DHCP usage policy
July 9, 2017
DHCP makes life easier for IT staff and employees, allowing computer systems and devices to be connected to a network quickly and given the necessary access. The alternative of using permanent (or static) IP addresses is time-consuming, but static IP addresses can be more secure. So despite the advantages of DHCP, it’s essential to reduce associated risks.
This policy provides guidelines for the secure and effective usage of DHCP in your organization. It assumes a working knowledge of DHCP configuration and administration. Implementation and management details will vary based on product, so adhering to this policy also depends on knowledge of the DHCP products involved (Linux or Windows server-based, network device, etc.).
From the policy:
Only the IT department will set up/administer DHCP (with input from security, if needed). Maintaining/updating the policy will remain the responsibility of the IT/security departments or other designated individuals/groups.
Appropriate subnets/address ranges will be defined in advance for client use. These subnets and address ranges may be universal throughout the company or explicit for departments/job functions. For instance, developers may be assigned to one subnet and finance users to another. Plan for growth and the need to expand capacity, and factor this into a DHCP implementation. (Set up multiple class C subnets in advance if you expect that more than 250 or so clients will need IP addresses, or consider a class B subnet, which can accommodate more hosts.)
DHCP subnets/IP ranges should be distinct between private (internal) and public (external, such as a wireless guest network) usage. For security purposes, these subnets or access to them should never overlap. The same principle applies to wired vs. wireless connections; keep them separate across the board.
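The separation and capacity rules above can be checked against a scope plan before it is deployed. The following is an added example, not part of the policy: the scope names, prefixes, client counts and the 20% growth allowance are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; every name, prefix and client count is illustrative.
SCOPES = [
    {"name": "dev-wired", "zone": "private", "media": "wired",
     "cidr": "10.10.0.0/24", "clients": 120},
    {"name": "finance-wired", "zone": "private", "media": "wired",
     "cidr": "10.10.1.0/24", "clients": 240},
    {"name": "staff-wifi", "zone": "private", "media": "wireless",
     "cidr": "10.10.0.128/25", "clients": 60},
    {"name": "guest-wifi", "zone": "public", "media": "wireless",
     "cidr": "192.168.50.0/24", "clients": 100},
    {"name": "lobby-wifi", "zone": "public", "media": "wireless",
     "cidr": "10.10.1.0/26", "clients": 20},
]

def usable_hosts(net):
    """Addresses left after the network and broadcast addresses are reserved."""
    return max(net.num_addresses - 2, 0)

def audit(scopes, headroom_pct=20):
    """Return findings as tuples: (kind, scope name[, second scope name])."""
    findings = []
    nets = [(s, ipaddress.ip_network(s["cidr"], strict=True)) for s in scopes]
    for s, net in nets:
        # Growth allowance is an assumed figure, rounded up to whole clients.
        needed = -(-s["clients"] * (100 + headroom_pct) // 100)
        if needed > usable_hosts(net):
            findings.append(("capacity", s["name"]))
    for (a, na), (b, nb) in combinations(nets, 2):
        if not na.overlaps(nb):
            continue
        if a["zone"] != b["zone"]:
            kind = "zone-overlap"     # private and public ranges collide
        elif a["media"] != b["media"]:
            kind = "media-overlap"    # wired and wireless ranges collide
        else:
            kind = "overlap"          # duplicate range within one segment
        findings.append((kind, a["name"], b["name"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SCOPES):
        print(*finding)
```
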