Firewall Wizards mailing list archives
RE: Using DHCP (was RE: IP Spoofing)
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Mon, 18 Oct 1999 01:45:21 -0400
OK, thanks to all who explained the MAC-IP association during initial negotiation. With the MAC-IP association via proxy I can see DHCP making life easier and allowing fewer logins while still being secure. I still see a danger unless you do some extra setup.

                     Internet
                        |
   +-LAN-- Firewall ------- Router ---- DHCP server
   |                          |
Dial-in Terminal Server       \------- LAN / Hosts

If the Dial-in Terminal Servers use DHCP and the firewall simply permits those IP addresses in, I could spoof my IP to pretend to be coming from the Terminal Server while actually coming from the Internet. (Never mind return traffic, this could be a blind attack.)

This is foiled if:

- The internal Router caches a "legal" MAC-IP (ARP) list (which needs to be entered/maintained on the DHCP server and broadcast) AND it will not forward traffic from certain IP ranges that don't match the ARP list it got from the DHCP server (I didn't know they were that smart....)
- Or a DHCP proxy on the firewall tracks Terminal MAC addresses and only those are allowed.
- Or if the external interface (+) included a router (or is a separate interface on the firewall) with an ACL blocking DHCP addresses on the Internet interface.

Any other vulnerabilities and fixes using DHCP?

Thanks,
Adam

-----Original Message-----
From: Bill_Royds () pch gc ca [mailto:Bill_Royds () pch gc ca]
Sent: Friday, October 15, 1999 11:54 AM
To: anton () the-wire com
Cc: Safier, Adam (GEIS); Dave Gillett; firewall-wizards () lists nfr net
Subject: RE: Using DHCP (was RE: IP Spoofing)

There is probably no more security using DHCP than a properly configured static IP assignment, but an average network sysadmin is much less likely to make errors with DHCP than in maintaining manually assigned IP numbers.
Most DHCP servers can monitor IP usage 24 hours a day, ensuring no machine tries to claim an IP that was not assigned to it, they can track the MAC <-> IP mapping and associate it with users and authorization, reclaim unused IP's and many other tasks that can be done manually but a real PITA for a sysadmin. It is not a security panacea, but it can help keep track of things that would normally fall through the cracks.
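Added example (not part of the thread): a small Python model of the countermeasures Adam lists, run against the topology in his diagram. It assumes constructed addressing (10.0.0.0/8 behind the firewall, a 10.1.0.0/16 DHCP pool for the terminal servers) and a constructed lease table standing in for the MAC-IP list the DHCP server would publish; the check functions are hypothetical, not any product's API.

```python
"""Anti-spoofing checks for the firewall/router topology in the thread."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: everything behind the firewall, and the pool
# the DHCP server leases to the dial-in terminal servers.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DHCP_POOL = ipaddress.ip_network("10.1.0.0/16")

# Constructed sample of the MAC -> IP lease table the DHCP server publishes.
LEASES = {
    "00:10:5a:aa:bb:01": ipaddress.ip_address("10.1.0.10"),
    "00:10:5a:aa:bb:02": ipaddress.ip_address("10.1.0.11"),
}


@dataclass
class Packet:
    iface: str      # "internet" (external side) or "lan" (internal side)
    src_mac: str    # layer-2 source as seen on the receiving interface
    src_ip: str


def external_acl(pkt: Packet) -> str:
    """Adam's third fix: on the Internet-facing interface, drop any packet
    whose source claims an internal (DHCP-assigned) address. A blind
    spoof from the Internet never gets to look like a terminal server."""
    ip = ipaddress.ip_address(pkt.src_ip)
    if pkt.iface == "internet" and any(ip in net for net in INTERNAL_NETS):
        return "drop: internal source address on external interface"
    return "pass"


def lease_check(pkt: Packet) -> str:
    """Adam's first/second fixes: on the LAN side, a source in the DHCP
    pool is forwarded only if its (MAC, IP) pair matches the lease table."""
    ip = ipaddress.ip_address(pkt.src_ip)
    if pkt.iface == "lan" and ip in DHCP_POOL and LEASES.get(pkt.src_mac) != ip:
        return "drop: MAC/IP pair not in DHCP lease table"
    return "pass"


def filter_packet(pkt: Packet) -> str:
    """Apply both checks in order; first failing check decides."""
    for check in (external_acl, lease_check):
        verdict = check(pkt)
        if verdict != "pass":
            return verdict
    return "pass"
```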