Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: yossarian
Date: Wed Jan 22 08:43:01 2003

> Some security consultants highly recommended static addressing
> across the board for security and control reasons - i.e. access-list
> control and the potential for compromise of the DHCP database. I have
> searched google etc and found a few articles and whitepapers.

IMHO, using static addressing for security reasons is ineffective against
real hackers, since IP spoofing is standard. If you log the addresses used,
DHCP will not make forensics impossible.

Compromising the DHCP is feasible; the result will be a denial of service,
since there will be double addresses. Users reboot, get a new address, and
get on with their work. Or you compromise the DHCP database so that it will
give out other ranges of IP addresses. So? If people take down the DHCP,
well, use a distributed system so another server will take over, and client
systems will probably use the cached IP address anyway.

The only risk to DHCP is people attaching rogue computers to your network.
But the risk is marginal, since all you need to do is find out which ranges
are used, and pick an address used by someone else. Any sniffer will do this.
And using ACLs to ensure that just known PCs attach is not really feasible
in an MS shop, since connections to MS servers are done on computer names,
not IP addresses.

> We have historically configured static IPs on servers, routers, switches
> all outside-facing devices. We do have several multi-homed devices with
> static, public IP and a second interface facing inside (these are being
> migrated to DMZ where multi-homing will no longer be necessary.) However
> this does get to be a pain when making across-the-board changes.
> Documentation is a bear as well since we are a small company with little
> resources available to keep detailed network drawings up-to-date.

I think using static addressing with more than a handful of systems will
result in more downtime because of human error than security incidents
generally do. Using the time freed by less documentation for patching and
study is much more effective.

> Is there any experience with compromised DHCP databases in MS
> Any strong opinions or reasoning pro or con the use of DHCP? Any
> recommendations for shoring up the service and its traffic?

I encountered a DHCP server with a trojan on it once, but the incident was
really minor: the server was used to cover tracks to other systems. What is
the use of attacking DHCP if there are easier ways of attacking, like ARP
cache poisoning?

Patch the servers, monitor them, do the general rigmarole, and use DHCP,
like most companies do.
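The reply above rests on two practical points: that logged DHCP leases keep forensics possible, and that a tampered DHCP server shows up as double addresses. The following is an added example, not code from the poster or from this thread, showing how a lease audit log answers "who held this IP at that time" and how address handovers without a release and server-reported conflicts can be pulled out of the same log. The log layout is an assumption modelled on the Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address, with IDs 10/11/12/13 for assign/renew/release/conflict), and the sample lines are constructed, not real data.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, not real data. Field order is an assumption modelled on the
# Windows DHCP server audit log; event IDs assumed: 10 assign, 11 renew, 12 release,
# 13 conflict (address detected in use by another host).
SAMPLE_LOG = """\
10,01/22/03,08:01:12,Assign,10.0.1.50,pc-alice.corp.example,00112233AA01
10,01/22/03,08:05:40,Assign,10.0.1.51,pc-bob.corp.example,00112233AA02
12,01/22/03,11:30:00,Release,10.0.1.50,pc-alice.corp.example,00112233AA01
10,01/22/03,11:31:05,Assign,10.0.1.50,laptop-unknown,DEADBEEF0001
11,01/22/03,12:00:00,Renew,10.0.1.51,pc-bob.corp.example,00112233AA02
13,01/22/03,12:10:00,Conflict,10.0.1.51,,
10,01/22/03,12:15:00,Assign,10.0.1.51,pc-carol.corp.example,00112233AA03
"""

ASSIGN, RENEW, RELEASE, CONFLICT = "10", "11", "12", "13"


@dataclass
class Event:
    id: str
    ts: datetime
    ip: str
    host: str
    mac: str


@dataclass
class Lease:
    start: datetime
    end: Optional[datetime]
    mac: str
    host: str
    closed_by: Optional[str] = None  # "release", "reassign", or None while still open


def ts(text: str) -> datetime:
    """Helper for queries: '2003-01-22 09:00:00' -> datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_log(text: str) -> List[Event]:
    """Parse audit-log lines into Events; header/preamble rows are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 7 or not row[0].isdigit():
            continue
        eid, date, time_, _desc, ip, host, mac = row[:7]
        when = datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")
        events.append(Event(eid, when, ip, host, mac.lower()))
    events.sort(key=lambda e: e.ts)  # files are normally in order, but do not rely on it
    return events


def lease_history(events: List[Event]) -> Dict[str, List[Lease]]:
    """Per IP, the sequence of leases with start, end and holder."""
    history: Dict[str, List[Lease]] = defaultdict(list)
    for e in events:
        leases = history[e.ip]
        current = leases[-1] if leases and leases[-1].end is None else None
        if e.id in (ASSIGN, RENEW):
            if current and current.mac == e.mac:
                continue  # same client keeping its lease: nothing changes
            if current:
                # Address handed to a different client with no release in between:
                # this is what a duplicate address or a tampered server looks like in the log.
                current.end, current.closed_by = e.ts, "reassign"
            leases.append(Lease(e.ts, None, e.mac, e.host))
        elif e.id == RELEASE and current and current.mac == e.mac:
            current.end, current.closed_by = e.ts, "release"
    return dict(history)


def who_had(history: Dict[str, List[Lease]], ip: str, at: datetime) -> Optional[Lease]:
    """The forensic question: which client held `ip` at time `at`?"""
    for lease in history.get(ip, []):
        if lease.start <= at and (lease.end is None or at < lease.end):
            return lease
    return None


def conflicts(events: List[Event]) -> List[Tuple[datetime, str]]:
    """Addresses the server itself reported as in use by two hosts."""
    return [(e.ts, e.ip) for e in events if e.id == CONFLICT]


def unreleased_handovers(history: Dict[str, List[Lease]]) -> List[Tuple[str, datetime, str, str]]:
    """(ip, when, old_mac, new_mac) for each lease ended by reassignment rather than release."""
    out = []
    for ip, leases in history.items():
        for prev, nxt in zip(leases, leases[1:]):
            if prev.closed_by == "reassign":
                out.append((ip, nxt.start, prev.mac, nxt.mac))
    return out


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hist = lease_history(ev)
    print(who_had(hist, "10.0.1.50", ts("2003-01-22 09:00:00")))
    print(conflicts(ev))
    print(unreleased_handovers(hist))
```

The MAC address is what ties a lease to a machine, and a sniffer-level spoofer can change it too, so the lease log places a MAC at an IP for a time window; switch port logs or 802.1X records are what place a physical machine behind that MAC.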