This is a discussion on DHCP security within the Linux Networking forums, part of the Linux Forums category.
Hello,
I currently admin a small network of about 12 clients, all with fixed IP schemas. Since this network is only growing to include more and more clients I was thinking of using a DHCP server to handle IP configuration on new clients. I've already got that working. But my main concern is how do you stop a rogue DHCP server from getting on the network and giving fake information to some clients? And how about unauthorized clients? Any ideas? Thanks.
danielv wrote:
> Hello,
> I currently admin a small network of about 12 clients, all with fixed
> IP schemas. Since this network is only growing to include more and more
> clients I was thinking of using a DHCP server to handle IP
> configuration on new clients. I've already got that working. But my main
> concern is how do you stop a rogue DHCP server from getting on the
> network and giving fake information to some clients? And how about
> unauthorized clients?
>
> Any ideas? thanks.

The latter part is easy:

    # ISC dhcpd.conf: one host declaration per known machine
    host me {
        hardware ethernet 00:11:22:33:44:55;
    }
    subnet .... {
        deny unknown-clients;
        ...
    }

If you like, you can put a fixed-address statement in each host statement, so in that case you've made static networking configurations and simply moved them all to the same computer.

The rogue DHCP server could be a problem for a small network, but at least you won't have hundreds of machines to check over if it happens.
On 2 Aug 2006 07:21:50 -0700, danielv <dvhirt@gmail.com> wrote:
> Hello,
> I currently admin a small network of about 12 clients, all with fixed
> IP schemas. Since this network is only growing to include more and more
> clients I was thinking of using a DHCP server to handle IP
> configuration on new clients. I've already got that working. But my main
> concern is how do you stop a rogue DHCP server from getting on the
> network and giving fake information to some clients? And how about
> unauthorized clients?
>
> Any ideas? thanks.

It's difficult, because DHCP is a broadcast protocol. The way I've done it is to have the servers on one physically-protected network and everything else on one or more other networks. This allows you to do DHCP forwarding on the switches (assuming they're managed), which you can set up to only point to a server in the protected network.

-- 
-- Skylar Thompson (skylar@cs.earlham.edu)
-- http://www.cs.earlham.edu/~skylar/
Thanks for the replies, I'll look into that.
Skylar Thompson wrote:
> On 2 Aug 2006 07:21:50 -0700, danielv <dvhirt@gmail.com> wrote:
> > Hello,
> > I currently admin a small network of about 12 clients, all with fixed
> > IP schemas. Since this network is only growing to include more and more
> > clients I was thinking of using a DHCP server to handle IP
> > configuration on new clients. I've already got that working. But my main
> > concern is how do you stop a rogue DHCP server from getting on the
> > network and giving fake information to some clients? And how about
> > unauthorized clients?
> >
> > Any ideas? thanks.
>
> It's difficult, because DHCP is a broadcast protocol. The way I've done it
> is to have the servers on one physically-protected network and everything
> else on one or more other networks. This allows you to do DHCP forwarding
> on the switches (assuming they're managed), which you can set up to only
> point to a server in the protected network.
>
> -- 
> -- Skylar Thompson (skylar@cs.earlham.edu)
> -- http://www.cs.earlham.edu/~skylar/
On 2 Aug 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<1154528510.896681.241870@i42g2000cwa.googlegroups.com>, danielv wrote:

> I currently admin a small network of about 12 clients, all with fixed
> IP schemas. Since this network is only growing to include more and more
> clients I was thinking of using a DHCP server to handle IP
> configuration on new clients.

Why? DHCP is OK if you have no one who knows how to set up computers and you have computers coming and going, but it takes under a minute to statically configure _any_ OS, and it only needs to be done once.

> I've already got that working. But my main concern is how do you stop a
> rogue DHCP server from getting on the network and giving fake information
> to some clients?

Yeah, that's always been a weakness in DHCP since the BOOTP protocol before it. You could set up a system to monitor for DHCP packets, and alarm if anything other than your DHCP server responds, but setting that up to work reliably isn't going to be simple.

> And how about unauthorized clients?

    [compton ~]$ whatis arpwatch
    arpwatch (8)         - keep track of ethernet/ip address pairings
    [compton ~]$

Again, not foolproof. We monitor that, as well as the ARP tables on several servers, the routers, and the managed switches. We know the MAC and IP address pairing of all systems as well as which network drop they are supposed to be on. We also do NOT have 'live' network drops unused. They are disabled at the switches when a computer is removed from the drop. We also monitor packets on the network on a random basis to detect someone running a NAT box (IP Masquerade).

You're in Brazil, and I'm not familiar with the legal climate there. Here in the USA, it behooves you to have written policies in place, approved by your legal people, and acknowledged by ALL employees (signed copies in the personnel files). There are large signs at all building entrances reminding all of these policies.

        Old guy
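Added example, not posted by anyone in this thread: a Python 3 sketch of the monitor that Moe Trin describes above (and that Skylar's relay-only design tries to make unnecessary). It parses the UDP payload of DHCP server replies, compares both the IP-header source and the Server Identifier option (54) against an allow-list of legitimate servers, and also flags replies that hand out an unexpected default gateway, which is the usual goal of a rogue server. The server address, gateway, client MAC and the three-frame capture are constructed for the example; in a real deployment the payloads would come from a raw socket or a pcap on a switch mirror port, because OFFER/ACK messages are sent to the requesting client and a monitoring host on an ordinary access port may never see them.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"                # RFC 2131 options cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255

# Hypothetical site policy: the only server allowed to answer, and the gateway it hands out.
AUTHORIZED_SERVERS = {IPv4Address("192.168.1.1")}
EXPECTED_ROUTER = IPv4Address("192.168.1.1")


@dataclass
class DhcpMessage:
    op: int                 # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int
    yiaddr: IPv4Address     # address being offered or acknowledged
    chaddr: str             # client MAC
    options: dict = field(default_factory=dict)

    @property
    def msg_type(self) -> str:
        raw = self.options.get(OPT_MSG_TYPE) or b"\x00"
        return MSG_TYPES.get(raw[0], "UNKNOWN")


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse a DHCP UDP payload: 236-byte fixed header, magic cookie, then TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + min(hlen, 16)].hex(":")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")   # malformed packets are reported, not ignored
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, xid, IPv4Address(payload[16:20]), chaddr, options)


def check_server_reply(src_ip: str, msg: DhcpMessage) -> list:
    """Alerts for one server->client message. Both the IP source and option 54 are checked:
    a rogue can copy the real server's address into option 54, but not into its own frames."""
    alerts = []
    if msg.msg_type not in ("OFFER", "ACK", "NAK"):
        return alerts
    claimed = {IPv4Address(src_ip)}
    if OPT_SERVER_ID in msg.options:
        claimed.add(IPv4Address(msg.options[OPT_SERVER_ID][:4]))
    for server in sorted(claimed - AUTHORIZED_SERVERS):
        alerts.append(f"rogue DHCP server {server} sent {msg.msg_type} ({msg.yiaddr}) "
                      f"to {msg.chaddr}, xid {msg.xid:#010x}")
    router = msg.options.get(OPT_ROUTER)
    if router and IPv4Address(router[:4]) != EXPECTED_ROUTER:
        alerts.append(f"{msg.msg_type} to {msg.chaddr} pushes gateway {IPv4Address(router[:4])}, "
                      f"expected {EXPECTED_ROUTER}")
    return alerts


def build_reply(msg_type: str, server_id: str, client_mac: str, yiaddr: str, router: str,
                xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTREPLY for the sample capture (test data, not real traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed + IPv4Address(server_id).packed + b"\0" * 4
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0") + b"\0" * 192  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, {"OFFER": 2, "ACK": 5, "NAK": 6}[msg_type]])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


# Constructed capture as (IP source, DHCP payload): a legitimate offer, an honest rogue,
# and a rogue that writes the legitimate server's address into option 54.
SAMPLE_CAPTURE = [
    ("192.168.1.1",   build_reply("OFFER", "192.168.1.1",   "00:11:22:33:44:55", "192.168.1.50", "192.168.1.1")),
    ("192.168.1.250", build_reply("OFFER", "192.168.1.250", "00:11:22:33:44:55", "192.168.1.50", "192.168.1.250")),
    ("192.168.1.250", build_reply("ACK",   "192.168.1.1",   "00:11:22:33:44:55", "192.168.1.50", "192.168.1.1")),
]


def audit_capture(frames) -> list:
    """Run every (src_ip, payload) pair through the checks and return all alert lines."""
    alerts = []
    for src_ip, payload in frames:
        try:
            alerts.extend(check_server_reply(src_ip, parse_dhcp(payload)))
        except ValueError as exc:
            alerts.append(f"unparseable DHCP payload from {src_ip}: {exc}")
    return alerts


if __name__ == "__main__":
    for line in audit_capture(SAMPLE_CAPTURE):
        print("ALERT:", line)
```

Run stand-alone it prints three alerts: two for the 192.168.1.250 box (one per reply it sent, including the one that forged option 54) and one for the gateway it tried to push. This is detection, not prevention, as Moe Trin says: a rogue that also forges its IP and Ethernet source would pass the source check, so the Ethernet source of server replies is worth comparing against the real server's MAC too, and the relay-only layout Skylar describes is the stronger control.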
"danielv" <dvhirt@gmail.com> said:
> I currently admin a small network of about 12 clients, all with fixed
> IP schemas. Since this network is only growing to include more and more
> clients I was thinking of using a DHCP server to handle IP
> configuration on new clients. I've already got that working. But my main
> concern is how do you stop a rogue DHCP server from getting on the
> network and giving fake information to some clients? And how about
> unauthorized clients?

As "Old guy" wrote, you could monitor your network for DHCP responses originated by anything other than your official server(s).

As for unauthorized clients, using DHCP doesn't actually change the situation; there are a few things you could do (depending on your hardware):
- keep switch ports disabled by default
- when opening switch ports, lock them to a single MAC address
.... but especially the latter of the two tends to be more nuisance than help.

However, a written, approved, and legally binding policy would be one of the first things to have - just to make everyone in the company aware that there are rules, and bending/breaking the rules will not be tolerated. Of course, policy alone isn't enough - but without a policy any technical obstacle is just an invitation to circumvent it.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
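Added example, not from any poster in the thread: a Python 3 version of the arpwatch-style check Moe Trin describes (known MAC/IP pairing plus the drop each machine should be on) and of the one-MAC-per-port rule Juha mentions, done as monitoring rather than enforcement. It decodes broadcast ARP frames, compares the sender against an inventory of MAC, IP and switch port, and keeps the last MAC seen for each IP so a takeover of a known host's address shows up as a flip-flop the way arpwatch reports it. The inventory, port names and the five observations are constructed for the example; the port attribution assumes the collector can tell which switch port a frame entered on, which in practice comes from the switches' MAC address tables rather than from the frame itself.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
UNSPECIFIED = IPv4Address("0.0.0.0")   # sender address in an ARP probe (RFC 5227)

# Hypothetical inventory: MAC -> (assigned IP, switch port / network drop it should be on)
INVENTORY = {
    "00:11:22:33:44:55": (IPv4Address("192.168.1.50"), "sw1/3"),
    "00:11:22:33:44:66": (IPv4Address("192.168.1.51"), "sw1/4"),
}


@dataclass
class ArpEvent:
    oper: int            # 1 = request, 2 = reply
    eth_src: str         # Ethernet source MAC
    sha: str             # sender hardware address inside the ARP body
    spa: IPv4Address     # sender protocol address


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame; return None when it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("short frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return ArpEvent(oper, frame[6:12].hex(":"), frame[22:28].hex(":"), IPv4Address(frame[28:32]))


class ArpWatch:
    """Compare observed (MAC, IP, port) triples with the inventory and with earlier sightings."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.ip_owner = {}      # IP -> MAC that last claimed it

    def observe(self, port: str, frame: bytes) -> list:
        ev = parse_arp(frame)
        alerts = []
        if ev is None or ev.spa == UNSPECIFIED:
            return alerts       # not ARP, or a probe that does not claim an address yet
        if ev.sha != ev.eth_src:
            alerts.append(f"{port}: ARP sender {ev.sha} differs from frame source {ev.eth_src}")
        known = self.inventory.get(ev.sha)
        if known is None:
            alerts.append(f"{port}: unknown station {ev.sha} claiming {ev.spa}")
        else:
            ip, drop = known
            if ev.spa != ip:
                alerts.append(f"{port}: {ev.sha} claims {ev.spa}, inventory says {ip}")
            if port != drop:
                alerts.append(f"{port}: {ev.sha} should be on {drop}")
        prev = self.ip_owner.get(ev.spa)
        if prev is not None and prev != ev.sha:
            alerts.append(f"{port}: flip flop, {ev.spa} moved from {prev} to {ev.sha}")
        self.ip_owner[ev.spa] = ev.sha
        return alerts


def build_arp(eth_src: str, sha: str, spa: str, tpa: str, oper: int = 1) -> bytes:
    """Construct a broadcast ARP frame for the sample (test data, not captured traffic)."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    eth = b"\xff" * 6 + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + IPv4Address(spa).packed
    return eth + arp + b"\0" * 6 + IPv4Address(tpa).packed


# Constructed observations as (switch port, frame): two in-policy hosts, an unknown box,
# the same box answering for a known host's IP, and a known host plugged into the wrong drop.
SAMPLE_OBSERVATIONS = [
    ("sw1/3", build_arp("00:11:22:33:44:55", "00:11:22:33:44:55", "192.168.1.50", "192.168.1.1")),
    ("sw1/4", build_arp("00:11:22:33:44:66", "00:11:22:33:44:66", "192.168.1.51", "192.168.1.1")),
    ("sw1/7", build_arp("00:de:ad:be:ef:01", "00:de:ad:be:ef:01", "192.168.1.99", "192.168.1.1")),
    ("sw1/7", build_arp("00:de:ad:be:ef:01", "00:de:ad:be:ef:01", "192.168.1.50", "192.168.1.1", oper=2)),
    ("sw1/9", build_arp("00:11:22:33:44:66", "00:11:22:33:44:66", "192.168.1.51", "192.168.1.1")),
]


def audit(observations, inventory=INVENTORY) -> list:
    """Feed observations through one ArpWatch instance and collect every alert."""
    watch = ArpWatch(inventory)
    alerts = []
    for port, frame in observations:
        alerts.extend(watch.observe(port, frame))
    return alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_OBSERVATIONS):
        print("ALERT:", line)
```

The first two observations produce nothing; the unknown box raises one alert when it appears and two more when it takes over 192.168.1.50 (still unknown, and now a flip-flop against the inventoried owner), and the last frame shows an authorized host on a drop that should have been disabled. As both Moe Trin and Juha note, none of this stops a determined user from cloning an inventoried MAC and address; it tells you something moved, so the drop can be shut at the switch.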
Moe Trin wrote:
[putolin]
> We also monitor packets on the network on a random basis
> to detect someone running a NAT box (IP Masquerade).

Can you explain how this is done?

-- 
Dancin' in the ruins tonight
mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
Tayo'y Mga Pinoy