Firewall Wizards mailing list archives

RE: Using DHCP (was RE: IP Spoofing)


From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Mon, 18 Oct 1999 01:45:21 -0400

OK, thanks to all who explained the MAC-IP association during initial
negotiation. With the MAC-IP association via proxy I can see DHCP making
life easier and allowing fewer logins while still being secure. I still see
a danger unless you do some extra setup.

       Internet
          |
          +-LAN-- Firewall ------- Router ---- DHCP server
          |                          |
Dial-in Terminal Server              \------- LAN / Hosts

If the Dial-in Terminal Servers use DHCP and the firewall simply permits
those IP addresses in, I could spoof my IP to pretend to be coming from the
Terminal Server while actually coming from the Internet. (Never mind return
traffic; this could be a blind attack.)

This is foiled if:

- The internal Router caches a "legal" MAC-IP (ARP) list (which needs to be
entered/maintained on the DHCP server and broadcast) AND it will not forward
traffic from certain IP ranges that don't match the ARP list it got from the
DHCP server (I didn't know they were that smart....)

- Or a DHCP proxy on the firewall tracks Terminal MAC addresses and only
those are allowed.

- Or if the external interface (+) included a router (or is a separate
interface on the firewall) with an ACL blocking DHCP addresses on the
Internet interface.

Any other vulnerabilities and fixes using DHCP?

Thanks,

Adam
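To make the two filter-side fixes concrete, here is an added example (not code from the thread or from either poster) of the checks they describe: an anti-spoofing ACL on the Internet-facing interface that refuses packets claiming an internal source, and an internal-router check that only forwards dial-in traffic whose (MAC, IP) pair matches the DHCP lease table. The address plan, the lease table and the sample packets are constructed for this example; the message names no addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical address plan for the diagram in the post (constructed for this
# example; the original message names no prefixes).
DIALIN_POOL = ipaddress.ip_network("10.10.0.0/24")   # terminal servers' DHCP pool (assumed)
INTERNAL_LAN = ipaddress.ip_network("10.20.0.0/24")  # LAN / hosts (assumed)
INTERNAL_PREFIXES = [DIALIN_POOL, INTERNAL_LAN]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "internet" or "dialin"
    src_mac: str
    src_ip: str
    dst_ip: str


def external_acl_permits(pkt: Packet) -> bool:
    """Third fix in the post: an ACL on the Internet interface drops anything
    that arrives from outside but carries one of our own (DHCP or LAN) source
    addresses. The decision does not depend on whether a reply could ever
    reach the sender, so it also covers the blind case."""
    if pkt.ingress != "internet":
        return True
    src = ipaddress.ip_address(pkt.src_ip)
    return not any(src in net for net in INTERNAL_PREFIXES)


def lease_table_permits(pkt: Packet, leases: Dict[str, str]) -> bool:
    """First fix in the post: the internal router only forwards dial-in traffic
    whose source MAC currently holds a DHCP lease for exactly that source IP.
    `leases` maps MAC -> leased IP, as learned from the DHCP server."""
    if pkt.ingress != "dialin":
        return True
    return leases.get(pkt.src_mac) == pkt.src_ip


def filter_packets(packets: List[Packet],
                   leases: Dict[str, str]) -> Tuple[List[Packet], List[str]]:
    """Apply both checks in order; return the accepted packets and a drop log."""
    accepted, log = [], []
    for pkt in packets:
        if not external_acl_permits(pkt):
            log.append(f"DROP spoofed internal source {pkt.src_ip} on {pkt.ingress}")
        elif not lease_table_permits(pkt, leases):
            log.append(f"DROP {pkt.src_ip} from {pkt.src_mac}: no matching DHCP lease")
        else:
            accepted.append(pkt)
    return accepted, log


# Constructed sample: one valid lease, an Internet packet claiming a pool
# address, a dial-in host using an address it was never leased, and an
# ordinary Internet packet with a public source.
SAMPLE_LEASES = {"00:11:22:33:44:55": "10.10.0.7"}
SAMPLE_PACKETS = [
    Packet("dialin", "00:11:22:33:44:55", "10.10.0.7", "10.20.0.5"),
    Packet("internet", "de:ad:be:ef:00:01", "10.10.0.7", "10.20.0.5"),
    Packet("dialin", "00:11:22:33:44:66", "10.10.0.9", "10.20.0.5"),
    Packet("internet", "de:ad:be:ef:00:02", "198.51.100.4", "10.20.0.5"),
]

if __name__ == "__main__":
    ok, log = filter_packets(SAMPLE_PACKETS, SAMPLE_LEASES)
    for line in log:
        print(line)
    print(f"{len(ok)} of {len(SAMPLE_PACKETS)} packets accepted")
```

Run as-is, the script drops the second and third sample packets and accepts the other two. The ACL check is the cheaper, more robust of the two because it needs no knowledge of individual leases, only of which prefixes are yours; the lease check adds value on the dial-in side, where an address inside the pool is otherwise indistinguishable from a legitimate one.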
-----Original Message-----
From: Bill_Royds () pch gc ca
Sent: Friday, October 15, 1999 11:54 AM
To: anton () the-wire com
Cc: Safier, Adam (GEIS); Dave Gillett; firewall-wizards () lists nfr net
Subject: RE: Using DHCP (was RE: IP Spoofing)


There is probably no more security using DHCP than a properly configured
static IP assignment, but an average network sysadmin is much less likely to
make errors with DHCP than in maintaining manually assigned IP numbers. Most
DHCP servers can monitor IP usage 24 hours a day, ensuring no machine tries to
claim an IP that was not assigned to it; they can track the MAC <-> IP mapping
and associate it with users and authorization, reclaim unused IPs and do many
other tasks that can be done manually but are a real PITA for a sysadmin. It
is not a security panacea, but it can help keep track of things that would
normally fall through the cracks.
