
Thread: DHCP and network security

  #1 (Join Date: May 2008, Posts: 20)

    Anyone use DHCP for address allocation on their corporate network? Do you just let it dish out addresses at random?

    A safer way, though admittedly a far more tedious approach, is to dish out addresses based on the MAC address of the network card. I know it means people have to ask you before they can get on the LAN, but in my mind this is a good thing.

    If you can enforce a one-to-one mapping of IP address to MAC address, not only is troubleshooting made easier, but it means that you know what's connected to the network.

    The initial setup process is tedious, as you have to do a MAC address audit of everything you own and introduce a policy for people bringing in their laptops for the first time. But it's well worth it, and all of the popular DHCP servers (including the one that comes with Red Hat Linux and the one in Windows 2000 Server) can handle this mapping process. Oh, and make sure you use something like "arpwatch" to monitor the network for new addresses or people changing the IP address of their PC by hand.
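
The "one MAC per IP plus arpwatch" approach in the post above, as an added example that is not part of the original post: a small arpwatch-style check that compares ARP sightings with a fixed MAC-to-IP reservation table and raises the three events the poster cares about (a MAC nobody has registered, a known machine whose IP was changed by hand, and a reserved IP claimed by the wrong MAC). The reservation table and the ARP observations are constructed for illustration; nothing here is taken from a real network or from arpwatch's own code.

```python
"""arpwatch-style check of observed ARP traffic against a fixed MAC->IP table.

Added example, not from the original post.  RESERVATIONS and ARP_OBSERVATIONS
below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed DHCP reservations: exactly one MAC per IP, as the post recommends.
RESERVATIONS = {
    "00:11:22:33:44:01": "10.0.0.11",
    "00:11:22:33:44:02": "10.0.0.12",
    "00:11:22:33:44:03": "10.0.0.13",
}

# Constructed ARP sightings: (time, sender IP, sender MAC), i.e. what a sniffer
# on the segment would see in gratuitous ARPs and ARP replies.
ARP_OBSERVATIONS = [
    ("09:00:01", "10.0.0.11", "00:11:22:33:44:01"),  # known host, correct IP
    ("09:00:05", "10.0.0.12", "00:11:22:33:44:02"),  # known host, correct IP
    ("09:03:10", "10.0.0.99", "00:11:22:33:44:02"),  # host 02 set an IP by hand
    ("09:04:42", "10.0.0.13", "aa:bb:cc:dd:ee:ff"),  # unknown MAC on a reserved IP
    ("09:05:00", "10.0.0.50", "de:ad:be:ef:00:01"),  # unknown MAC, unknown IP
]


@dataclass(frozen=True)
class Alert:
    time: str
    kind: str
    ip: str
    mac: str
    detail: str


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated; Windows tools print MACs as 00-11-22-..."""
    return mac.lower().replace("-", ":")


def check_arp(observations, reservations):
    """Compare each ARP sighting with the reservation table.

    Returns one Alert per problem found:
      new_station      - MAC with no reservation at all (unvetted device)
      ip_changed       - known MAC using an IP other than its reservation
      address_conflict - a reserved IP claimed by a MAC other than its owner
    An unknown MAC sitting on a reserved IP yields both new_station and
    address_conflict, since both facts matter to whoever investigates.
    """
    reservations = {normalise_mac(m): ip for m, ip in reservations.items()}
    ip_owner = {ip: mac for mac, ip in reservations.items()}
    alerts = []
    for when, ip, mac in observations:
        mac = normalise_mac(mac)
        if mac not in reservations:
            alerts.append(Alert(when, "new_station", ip, mac,
                                "MAC has no DHCP reservation"))
        elif reservations[mac] != ip:
            alerts.append(Alert(when, "ip_changed", ip, mac,
                                f"reserved {reservations[mac]}, seen using {ip}"))
        owner = ip_owner.get(ip)
        if owner is not None and owner != mac:
            alerts.append(Alert(when, "address_conflict", ip, mac,
                                f"IP is reserved for {owner}"))
    return alerts


def alert_kinds(alerts):
    """Just the event types, in the order they were raised."""
    return [a.kind for a in alerts]


if __name__ == "__main__":
    for a in check_arp(ARP_OBSERVATIONS, RESERVATIONS):
        print(f"{a.time} {a.kind:17} {a.ip:12} {a.mac}  {a.detail}")
```

Feeding this from a live capture is the only real work left (arpwatch itself reads the wire and keeps its database in `arp.dat`); the point of the example is the comparison logic, and in particular that a reservation table only lets you detect a hand-set IP after the fact, which is the limitation later posts in the thread pick up on.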

  #2 (Join Date: May 2008, Posts: 24)

    What exactly would this get you? Especially in a pan-European environment where my user base is constantly moving between European offices.

    I'm afraid this is one example of the theory being sound while the practicality is not. Why is it well worth it? How does it benefit troubleshooting? If you implement a good naming convention on AD, with its DDNS, then you can locate any machine via its allocated IP easily. I'm confused as to the benefits while I am pretty sure as to the cost: an increased load on my support staff, more management of my DHCP setup for my systems admins, hassle for corporate visitors from the US and my European staff, hassle for the guys who run the call centres and have to move between the two. And all of this adds to hassle for me and causes me to have to leave the pub. And that I could do without.

    Cyryl

  #3 (Join Date: May 2008, Posts: 20)

    I like the idea of MAC address allocated DHCP and agree with the points that Mike raised. Sometimes, though, it's just gotta be done.

    Working in a company that runs two to three different LAN spaces per country, we have great overheads for support as it is. Your typical office workers want to be able to plug in and work without questions, and do this in any office around the world. However, on LANs that we don't want them to randomly access, turning off DHCP prevents the non-techy from getting access. It still frustrates them, though, as they can't work, and enrages them into coming shouting at the IT support desk.

    We're considering taking things a little lower: dynamic VLANs. We're still going to have to do a full MAC address audit, but this need not be done internationally in one hit. Once all countries are up to speed, however, when any member of the company turns up at any of the international sites, they will be able to plug in to any network point, be automatically joined to the VLAN they belong to, and have access to all the services they would have in their home office.

    Removing the default VLANs also means we prevent any contractors, visitors and temp staff from plugging their devices into the network before they have been vetted by the IT department.

  #4 (Join Date: May 2008, Posts: 42)

    Hi all,

    I agree that using MAC addresses to restrict users is good. But when you are looking after global sites, it is an absolute nightmare to administrate. Also, what happens if your database becomes corrupt? You have to find all those addresses and reconfigure the DHCP database again. To overcome this I have been using multiple DHCP servers and a workstation, and run various batch files to back up and copy the DHCP database. This way you have a copy of the DHCP database and a recovery path.

    However, using VLANs restricts users from certain areas to only a set range of IP addresses. Using this with DDNS you should be able to locate the machine relatively quickly. Also, users should be allowed to set their own IP address on the desktop/laptop. This just causes more issues.

    There are pros and cons for the above solutions; it depends on what will work best with your current environment.

    Enjoy

    Emilia

  #5 (Join Date: May 2008, Posts: 20)

    Cyryl makes a valid point - I have to admit that I've not delved into the wonders that AD gives you yet, and so perhaps I'm just a bit old-fashioned.

    However, I do think that you need to be able to track network traffic back to its source, and if your users don't all have unique logins (or you don't permit guests to log in at all, you just give them an address and let them have an Internet connection) then you can't do this just via the directory service.

  #6 (Join Date: May 2008, Posts: 219)

    I think there's a finer point in all this. One of Dave's key words was "safer". In terms of something like AD, a host may in fact use DDNS to update the hostname with the IP address; however, this isn't an ongoing map (similar to standard DHCP). So, a month on, you find out that something was attempting multiple connects to a service on a machine, coming from an IP address with no hostname lookup. (How many services do this? Too many.) In other words, no record of who attempted what.

    Dave's rule is similar to one which a lot of people recommend to secure (pfft!) WAPs: that you have a list of the MAC addresses you will accept. It also stops people bringing their home machine into work to steal software (oh, it happens!). It's a precautionary tale.

    That said, I do agree it's a hell of a lot of effort, and perhaps treating "mobile" users as mobile, and stationary users as locked dhcp candidates is a compromise.

    Philip
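
The "a month on, no record of who had that IP" problem Philip raises, as an added example that is not part of the original post: DDNS only tells you the current name-to-address mapping, so historical attribution has to come from retained DHCP lease records. The snippet parses lease entries in the ISC `dhcpd.leases` text format (the server Red Hat ships) and answers "which MAC, and which client-reported hostname, held this IP at that time". The lease text is constructed; the format (UTC timestamps written as `starts <weekday> Y/m/d H:M:S;`) is the real one, and because dhcpd appends records rather than rewriting them, the retained copies of that file are exactly what you would query.

```python
"""Who held this IP at that time?  Attribution from retained dhcpd.leases data.

Added example, not from the original post.  LEASES_TEXT is constructed in the
ISC dhcpd.leases format; times in that file are UTC.
"""
import re
from datetime import datetime, timezone

LEASES_TEXT = """
lease 10.0.0.23 {
  starts 3 2008/05/14 09:12:00;
  ends 3 2008/05/14 21:12:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:02;
  client-hostname "laptop-cyryl";
}
lease 10.0.0.23 {
  starts 4 2008/05/15 08:02:30;
  ends 4 2008/05/15 20:02:30;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.0.24 {
  starts 4 2008/05/15 08:10:00;
  ends 4 2008/05/15 20:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:03;
  client-hostname "desk-03";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# "starts 3 2008/05/14 09:12:00;" -> the digit after the keyword is the weekday
TIME_RE = re.compile(
    r"^\s*(starts|ends)\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});", re.M)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_time(s):
    """'2008/05/14 09:12:00' (UTC, as dhcpd writes it) -> aware datetime."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return a list of lease dicts in file order (dhcpd appends, so later
    records for the same IP supersede earlier ones)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        times = dict(TIME_RE.findall(body))
        mac = MAC_RE.search(body)
        if not mac or "starts" not in times or "ends" not in times:
            continue  # incomplete record, e.g. "ends never;" for fixed hosts
        host = HOST_RE.search(body)
        leases.append({
            "ip": ip,
            "starts": parse_time(times["starts"]),
            "ends": parse_time(times["ends"]),
            "mac": mac.group(1).lower(),
            "hostname": host.group(1) if host else None,
        })
    return leases


def who_had(leases, ip, at):
    """(mac, hostname) for the lease covering `ip` at UTC time `at`
    ('YYYY/mm/dd HH:MM:SS'), or None if no retained lease covers it."""
    t = parse_time(at)
    hits = [l for l in leases if l["ip"] == ip and l["starts"] <= t < l["ends"]]
    if not hits:
        return None
    lease = hits[-1]  # last record written for an overlapping window wins
    return (lease["mac"], lease["hostname"])


if __name__ == "__main__":
    leases = parse_leases(LEASES_TEXT)
    print(who_had(leases, "10.0.0.23", "2008/05/14 15:00:00"))
    print(who_had(leases, "10.0.0.23", "2008/05/15 09:00:00"))
```

Two caveats a practitioner would add: `client-hostname` is whatever the client chose to send, so it is a hint rather than evidence, and the lease file only answers the question if it is being retained for longer than the incident-discovery delay (the "month on" in the post), which means archiving rotated copies rather than relying on the live file.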

  #7 (Join Date: May 2008, Posts: 12)

    We come to the age old dilemma of balancing convenience and security.

    DHCP is very convenient for administrators and users alike - but it opens an opportunity for someone to innocently plug in an untrusted machine (because they don't need admin input to get it up and running) ... of course, if this is their personal laptop then it may have previously been connected to the Internet and suddenly we may have a worm outbreak (with a valid IP address to propagate from)

    Locking down the MAC address doesn't represent security against a malicious user (because they can either change their MAC address or, more likely, simply configure in an IP Address and hope it's not in use).

    Dynamic VLANs look like a usable solution for the problem of staff moving between offices, avoiding the need to allow access to all MAC addresses, but they shouldn't be considered a security measure against someone wishing to attack the LAN (they can still modify their MAC address).

    Placing this sanity check in the switch (I hesitate to say security measure) makes more sense than DHCP because it also blocks people from adding illegitimate machines to the LAN which have a valid IP address configured as well as devices that only operate at layer 2.

    It comes down to a business decision: you either put the emphasis on user security awareness so that they know better than to plug in 'untrusted' devices, perhaps with network monitoring to alert on new machines being added to the LAN, or you ensure that people moving between sites are aware of the issues so that they forewarn admin staff that their details need to be included in whatever checking system is in place.
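
The "put the sanity check in the switch" point above, as an added example that is not part of the original post. It is a Python simulation of what an access switch does with a DHCP-snooping binding table and a per-port MAC limit: each frame is judged against the (port, MAC, IP) bindings learned from DHCP acknowledgements on untrusted ports, so a hand-configured static IP, a cloned MAC appearing on the wrong port, and a layer-2-only device with no lease are all dropped at the edge instead of merely noticed later. This is not vendor configuration; port names, MACs, addresses and the bindings are constructed, and the rules are the generic ones, not a particular switch's implementation.

```python
"""Simulated switch-side check: port security + DHCP snooping binding table.

Added example, not from the original post.  BINDINGS, TRUSTED_PORTS and FRAMES
are constructed; the logic is a generic model, not any vendor's feature set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: str   # access port the DHCP client is attached to
    mac: str    # client hardware address from the DHCP exchange
    ip: str     # address the server handed out (snooped from the ACK)


# Bindings a switch would have learned by snooping DHCP ACKs on access ports.
BINDINGS = [
    Binding("Gi0/1", "00:11:22:33:44:01", "10.0.0.11"),
    Binding("Gi0/2", "00:11:22:33:44:02", "10.0.0.12"),
]
TRUSTED_PORTS = {"Gi0/24"}   # uplink towards the DHCP server; not checked
MAX_MACS_PER_PORT = 1        # port-security style limit per access port

# Constructed traffic: (port, source MAC, source IP or None for a pure L2 frame)
FRAMES = [
    ("Gi0/1",  "00:11:22:33:44:01", "10.0.0.11"),  # legitimate DHCP client
    ("Gi0/1",  "00:11:22:33:44:01", "10.0.0.99"),  # same host, IP set by hand
    ("Gi0/2",  "00:11:22:33:44:01", "10.0.0.11"),  # host 01's MAC cloned, wrong port
    ("Gi0/3",  "de:ad:be:ef:00:01", None),         # unknown layer-2-only device
    ("Gi0/24", "00:50:56:aa:bb:cc", "10.0.0.1"),   # uplink: trusted, forwarded
]


def judge_frame(port, src_mac, src_ip, bindings,
                trusted=TRUSTED_PORTS, max_macs=MAX_MACS_PER_PORT):
    """Return (verdict, reason) where verdict is 'forward' or 'drop'.

    Order of checks mirrors the edge features: trusted ports bypass everything,
    then the per-port MAC limit, then the requirement that the MAC have a DHCP
    binding on this port, then (for IP frames) that the IP match that binding.
    """
    if port in trusted:
        return ("forward", "trusted port")
    on_port = [b for b in bindings if b.port == port]
    known_macs = {b.mac for b in on_port}
    if src_mac not in known_macs:
        if len(known_macs) >= max_macs:
            return ("drop", "port-security: MAC limit reached on port")
        # no lease was ever issued to this MAC on this port: a static-IP host
        # or a device that never speaks IP at all
        return ("drop", "no DHCP binding for this MAC on this port")
    if src_ip is None:
        return ("forward", "layer-2 frame from bound MAC")
    if any(b.mac == src_mac and b.ip == src_ip for b in on_port):
        return ("forward", "matches binding")
    return ("drop", "ip-source-guard: IP does not match binding for MAC")


def judge_all(frames, bindings):
    """Verdicts for a batch of frames, in order."""
    return [judge_frame(p, m, ip, bindings)[0] for p, m, ip in frames]


if __name__ == "__main__":
    for (port, mac, ip), verdict in zip(FRAMES, judge_all(FRAMES, BINDINGS)):
        print(f"{port:6} {mac} {str(ip):12} {verdict:8} "
              f"{judge_frame(port, mac, ip, BINDINGS)[1]}")
```

Note what this does and does not buy you, which is the post's own caveat: the binding is still keyed on the MAC, so an attacker who unplugs the legitimate machine and clones its MAC on the same port, then requests or reuses the same IP, passes every check here. The switch-side check raises the bar from "set an IP and hope" to "physically displace a known host", which is a real improvement but not authentication.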
