Comments on: Question for InfoSec Types: Is DHCP a Security Risk?

By: bill_mcgonigle

bill_mcgonigle — Mon, 01 Sep 2008 06:14:07 +0000

I can capture and emulate the MAC of one of your ‘trusted’ machines inside of a couple minutes. There are even things out there to confuse switch ports about which MAC is on which port. MAC addresses should be used for ARP, not security. It’s fine to use them too for static DHCP so you can centralize device addressing.

That said, if somebody can get onto your network, get an address via DHCP, and is then automatically authorized to do anything other than make recursive DNS queries and access a part of your Internet connection, you’ve got problems.

Most people don’t need secure switch ports – it’s sufficient to secure services. If you do need secure switch ports, look into 802.1x or VPN’s. And a security guard named Charlie with a .40S&W.

Note: I’ve met auditors who don’t know what they’re doing and run down a checklist hammered out by college interns. Their fees have nothing to do with their competence, especially their ability to understand protocols.

By: TedRoche

TedRoche — Thu, 28 Aug 2008 15:47:54 +0000

Disclaimer: I’m not truly an InfoSec, though I play one on my own network (don’t we all?)

I think the auditor may be confusing physical access issues with network access… “if an intruder can just plug in a device” you have far more serious problems. Most offices don’t let people off the street plug in. If your client is in that situation (like a school or a cybercafe or an incubator), then those network jacks ought to be _outside_ the firewall, with VPN access to corporate resources.

That said, access to the corporate network ought to be limited. MAC address filtering should only allow known devices. An employee bringing in a compromised home computer is just as large a threat. Wireless access should be filtered by MAC address and WPA2 or better (and perhaps firewalled VPN access from the WAP to the intranet). But computer users are going to have authorized devices (iPhones, laptops, etc.) that need to be using DHCP for their access on the road. Accomodating this can be done without significantly compromising the network.

By: DamienHull

DamienHull — Mon, 25 Aug 2008 20:20:12 +0000

A few years back I would have said no. Times have changed.

I don’t view DHCP as a security issue. I see it more as a plug and play issue. It’s been my experience that people who have no idea how a network functions love to plug wireless access points and routers into the network. This makes trouble shooting fun.

Security could be an issue if data on servers and workstations isn’t protected. If someone can walk in with a laptop, plug into the network and access data, you have a problem.

When it comes to security one size does not fit all. Security is balancing act. Be safe but not so safe that users can’t get anything done.