DHCP A Security Issue?

By tmcclure

Hi Everyone. Our network uses static IP addressing. The techs I work with constantly complain about it. They think using DHCP will make their lives a lot easier. I, on the other hand, think DHCP is a serious security issue.

Do you agree or disagree? If so, why?


Depends

by NI70 In reply to DHCP A Security Issue?

What's your network topology? How many static IP addresses does your network currently use? Is your network an Active Directory Domain? DHCP will certainly make your techs' lives easier. If using DHCP is a security concern, just make your network ports hot that have your company's computers connected to, and if you have a visitor that needs network access or Internet access make that specific port hot.

If you have WLAN, well that's another security issue in and of itself.

I've been involved with three networks over the years that have DHCP and I implemented DHCP on another. I believe I've even convinced our regional office to switch to DHCP.

Here's a couple of links you may find informative:
http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
http://www.windowsecurity.com/articles/DHCP-Security-Part2.html

in only one way

by Jaqui In reply to DHCP A Security Issue?

can dhcp be a security issue.
if every router is set up to forward the request to the next outer server, then your isp will get lots of dhcp requests.
if they wanted to show you why this is a bad idea, they could send your requests to someone else's dhcp server, locking your workstations out of your local network.

in other words, no it isn't.
dhcp is a nic asking for config data. the network connection is not active until it gets the ip number. the dhcp server will have to be limited to not respond to external requests.

but the protocol itself is no more a risk than using static ip's

routers

by NI70 In reply to in only one way

Jaqui

I hadn't thought of the router being an issue, because our WAN manager handles the routers; I'm not allowed into the router IOS.

Now if tmcclure set up a NAT router with DHCP and private IP addresses, wouldn't that solve his question about DHCP being insecure?

yup..

by Jaqui In reply to routers

since the routers are defaulted to not transmitting a dhcp request outwards but have a dhcp server in them to respond to such requests, it would take effort to make them insecure.
but that would be the only insecurity with dhcp.
an intentional breach that takes a lot of work to accomplish.

Network topology

by tmcclure In reply to routers

My network is a Frame Relay WAN spread out throughout the state.

The security guys say I should track my MAC addresses and use ACL and secure unused cable drops. Sounds like more work to me.

AD domain?

by NI70 In reply to Network topology

Are you running an AD domain? Do you have member servers at each remote office? If so, set these up as DHCP servers and subnet your IP addresses. I'm not up to snuff on configuring routers, but have taken one CCNA college course. It would seem to me that once you have your ACL in place (I would think you'd be able to have a range of IPs for that specific router/LAN), it shouldn't be much work maintaining your network.

NOS

by tmcclure In reply to AD domain?

We are primarily a Novell network. We have several Win2k3 servers running Citrix, but do not use Active Directory. Although, and tell me if I am crazy, we are thinking of migrating to Microsoft.

Anything can be a security risk...

by j_bomberry In reply to DHCP A Security Issue?

Anything can be a security risk if not done properly. DHCP itself would not be the weak point in your network's security. Your Active Directory setup is. If I gain entry to your office with my laptop and plug into a free network jack, I will not be able to get data from any network resources without an AD login and password. Even if I did have a login I would be limited to the shares that the login has access to. Even with static IP addressing you are just as vulnerable. All I would need to do is sniff the network for an IP and MAC address, spoof my MAC address on my laptop, set my IP address to the correct IP that I just sniffed and I am on the network. The software to do those things is readily available on the internet. In fact, in my Security+ class we actually use those apps to see how easy it would be for someone to compromise your network. But back to DHCP, you can use DHCP reservation to only allow IPs for the right computer. But it is quite easy for a hacker to make their laptop the "right computer". So in my opinion, done correctly, DHCP is no riskier than static. Reducing your risk involves many layers of security from locks on doors to MAC filtering to password policies and so on.
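
The post above notes that a reservation or MAC filter only checks the MAC address, so an audit has to look at where a MAC appears as well as which MAC it is. The following is an added example, not part of the original thread: it checks lease events against a MAC inventory. The record format, inventory, addresses and port names are constructed, and the port field is assumed to come from something like DHCP relay agent information (option 82).

```python
# Added example: audit DHCP lease events against a MAC inventory.
# The record format, inventory and port names below are constructed.
import csv
import io

# Inventory of company machines: MAC -> (reserved IP, switch port it lives on)
INVENTORY = {
    "00:11:22:33:44:01": ("10.1.0.11", "sw1/0/1"),
    "00:11:22:33:44:02": ("10.1.0.12", "sw1/0/2"),
}

# Constructed lease events: time, MAC, leased IP, port reported by the relay
SAMPLE_LEASES = """\
09:00:01,00:11:22:33:44:01,10.1.0.11,sw1/0/1
09:00:07,00:11:22:33:44:02,10.1.0.12,sw1/0/2
09:14:30,de:ad:be:ef:00:99,10.1.0.50,sw1/0/7
09:20:12,00:11:22:33:44:02,10.1.0.12,sw1/0/7
"""


def audit_leases(text, inventory):
    """Return a list of (time, mac, finding) for leases that need a look."""
    findings = []
    for when, mac, ip, port in csv.reader(io.StringIO(text)):
        mac = mac.lower()
        if mac not in inventory:
            # A device nobody registered, e.g. a laptop on a free jack
            findings.append((when, mac, "unknown MAC on " + port))
            continue
        reserved_ip, home_port = inventory[mac]
        if port != home_port:
            # A known MAC on the wrong port is what a copied MAC looks like
            findings.append((when, mac, "known MAC moved to " + port))
        if ip != reserved_ip:
            findings.append((when, mac, "lease " + ip + " != reservation"))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, INVENTORY):
        print(*finding)
```

The second finding is the case a reservation alone does not catch: the MAC matches the inventory, but it is on a port the registered machine is not connected to.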

From Zreg

by Kondyiak In reply to DHCP A Security Issue?