RE: DHCP Security Questions

From: Steve Vawter (svawter@zonelabs.com)
Date: 05/15/02


From: Steve Vawter <svawter@zonelabs.com>
To: "'Richard Westlake'" <r.westlake@mail.cryst.bbk.ac.uk>, Chris <brahma@mendolink.com>
Date: Wed, 15 May 2002 09:33:20 -0700

Well, if it is a new system doing the IP "theft" this may well fix it:

Split your network into 2 VLANs via dynamic VLANs: one for known systems, one
for unknown systems. Set up DHCP (with different ranges) on both VLANs so that
systems set up for DHCP can get an address. Set up the unknown side with
tighter security since anyone walking in off the street might be on it.
When your IT guys set up a new system they can add it to the known list...

Steve Vawter
UNIX SYSTEM ADMINISTRATOR
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: Richard Westlake [mailto:r.westlake@mail.cryst.bbk.ac.uk]
Sent: Tuesday, May 14, 2002 12:22 PM
To: Chris
Cc: security-basics@lists.securityfocus.com
Subject: Re: DHCP Security Questions

Chris
There is no easy way to stop this. If they can change the IP address on
their system then they can set any address they like.

You could try the following

1) Take away admin access. Not possible with visitors & personal laptops
etc.; can't do this with all OSs, e.g. 95/98.

2) Run something like arpwatch (free) to record MAC/IP addresses. This will
notice new systems on the network and will also report address flip-flops
when two systems try and use the same IP address. We use this and it has
spotted badly configured systems and people borrowing (stealing) IP
addresses. Doesn't prevent the problem but it makes it easier to find and
fix. Problems of two systems using the same address (IP, DECnet etc.) can
be very hard to debug. For arpwatch try http://www-nrg.ee.lbl.gov/nrg.html
or a Google search.

3) Split the network into two with a router. One network can have your
static address servers and other important stuff, the other can have the
DHCP assigned addresses.
This reduces the damage people can do; still a problem if they steal the
IP address from your or the MD's laptop. You could also add a network just
for visitors.

4) Use SNMP on the switches to report when a port goes live. Then with SNMP
query the address table and compare it with a list of allowed MAC/IP
addresses (DHCP server lease file) and possibly which ports they can use.
If you don't like the system on the port which has just gone live then
block the port or move it to a VLAN where it can't do any harm. Maybe you
can get a network management system to help with this.
This could be a lot of work! If you ever try it please let me know how
you got on.

If you have a lot of people turning up with laptops etc. and they already
have IDs/passwords on your system then you could use something like netreg
(free) http://www.netreg.org/ to automate the MAC registration. Matt
Campbell at RIT has implemented a similar system which does watch the
switches and move ports for new systems to different VLANs:
http://www.rit.edu/~mrcsys/dhcp/

Netreg-type packages are useful if you don't want random strangers
wandering into the building, finding an unused port in a quiet corner,
connecting to the network, getting an IP address and having fun with
your servers etc.

All the best and good luck

Richard Westlake

School of Crystallography, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 020-7631-6859
----------------------------------------------------------------------
               Truth endures but spelling changes -- Anon.
----------------------------------------------------------------------

On Tue, 14 May 2002, Chris wrote:

> Date: Tue, 14 May 2002 09:10:26 -0700
> From: Chris <brahma@mendolink.com>
> To: security-basics@lists.securityfocus.com
> Subject: DHCP Security Questions
>
> I was curious to find out about some issues that I would like to prevent
> if at all possible. I am running a network with a DHCP server handing
> out public IPs to clients. It is also reserving by the MAC for clients
> that have static publics. My concern is someone that has legitimate
> access to the network purposely or accidentally setting their IP to an
> IP that is already taken and logging on to the network and causing
> problems. Obviously this could really be a problem if it is a business
> client and they are running some sort of server and someone logs on with that
> IP. Does anyone know of a way to prevent this? If you need more
> details please ask.
>
> Thank You,
>
> Chris Raynor
> Network Security
> Mendo Link, LLC
>
> "An Ounce Of Prevention Is Worth A Pound Of Cure."
>
>