would always get assigned the same IP based on MAC address. I've done it for the printers, and I'm considering it for the client machines, but I was unsure if it's a good move or not. I am trying to enhance security."

Solution

TechRepublic member voldar responded: "The only benefit is the following: if you use reservations for all your computers, and your IP's subnet range for lease by your DHCP is restricted to those 30 IP addresses, then no new computer will be able to connect to your network unless you give to it the rights to do that."

Another TechRepublic member, ewgny, added, "One security benefit that I can think of is that you may want to keep a grouping of workstations with contiguous IP addresses for firewall rules; for example, no outbound port 80 for 10.1.1.20 – 10.1.1.25. You could also prevent the DHCP server from giving out IP addresses by keeping your reservations in an exclusion zone and configuring DHCP not to distribute IP addresses past the exclusion zone. An unauthorized person trying to connect to your network would have to know the private IP range/subnet you are using to get onto your network. Although this alone doesn't give your network a high level of security, it makes it more difficult for hackers."
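Reservations only control what the DHCP server hands out; a host configured by hand with an address in the right subnet never asks it. The sketch below is an added example, not part of the original article or the members' posts. It compares observed IP/MAC pairs (for instance from a router's ARP table) against the reservation list. All addresses, MACs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: reservations (MAC -> reserved IP) and observed
# (IP, MAC) pairs as a router or switch ARP table might report them.
RESERVATIONS = {
    "00:11:22:33:44:01": "10.1.1.20",
    "00:11:22:33:44:02": "10.1.1.21",
    "00:11:22:33:44:03": "10.1.1.22",
}
OBSERVED = [
    ("10.1.1.20", "00-11-22-33-44-01"),    # matches its reservation
    ("10.1.1.25", "00:11:22:33:44:02"),    # known MAC on the wrong IP
    ("10.1.1.22", "de:ad:be:ef:00:01"),    # unknown MAC on a reserved IP
    ("10.1.1.77", "de:ad:be:ef:00:02"),    # unknown MAC, static IP in subnet
    ("192.168.5.9", "de:ad:be:ef:00:03"),  # address outside the subnet
]
SUBNET = ipaddress.ip_network("10.1.1.0/24")  # assumed LAN range


def norm_mac(mac):
    """Normalise aa-bb-.., AA:BB:.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(reservations, observed, subnet):
    """Return (ip, mac, finding) for every observed host that breaks the plan."""
    by_mac = {norm_mac(m): ipaddress.ip_address(ip)
              for m, ip in reservations.items()}
    reserved_ips = set(by_mac.values())
    findings = []
    for ip_s, mac_s in observed:
        ip, mac = ipaddress.ip_address(ip_s), norm_mac(mac_s)
        if ip not in subnet:
            findings.append((ip_s, mac, "outside-subnet"))
        elif mac not in by_mac:
            # Host the DHCP server never approved, using a static address.
            kind = "reserved-ip-conflict" if ip in reserved_ips else "unreserved-host"
            findings.append((ip_s, mac, kind))
        elif by_mac[mac] != ip:
            findings.append((ip_s, mac, "ip-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in audit(RESERVATIONS, OBSERVED, SUBNET):
        print(*finding)
```

A matching MAC is not proof of identity, since MAC addresses can be set in software, so a clean audit shows only that nothing observed contradicts the reservation list.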

There are also two TechRepublic articles that help to answer this question and show how to best use DHCP reservations:


Note

The text of discussion posts from TechRepublic members has been slightly edited for spelling, punctuation, and clarity.

