Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

DHCP Snooping

From: "Juan Munera" <jmunera () avborne aero>
Date: Mon, 26 Jun 2006 08:38:19 -0400

Ports that should be trusted are the DHCP server as well as the gateway/router.  All client ports should be un-trusted. 
 They will only be able to forward DHCP requests.  In the case that any client sends out a DHCP acknowledgement, that 
port is shut down.

-----Original Message-----
From: Dmitry Cherkasov [mailto:doctorchd () gmail com] 
Sent: Thursday, June 08, 2006 7:21 AM
To: Sven Édouard
Cc: security-basics () securityfocus com
Subject: Re: DHCP Snooping

2006/6/7, Sven Édouard <sven_edouard () fastmail co uk>:

DHCP Security is ultimately a tricky proposition, keep in mind that
these communications are sent over UDP, which can be spoofed, therefore,
what you would need to do is force everyone's configuration to be a
static one in order to avoid a spoofed respose condition.



Port-based VLANs solve this problem. No traffic between clients is
sent past the router.



Also, there is the risk that someone on your network is using the same
MAC address as another user, and therefore could see all of the traffic
intended for that user. I think you could cover these cases by deploying
VLANS but just wanted to bring up these potential issues.


DHCP-authorized ARP solves this issue. The MAC is present in the ARP
table of the router only when a corresponding client obtained his
settings from DHCP server. Additional security may be gained if you
setup proper MAC filters on access ports of your switches.




Sven




On 6 Jun 2006 19:52:59 -0000, timpacalypse () yahoo com said:

I'm looking at deploying DHCP Snooping in our environment.  I just want
to make sure I've got this straight.

We only have 1 DHCP server.  So the only port that I need to say is
trusted is the one the DHCP Server is connected to, right?  I don't want
anyone to be able to deploy any rogue DHCP Servers in the network.  We
are using VLANS, but I don't need to set the trunk ports as trusted do I?

--
  Sven Édouard
  sven_edouard () fastmail co uk

--
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html





-- 
Dmitry Cherkasov

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: