Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: yossarian (yossarian@planet.nl)
Date: 01/22/03


From: "yossarian" <yossarian@planet.nl>
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed Jan 22 08:43:01 2003


> Some security consultants highly recommended static addressing
> across the board for security and control reasons - i.e.. access-list
> control and the potential for compromise of the DHCP database. I have
> searched google etc and found a few articles and whitepapers.

IMHO, using static addressing for security reasons is ineffective against
real hackers, since IP spoofing is standard. If you log the addresses used,
DHCP will not make forensics impossible.

Compromising the DHCP is feasible, the result will be a denial of service,
since there will be double addresses. Users reboot, get a new address, and
get on with their work. Or if you compromise the DHCP database, so it will
give out other ranges of IP addresses. So? If people take down the DHCP,
well, use a distributed system so another server will take over, and client
systems will probably use the cached IP address, anyway.

The only risk to DHCP is people attaching rogue computers to your network.
But the risk is marginal, since all you need to do is find out which ranges
are used, and pick an address used by someone else. Any sniffer will do this.
And using ACLs to ensure that just known PCs attach is not really feasible
in an MS shop - since connections to MS servers are done on computer names,
not IP addresses.

> We have historically configured static IPs on servers, routers, switches
> and
> all outside-facing devices. We do have several multi-homed devices with
> static, public IP and a second interface facing inside (these are being
> migrated to DMZ where multi-homing will no longer be necessary.) However
> this does get to be a pain when making across-the-board changes.
> Documentation is a bear as well since we are a small company with little
> resources available to keep detailed network drawings up-to-date.

I think using static addressing with more than a handful of systems will
result in more downtime because of human error than security incidents
generally do. Using the time freed by less documentation for patching and
study is much more effective.

> Is there any experience with compromised DHCP databases in MS
> environments?
> Any strong opinions or reasoning pro or con the use of DHCP? Any
> recommendations for shoring up the service and its traffic?

I encountered a DHCP server with a trojan on it once, but the incident was
really minor - the server was used to cover tracks to other systems. What is
the use of attacking DHCP if there are easier ways of attacking, like ARP
cache poisoning?

Patch the servers, monitor them, do the general rigmarole, and use DHCP,
like most companies do.

Yossarian
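The post's two practical points are that logging the addresses in use keeps forensics possible under DHCP, and that a tampered DHCP server mostly shows up as duplicate addresses. As an added example (not from the original post or the list), the following script parses constructed DHCP server log lines in an assumed ISC dhcpd-style syslog format, answers "which MAC held this IP at that time", and flags an IP re-issued to a different MAC inside the lease time:

```python
import re
from datetime import datetime

# Constructed sample lines in ISC dhcpd syslog style; the format is an assumption
# for illustration, not the logs of any real server. Year is absent from syslog.
SAMPLE_LOG = """\
Jan 22 08:40:01 dhcpsrv dhcpd: DHCPACK on 10.1.2.30 to 00:0c:29:aa:bb:01 (ws-alice) via eth0
Jan 22 08:41:10 dhcpsrv dhcpd: DHCPACK on 10.1.2.31 to 00:0c:29:aa:bb:02 (ws-bob) via eth0
Jan 22 09:05:44 dhcpsrv dhcpd: DHCPACK on 10.1.2.30 to 00:50:56:cc:dd:99 via eth0
Jan 22 09:06:00 dhcpsrv dhcpd: DHCPREQUEST for 10.1.2.31 from 00:0c:29:aa:bb:02 via eth0
"""

# Only DHCPACK lines confirm a binding; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$"
)

def parse_acks(text, year=2003):
    """Return a list of (datetime, ip, mac, hostname) for every DHCPACK line."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/REQUEST/etc. carry no confirmed binding
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases.append((ts, m["ip"], m["mac"], m["host"] or ""))
    return leases

def holder_at(leases, ip, when):
    """MAC most recently ACKed for `ip` at or before `when`, or None (forensic lookup)."""
    best = None
    for ts, lip, mac, _ in sorted(leases):
        if lip == ip and ts <= when:
            best = mac
    return best

def reassignments(leases, lease_seconds=3600):
    """Same IP ACKed to a different MAC before the previous lease could expire:
    the double-address condition the post describes. Returns (ip, old, new, gap_s)."""
    last, found = {}, []
    for ts, ip, mac, _ in sorted(leases):
        if ip in last:
            prev_ts, prev_mac = last[ip]
            gap = int((ts - prev_ts).total_seconds())
            if prev_mac != mac and gap < lease_seconds:
                found.append((ip, prev_mac, mac, gap))
        last[ip] = (ts, mac)
    return found
```

A hit from `reassignments` is a lead, not proof: a legitimately released address can also be handed to another client early, so check the lease time actually configured on the server.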


