Question for InfoSec Types: Is DHCP a Security Risk?

August 25, 2008 on 2:42 pm | In Uncategorized |

We recently had an IT audit at one of my clients’ locations. One of the issues raised by the auditor was that our DHCP server was a security risk because it would allow anyone to plug in to the LAN, get an IP address, and start browsing or scanning the network for vulnerabilities. 

One alternative would be to maintain our DHCP server, but to have it only support DHCP reservations, and not just give out IPs to anyone who asks for them. (In other words, no leases in the scope without a reservation.) This would keep an unauthorized computer from being able to “just plug in” and go, as it were. 

Another concern would be that a hacker could plug in their own DHCP server, and start giving out leases on the LAN before it was detected, and then set up their own DNS, routes, etc.

What does it take for this to be considered an “acceptable risk?” Where would you draw the line, in this case? Statics, reservations, or push back and say “we want our open DHCP?”

Please leave your feedback and thoughts on this. If you don’t want to comment on my blog, drop me a note on Twitter or Pownce or Facebook or Jaiku or Plurk or Identica or any number of other social networks I’ve lost track of. I’m “nikolaidis” on all of them, except Facebook, where you’ll have to use the link or track me down the hard way.
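The rogue DHCP server concern raised above can be watched for by inspecting the DHCP replies seen on the LAN. The following is an added example, not part of the original post: it parses raw DHCP payloads (the UDP payload, however it was captured) and flags OFFER/ACK messages that come from a server outside an allowlist or that hand out unexpected router or DNS addresses. All addresses, the policy sets and the function names are constructed assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Assumed site policy (constructed values): legitimate server, routers, DNS.
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED = {"router": (3, {"10.0.0.1"}), "dns": (6, {"10.0.0.2", "10.0.0.3"})}

def parse_options(payload):
    """Return {option_code: raw_bytes} from a BOOTP/DHCP payload (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ips(raw):  # option value -> set of dotted-quad strings (ragged tail ignored)
    return {str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)}

def check_offer(payload):
    """Return findings for one DHCP reply; an empty list means it matches policy."""
    opts = parse_options(payload)
    msg_type = (opts.get(53) or b"\x00")[0]
    if payload[0] != 2 or msg_type not in (2, 5):   # only BOOTREPLY OFFER/ACK
        return []
    findings, server = [], ips(opts.get(54, b""))
    if not server or not server <= AUTHORIZED_SERVERS:
        findings.append(f"unauthorized DHCP server {sorted(server) or 'unknown'}")
    for name, (code, allowed) in EXPECTED.items():
        extra = ips(opts.get(code, b"")) - allowed
        if extra:
            findings.append(f"unexpected {name} {sorted(extra)}")
    return findings

def build_reply(server, router, dns, msg_type=2):  # constructed sample packet
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, ip("10.0.0.50"), ip(server), b"\0" * 4, b"\xaa" * 6, b"", b"")
    options = (bytes([53, 1, msg_type, 54, 4]) + ip(server) + bytes([3, 4]) + ip(router)
               + bytes([6, 4]) + ip(dns) + b"\xff")
    return header + MAGIC_COOKIE + options
```
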


3 Comments »


  1. A few years back I would have said no. Times have changed.

    I don’t view DHCP as a security issue. I see it more as a plug and play issue. It’s been my experience that people who have no idea how a network functions love to plug wireless access points and routers into the network. This makes troubleshooting fun.

    Security could be an issue if data on servers and workstations isn’t protected. If someone can walk in with a laptop, plug into the network and access data, you have a problem.

    When it comes to security one size does not fit all. Security is a balancing act. Be safe but not so safe that users can’t get anything done.

    Comment by DamienHull — August 25, 2008 #

  2. Disclaimer: I’m not truly an InfoSec, though I play one on my own network (don’t we all?)

    I think the auditor may be confusing physical access issues with network access… “if an intruder can just plug in a device” you have far more serious problems. Most offices don’t let people off the street plug in. If your client is in that situation (like a school or a cybercafe or an incubator), then those network jacks ought to be _outside_ the firewall, with VPN access to corporate resources.

    That said, access to the corporate network ought to be limited. MAC address filtering should only allow known devices. An employee bringing in a compromised home computer is just as large a threat. Wireless access should be filtered by MAC address and WPA2 or better (and perhaps firewalled VPN access from the WAP to the intranet). But computer users are going to have authorized devices (iPhones, laptops, etc.) that need to be using DHCP for their access on the road. Accommodating this can be done without significantly compromising the network.

    Comment by TedRoche — August 28, 2008 #

  3. I can capture and emulate the MAC of one of your ‘trusted’ machines inside of a couple minutes. There are even things out there to confuse switch ports about which MAC is on which port. MAC addresses should be used for ARP, not security. It’s fine to use them too for static DHCP so you can centralize device addressing.

    That said, if somebody can get onto your network, get an address via DHCP, and is then automatically authorized to do anything other than make recursive DNS queries and access a part of your Internet connection, you’ve got problems.

    Most people don’t need secure switch ports - it’s sufficient to secure services. If you do need secure switch ports, look into 802.1x or VPNs. And a security guard named Charlie with a .40S&W.

    Note: I’ve met auditors who don’t know what they’re doing and run down a checklist hammered out by college interns. Their fees have nothing to do with their competence, especially their ability to understand protocols.

    Comment by bill_mcgonigle — September 1, 2008 #
