On Cisco's you should be looking at a switchport-level feature called DHCP snooping.

ip helper-address does more than just forward DHCP packets, just an FYI.

The term I use for the issue with the routers is that they're plugged in backwards, when someone gets the WAN and LAN confused.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Al Garrett
> Sent: Tuesday, January 16, 2007 11:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> Not sure about other switch brands....we've been Cisco-centric for years.
>
> The command in Cisco IOS is "ip helper-address x.x.x.x" to tell DHCP packets where to go across VLANs....but....
>
> This still doesn't prevent a rogue DHCP server from popping up on a VLAN. (Think about a Linksys wired/wireless router brought to work by a well-meaning but technically-challenged person and plugged into a local port in order to get wireless in their cubicle/office)
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, January 16, 2007 6:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> "OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth."
>
> In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :)
>
> neil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 16 January 2007 13:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> Sorry for the delay on getting back on this, had a few things piled up after New Year's...
>
> You're right on the fact that routers isolating the VLANs limit the impact of this issue... The "problem" is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to set up a DHCP server on each VLAN.
>
> Somebody suggested having a multi-homed DHCP server, with a "leg" on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a "hub" where all VLANs "come close").
>
> OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)...
>
> We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the "multi-homed server" route...
>
> Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;)
>
> As always, a pleasure.
>
> Javier
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, 09 January 2007 9:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.
>
> neil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 17:24
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> Hi, Neil!!
>
> That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers.
>
> That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers.
>
> But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.
>
> Thanks for the heads-up though.
>
> Javier Jarava
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, 08 January 2007 14:33
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.
>
> neil
>
> ___________________________
> Neil Ruston
> Global Technology Infrastructure
> Nomura International plc
> Telephone: +44 (0) 20 7521 3481
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: 08 January 2007 13:27
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> > Sent: 08 January 2007 12:20
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?)
> >
> > Hi all!
> >
> > Just wondering, is there a way to "prevent" a rogue DHCP server from playing havoc with a network?
> >
> > I have been digging into "dhcp security" but I haven't really found anything that makes it possible to auth.
> > a DHCP server, so that the clients don't fall for a rogue one.
> >
> > From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to "auth" it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...
> >
> > I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated network segment, all was fine, but once we moved "into" their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up.
>
> You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the "wrong" classid. I think you can also control via group policy.
>
> > What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could find. Strange ;)
>
> Probably an XP system with the firewall on. A real pain to manage
>
> > We managed to overcome the issue because the software load included an IP filtering component, so we decided to block UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 255.255.255.255 and the IP address of the servers we were going to use... But using a whitelist is a bit of a PITA, so I was wondering if there was some other "cleaner" way to do it..
> >
> > Thanks a lot in advance
> >
> > Javier J
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
>
> **********************************************************************
> This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
>
> If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system.
>
> Thank you.
>
> http://www.stockport.gov.uk
> **********************************************************************
>
> PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
> Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
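The thread converges on two complementary controls: stop server-side DHCP traffic (OFFER/ACK/NAK on UDP/67) at the switch or router unless it comes from an authorised server, and find rogues by looking at who is actually answering DISCOVERs. Both hinge on the same field, the server identifier (option 54) in the reply. The following is an added example written for this page, not code posted by anyone on the list: it parses DHCP messages, classifies server replies against an assumed allowlist, and summarises unauthorised servers seen in a batch of packets. The server addresses, client MAC and packets are constructed for the example; the allowlist is a placeholder for whatever the customer's authorised servers are.

```python
"""Classify DHCP messages by server identifier and list rogue servers seen in traffic.

Added example for this thread, not code from any list member. Allowlist,
addresses, MAC and packets below are constructed for illustration.
"""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"              # RFC 2132 magic cookie at offset 236
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSG_TYPES = {2, 5, 6}                   # OFFER, ACK, NAK are only ever sent by servers

# Assumed allowlist: the customer's authorised DHCP servers (hypothetical addresses).
AUTHORIZED_SERVERS = {"10.1.0.10", "10.1.0.11"}


def parse_options(data: bytes) -> dict:
    """Walk the TLV option field: skip PAD, stop at END, refuse truncated options."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header and the options the rogue check needs."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    opts = parse_options(packet[240:])
    code = opts[OPT_MSG_TYPE][0] if len(opts.get(OPT_MSG_TYPE, b"")) == 1 else 0

    def ip(opt):  # 4-byte address option, or None if absent or malformed
        return socket.inet_ntoa(opts[opt]) if len(opts.get(opt, b"")) == 4 else None

    return {
        "op": op, "xid": xid, "msg_code": code, "msg": MSG_NAMES.get(code, str(code)),
        "chaddr": packet[28:28 + min(hlen, 16)].hex(":"),
        "yiaddr": socket.inet_ntoa(packet[16:20]),
        "server_id": ip(OPT_SERVER_ID),      # option 54: the server the client will bind to
        "router": ip(OPT_ROUTER),            # option 3: the usual payload of a rogue
    }


def classify(packet: bytes, authorized=AUTHORIZED_SERVERS) -> tuple:
    """Return ('client' | 'authorized' | 'rogue', decoded fields).

    Same idea as the UDP/67-68 allowlist the thread describes, but keyed on
    option 54 rather than the IP source, which a rogue can set to anything.
    """
    info = parse_dhcp(packet)
    if info["op"] == BOOTREQUEST and info["msg_code"] not in SERVER_MSG_TYPES:
        return "client", info
    if info["server_id"] is None:
        return "rogue", info                 # server reply without option 54: malformed, drop it
    return ("authorized" if info["server_id"] in authorized else "rogue"), info


def find_rogue_servers(packets, authorized=AUTHORIZED_SERVERS) -> dict:
    """Summarise unauthorised servers in a capture: server_id -> routers they hand out."""
    seen = {}
    for pkt in packets:
        verdict, info = classify(pkt, authorized)
        if verdict == "rogue":
            seen.setdefault(info["server_id"], set()).add(info["router"])
    return seen


def build_dhcp(op, msg_code, xid, chaddr, yiaddr="0.0.0.0", server_id=None, router=None) -> bytes:
    """Build a minimal DHCP message (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)       # ethernet, hlen 6, broadcast flag
    hdr += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)         # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_code])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    if router:
        opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


CLIENT_MAC = bytes.fromhex("001122334455")   # constructed
DISCOVER = build_dhcp(BOOTREQUEST, 1, 0x1234, CLIENT_MAC)
GOOD_OFFER = build_dhcp(BOOTREPLY, 2, 0x1234, CLIENT_MAC, "10.1.5.20", "10.1.0.10", "10.1.5.1")
# A consumer router answering on its LAN side and pushing itself as the default gateway.
ROGUE_OFFER = build_dhcp(BOOTREPLY, 2, 0x1234, CLIENT_MAC, "192.168.1.100", "192.168.1.1", "192.168.1.1")

if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DISCOVER), ("GOOD_OFFER", GOOD_OFFER), ("ROGUE_OFFER", ROGUE_OFFER)):
        verdict, info = classify(pkt)
        print(f"{name:12} {verdict:10} {info['msg']:8} server={info['server_id']} router={info['router']}")
    print("rogue servers:", find_rogue_servers([DISCOVER, GOOD_OFFER, ROGUE_OFFER]))
```

On a real host you would feed `find_rogue_servers` the payloads of UDP/68 datagrams from a socket bound to the broadcast address, or from a pcap, after sending a DISCOVER of your own; the offending server's MAC then comes straight from the Ethernet frame, which is what you need to trace the port. Note that this is detection and client-side filtering only: a rogue picks its own option 54, so the check tells you who answered, not who is trustworthy. Prevention belongs on the switch, as Brian says, where DHCP snooping drops server replies on untrusted ports regardless of what the packet claims.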