
DHCP Security

DHCP Snooping and Security. David Mitchell, 03/19/2008. Topics: what is the danger, how do we mitigate it, how it works, what NETS will need, futures. The DHCP server on a subnet performs some important tasks from a security point of view.


Presentation Transcript


  1. DHCP Snooping and Security David Mitchell 03/19/2008 DHCP Security

  2. DHCP Snooping
  • What is the danger
  • How do we mitigate it
  • How it works
  • What NETS will need
  • Futures

  3. What is the danger
  • The DHCP server on a subnet performs some important tasks from a security point of view.
  • Defines the default route. A malicious server could intercept all traffic leaving the subnet by handing out the wrong default gateway.
  • Defines the DNS server. A malicious server could redirect traffic to incorrect web sites.

  4. How do we mitigate it
  • Prevent every port on a subnet from being a valid source for DHCP server packets.
  • Can be done with a simple VLAN Access List (VACL).
  • Can also be done intelligently via DHCP Snooping.

  5. Futures
  • Once DHCP snooping is working and binding tables are up to date, the screws can be tightened.
  • Switch can inspect all ARP responses to ensure that their contents match the DHCP lease for that port.
  • (Some) switches can inspect all packets to ensure source MAC and IP match the DHCP lease.

  6. More Info
  • http://www.cisl.ucar.edu/nets/internal/docs/trips/2007/dm-cisco-networkers-2007-notes/wednesday.html – includes notes on layer 2 attacks and their mitigations.

  7. How It Works
  • Switch installs a VACL to intercept all DHCP packets and send them to the processor for interpretation.
  • Snooping is enabled per-VLAN on each switch.
  • Ports in a VLAN are defined as trusted or untrusted depending on whether or not they are allowed to act as a DHCP server.

  8. How It Works Continued
  • Switch tracks all DHCP requests and responses.
  • Builds a table which defines which IP address and MAC binding is valid on each port.
  • Optionally adds the switch name and port to DHCP requests so the DHCP server will have that information.
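The snooping logic of slides 7 and 8 (trusted vs. untrusted ports, binding table learned from the DHCP exchange, switch name and port tagged onto client requests) and the ARP check from slide 5, modelled as an added example; this is illustrative code written for this transcript, not the switch vendor's implementation. Port names, MAC and IP addresses and the switch name are constructed sample values.

```python
from dataclasses import dataclass, field

# Message types that only a DHCP server legitimately sends
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    kind: str              # DISCOVER, OFFER, REQUEST, ACK or NAK
    client_mac: str        # chaddr: the client the message concerns
    yiaddr: str = ""       # address offered/confirmed (server messages only)
    option82: str = ""     # relay-agent info the switch adds when forwarding

@dataclass
class SnoopingSwitch:
    name: str
    trusted: set                                   # ports allowed to source server messages
    pending: dict = field(default_factory=dict)    # client_mac -> port it asked from
    bindings: dict = field(default_factory=dict)   # port -> (mac, ip) learned from ACKs

    def on_dhcp(self, port: str, msg: DhcpMsg) -> str:
        """Decide 'forward' or 'drop' for a DHCP packet seen on `port`."""
        if msg.kind in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"        # server reply on an access port: rogue server
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                client_port = self.pending.pop(msg.client_mac)
                self.bindings[client_port] = (msg.client_mac, msg.yiaddr)
            return "forward"
        # client message: remember which port it came from, tag switch name + port
        self.pending[msg.client_mac] = port
        msg.option82 = f"{self.name}/{port}"
        return "forward"

    def on_arp_reply(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """ARP inspection: an untrusted port may only claim its own DHCP binding."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get(port) == (sender_mac, sender_ip) else "drop"

def demo():
    sw = SnoopingSwitch("sw1", trusted={"Gi1/1"})          # Gi1/1 = uplink to the real server
    mac = "00:11:22:33:44:55"
    sw.on_dhcp("Gi1/5", DhcpMsg("DISCOVER", mac))
    rogue = sw.on_dhcp("Gi1/7", DhcpMsg("OFFER", mac, "10.0.0.99"))   # OFFER from access port
    sw.on_dhcp("Gi1/1", DhcpMsg("OFFER", mac, "10.0.0.20"))
    sw.on_dhcp("Gi1/5", DhcpMsg("REQUEST", mac))
    sw.on_dhcp("Gi1/1", DhcpMsg("ACK", mac, "10.0.0.20"))
    good = sw.on_arp_reply("Gi1/5", mac, "10.0.0.20")      # matches the learned lease
    spoof = sw.on_arp_reply("Gi1/5", mac, "10.0.0.1")      # claims an address it never leased
    return rogue, good, spoof, sw.bindings

if __name__ == "__main__":
    print(demo())
```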

  9. What NETS Will Need
  • Primarily a list of what subnets are doing DHCP and what ports have DHCP servers connected to them.
  • List of what hosts are using static IP addresses.
  • NETS may be able to autogenerate this to some extent.
  • Increased usage of DHCP will reduce the need for this.
