On Mon, Mar 30, 2009 at 11:31 AM, John Hornbuckle <[email protected]> wrote: > The Auditor General's office has asked us how we prevent the introduction of > unauthorized DHCP/DNS servers on our network. > How do you guys accomplish this? From the research I've done, there's no easy > way to do it.
We don't currently accomplish it. Unauthorized DNS? Unless someone else knows to use it, what's the point? If you're worried about someone bypassing your own DNS servers, use an IP firewall to block packets to UDP or TCP port 53 with a source addresses that's not your DNS servers. If you're worried about someone impersonating your DNS servers, see above about people having to seek out the unauthorized servers. Of things to worry about, that's low on my list. DHCP's a more serious problem. A rogue DHCP server can cause a whole network to have a really bad day. It's trivially easy, too; someone just has to plug the LAN side of one of those SOHO routers into a corporate LAN jack, not realizing that a router is more than just "more network ports". Techniques you can use include: * Manual MAC address locking on switch ports. Have the switch drop frames that don't come from the PC plugged into that port. When the luser plugs in their LinkSys router, it's DHCP responses will never make it past the switch port. Doesn't need client support, but does mean you have to keep track of MAC addresses everywhere. Won't help if a legitimate device has a DHCP server added to it. (The fix there is, surprise, not to give people admin rights. Amazing how many problems that solves.) * Automatic MAC address locking on switch ports. Our HP ProCurve switches have a feature where the first MAC address they see becomes locked to the port. So it's kind of like the manual method with auto-learning. You still have to reset the port on an equipment change, and it won't help you if the first device plugged into a port is the rouge. * Broadcast filtering. Only allow data link broadcasts from user switch ports to reach approved ports (with servers/routers attached). This will also prevent user-to-user network communication. I've mainly seen/read of this being done by ISPs on metro networks. Not sure how well this would work in a non-trivial Windows LAN. This will work even if a legit node has a rogue DHCP server added. * Network Access Control, e.g., IEEE 802.11x. Arguably the most technologically sophisticated method, but requires endpoints to support it. Also won't help the DHCP on legit node problem, AFAIK. * Switches which can do IP filtering (layer 3), and simply block DHCP responses from anything not approved. Should be full-proof, but also rather expensive -- you're effectively putting a firewall on each and every LAN port. * Threaten to beat lusers over the head with their SOHO router if they plug it in. This is currently the method I'm using. Cheap, and very rewarding for the sysadmin. ;-) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
