nanog mailing list archives
Re: Secure DHCP?
From: Eric Germann <ekgermann () cctec com>
Date: Sun, 25 Jul 1999 06:16:35 -0400
WINS and SMB file sharing are not broadcast based. The name location mechanism in Windows networking is broadcast based, if you don't use WINS. WINS eliminates that need.

Eric

At 08:50 PM 7/24/99 -0700, Aaron Hopkins wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> > After having experienced a rather malicious attack on our corporate network by
> > someone running a rogue DHCP server, I'm wondering if there's any way to
> > prevent this from happening again?
>
> Ask your ethernet switch/bridge or cablemodem vendor for a method of disabling non-ARP broadcasts from being received by client machines. You can then trust your switches to direct such requests only to anything you let receive broadcasts, which should only be trusted servers. Cisco's IRB bridging has "subscriber-policy", which roughly approximates this; I use it for our DSL customers. I believe their higher-end switches can take layer-2 access-lists, which could be made to work similarly.
>
> Any protocol that relies on trusting the first server to reply to a broadcast is similarly vulnerable. I'm not sure there's a way to secure the protocol itself if the client has zero knowledge of the network it's on when it starts up, which is the point of DHCP.
>
> Note that disabling broadcasts may adversely affect some already-broken protocols, such as WINS or SMB. This might only prevent shares off of "client" machines from showing up in others' Network Neighborhood, but I can't say that I've tested it.
>
> Aaron Hopkins
> aaron () cyberverse com
> Chief Technical Officer, Cyberverse Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBN5qJmUfJWHAEvsjBAQHa/QP/TnuMtu17O2wn5F15fFITHdCUDOCLUqy1
> 4QyfzRLdyeNFQA5o5bSoPirP3DjgPb2s5l/0IgQjJDPPMehCnFNCQ7sFq/A3/+3I
> 3e7XsxASmHXDsxbQP490oPbKkfMEvtAXH9pYolwnfmuhxn/VPYXqOg4A1GomukBp
> PQlYBTOnSL0=
> =77jy
> -----END PGP SIGNATURE-----
==========================================================================
Eric Germann
CCTec
ekgermann () cctec com
Van Wert, OH 45891
http://www.cctec.com
Ph: 419 968 2640
ICQ: 41927048
Fax: 419 968 2641
Network Design, Connectivity & System Integration Services
A Microsoft Solution Provider
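Aaron's point in the quoted message, that a DHCP client takes the first OFFER it hears and has no way to tell a rogue server from the real one, is also what makes a rogue server easy to spot from the wire: any OFFER, ACK or NAK whose Server Identifier (option 54) is not one of your servers is the attacker. The Python below is an added example written for this archive page, not code from anyone in the thread. It parses raw DHCP payloads (the RFC 2131 fixed header plus RFC 2132 options) and flags server messages from unauthorized Server Identifiers; it complements the switch-level filtering Aaron describes, which keeps the offers away from client ports but does not tell you a rogue has appeared. The authorized server address, the two sample OFFERs and the rogue's addresses are all constructed for the example; it also goes slightly beyond the thread by treating an OFFER that omits option 54 as suspect, since a compliant server always includes it.

```python
"""Flag DHCP server messages (OFFER/ACK/NAK) from servers outside an allow-list.

Added example for the "Secure DHCP?" thread: a client accepts the first OFFER
it hears, so a rogue server on the same broadcast domain wins the race. This
parses raw DHCP payloads (UDP payload: RFC 2131 header + RFC 2132 options) and
reports server messages whose Server Identifier (option 54) is not authorized.
All packets below are constructed for the example, not captured traffic.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


def parse_options(raw):
    """Parse the TLV option area into {code: bytes}; stops at END (255)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Parse one DHCP message and return the fields a rogue-server check needs."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = IPv4Address(payload[16:20])          # address being handed out
    chaddr = payload[28:28 + hlen]                # client hardware address
    opts = parse_options(payload[240:])
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    server_id = IPv4Address(opts[54]) if 54 in opts else None
    router = IPv4Address(opts[3][:4]) if 3 in opts else None
    dns = IPv4Address(opts[6][:4]) if 6 in opts else None
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr.hex(":"),
            "type": msg_type, "server_id": server_id, "router": router, "dns": dns}


def rogue_server_messages(payloads, authorized):
    """Return parsed server messages (op=BOOTREPLY) not from an authorized server.

    A server message with no option 54 is flagged too: a compliant server
    always includes its Server Identifier, so its absence is itself a signal.
    """
    allowed = {IPv4Address(a) for a in authorized}
    flagged = []
    for p in payloads:
        m = parse_dhcp(p)
        if m["op"] != 2 or m["type"] not in SERVER_MSGS:
            continue
        if m["server_id"] is None or m["server_id"] not in allowed:
            flagged.append(m)
    return flagged


def build_offer(xid, client_mac, yiaddr, server_id, router, dns):
    """Construct a minimal DHCPOFFER (example input only, not captured traffic)."""
    head = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)           # op=2 BOOTREPLY
    head += IPv4Address("0.0.0.0").packed + IPv4Address(yiaddr).packed
    head += IPv4Address(server_id).packed + IPv4Address("0.0.0.0").packed
    head += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10  # chaddr, 16 bytes
    head += b"\x00" * 192                                              # sname + file
    opts = (b"\x35\x01\x02"                                   # 53: message type OFFER
            + b"\x36\x04" + IPv4Address(server_id).packed    # 54: server identifier
            + b"\x03\x04" + IPv4Address(router).packed       # 3: router
            + b"\x06\x04" + IPv4Address(dns).packed          # 6: DNS server
            + b"\xff")
    return head + MAGIC_COOKIE + opts


# Constructed sample: the real server, then a rogue answering the same xid and
# handing out itself as gateway and DNS so it sits in the path of every client.
AUTHORIZED = ["10.0.0.1"]
SAMPLE = [
    build_offer(0x1234, "00:11:22:33:44:55", "10.0.0.50", "10.0.0.1", "10.0.0.1", "10.0.0.1"),
    build_offer(0x1234, "00:11:22:33:44:55", "10.0.0.99", "10.0.0.250", "10.0.0.250", "10.0.0.250"),
]

if __name__ == "__main__":
    for m in rogue_server_messages(SAMPLE, AUTHORIZED):
        print("rogue %s from %s: offers %s gw %s dns %s to %s (xid %#x)" % (
            m["type"], m["server_id"], m["yiaddr"], m["router"], m["dns"], m["chaddr"], m["xid"]))
```

To use it on a live segment, feed `rogue_server_messages` the UDP payloads seen on port 68 from a span port or a host that simply listens (a rogue's OFFER is unicast or broadcast to the client, so a passive listener on the same broadcast domain sees the broadcast case); the allow-list is the only configuration. Matching on the Server Identifier rather than the source IP matters because a rogue can spoof the packet's source address but must put an address it controls in option 54 for the client's REQUEST to reach it.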
Current thread:
- Secure DHCP? Nicholas Bastin (Jul 24)
- Re: Secure DHCP? Daniel Senie (Jul 24)
- Re: Secure DHCP? Andrea Di Lecce (Jul 25)
- Re: Secure DHCP? Aaron Hopkins (Jul 24)
- Re: Secure DHCP? Eric Germann (Jul 25)
- Re: Secure DHCP? Alex Bligh (Jul 25)
- Re: Secure DHCP? Fletcher E Kittredge (Jul 26)
- Re: Secure DHCP? Daniel Senie (Jul 26)
- Re: Secure DHCP? Daniel Senie (Jul 24)