DHCP query

Hi

Senario - DHCP leases IP to unknown machine on network, this said machine then infects all other PC's on netowrk.

How is this avoided on your network, or how would you go about avoiding it if this happened on your network
Lee H

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

Port security.

http://articles.techrepublic.com.com/5100-10878_11-6123047.html

undomiel

It isn't DHCP's fault that a machine it leased an address to is doing unscrupulous things on your network. It isn't DHCP's job to police that. You'd basically have to reserve each address in DHCP to use DHCP to prevent that rogue computer. Which then makes DHCP pointless. Might as well use static IPs.

So how do you prevent this? Good virus protection for one. Setting up a NIDS/NIPS with good sensor placement would also work with this. Making sure you have good physical security so that unknown machines don't hook up to your network. Making sure you don't have hot ports available is something else. Just provision them on an as needed basis. No one of these is perfect for avoiding the scenario you describe but a combination can make a very powerful force against rogue machines.

darkerosxx

If you're using all microsoft clients, use Network Access Protection, set up a quarantine network, and require all DHCP clients to be quarantined if they don't meet antivirus and update restrictions.

OR

Since you mentioned a "unknown machine", set up login security so no one can get an address on the network without logging in.

tiersten

As dynamik said, port security. It won't even be able to connect to the network.

sprkymrk

undomiel wrote:

Which then makes DHCP pointless. Might as well use static IPs.

For the first time in many months I will disagree with you, undomiel. But only with your last 2 sentences of this paragraph.

Using reservations is all done from a single point - the comfort of your workstation or server, as opposed to being out on the floor wherever the client PC's exist. Also, with hard coding IPs you also need to hard code all the other IP information such as DNS, Gateway, WINS, etc. With reservations in DHCP you create the scope once, then all you need to do is input a MAC address. Need to change or add a DNS server? Don't go to every PC like you would have to if you hard code everything, just modify the scope once and you're done.

Everything else in your first paragraph and everything in your second are 100% spot on.

wagnerbm

I would have to agree with tiersten. We use port security and it is great. You would be amazed at what people try to plug into the network.

tiersten

wagnerbm wrote:

I would have to agree with tiersten. We use port security and it is great. You would be amazed at what people try to plug into the network.

Ugh. Don't get me started on this one. I've caught people plugging in WiFi APs before. People worked out that unused sockets aren't actually enabled so they started to mess about unplugging PCs and other devices.

astorrs

Yup, then you get to deal with 802.1x just to keep those "smart" users at bay...

dynamik

They'd have to spoof the mac address on the AP in order to circumvent port security.

astorrs

dynamik wrote:

They'd have to spoof the mac address on the AP in order to circumvent port security.

Or have any of a zillion $49 router/AP's that allow cloning (spoofing for end-users who don't know what it is only that "it works")

darkerosxx

darkerosxx wrote:

If you're using all microsoft clients, use Network Access Protection, set up a quarantine network, and require all DHCP clients to be quarantined if they don't meet antivirus and update restrictions.

OR

Since you mentioned a "unknown machine", set up login security so no one can get an address on the network without logging in.

Forgot NAP was extended to mac and linux clients. Your question is answered, sir! lol, but seriously, that's one of a ton of ways you could do it and that's the way I would if I had the money/time/hardware.

undomiel

sprkymrk wrote:

For the first time in many months I will disagree with you, undomiel. But only with your last 2 sentences of this paragraph.

I bow to sprkymrk's wisdom.

Shows that I still have a ways to go to make this MCSE more than just paper!

royal

Reminds me of an environment I worked in. 4 sites all on the same subnet all using static ips and all 500 machines in workgroup mode.

tiersten

royal wrote:

Reminds me of an environment I worked in. 4 sites all on the same subnet all using static ips and all 500 machines in workgroup mode.

Were you the poor unfortunate that had to go around fixing those?!

royal

tiersten wrote:

royal wrote:

Reminds me of an environment I worked in. 4 sites all on the same subnet all using static ips and all 500 machines in workgroup mode.

Were you the poor unfortunate that had to go around fixing those?!

Nope, they wanted Exchange/AD deployed in parallel with their existing environment for some odd reason. All I did was plan the parallel environment for 1 week and then one of the other engineers went out and did it.

tiersten

royal wrote:

tiersten wrote:

royal wrote:

Reminds me of an environment I worked in. 4 sites all on the same subnet all using static ips and all 500 machines in workgroup mode.

Were you the poor unfortunate that had to go around fixing those?!

Nope, they wanted Exchange/AD deployed in parallel with their existing environment for some odd reason. All I did was plan the parallel environment for 1 week and then one of the other engineers went out and did it.

In parallel? Nice

I've never seen anybody get up to 500 machines in workgroups before. Waiting for Windows to enumerate that lot must take forever.

Lee H

Thanks Guys

Exellent information

bighornsheep

sprkymrk wrote:

Using reservations is all done from a single point - the comfort of your workstation or server, as opposed to being out on the floor wherever the client PC's exist. Also, with hard coding IPs you also need to hard code all the other IP information such as DNS, Gateway, WINS, etc.

Agree! In fact, it's hard to think of a good reason why you would want static IPs on workstations.

To the OP, with proper DHCP configuration, there is also DHCP snooping which you can configure on your switches, the concept is basically the switch keeping track of authorized DHCP servers and legitimate machines obtaining IP addresses, then recording their locations, and blocking both unauthorized DHCP servers, and MAC spoofing.

darkerosxx

Pretty cool open-source app for Network Access Control:

http://freenac.net/