On Mon, Mar 30, 2009 at 11:31 AM, John Hornbuckle
<[email protected]> wrote:
> The Auditor General's office has asked us how we prevent the introduction of 
> unauthorized DHCP/DNS servers on our network.
> How do you guys accomplish this? From the research I've done, there's no easy 
> way to do it.

  We don't currently accomplish it.

  Unauthorized DNS?  Unless someone else knows to use it, what's the
point?  If you're worried about someone bypassing your own DNS
servers, use an IP firewall to block packets to UDP or TCP port 53
with a source addresses that's not your DNS servers.  If you're
worried about someone impersonating your DNS servers, see above about
people having to seek out the unauthorized servers.  Of things to
worry about, that's low on my list.

  DHCP's a more serious problem.  A rogue DHCP server can cause a
whole network to have a really bad day.  It's trivially easy, too;
someone just has to plug the LAN side of one of those SOHO routers
into a corporate LAN jack, not realizing that a router is more than
just "more network ports".

  Techniques you can use include:

* Manual MAC address locking on switch ports.  Have the switch drop
frames that don't come from the PC plugged into that port.  When the
luser plugs in their LinkSys router, it's DHCP responses will never
make it past the switch port.  Doesn't need client support, but does
mean you have to keep track of MAC addresses everywhere.  Won't help
if a legitimate device has a DHCP server added to it.  (The fix there
is, surprise, not to give people admin rights.  Amazing how many
problems that solves.)

* Automatic MAC address locking on switch ports.  Our HP ProCurve
switches have a feature where the first MAC address they see becomes
locked to the port.  So it's kind of like the manual method with
auto-learning.  You still have to reset the port on an equipment
change, and it won't help you if the first device plugged into a port
is the rouge.

* Broadcast filtering.  Only allow data link broadcasts from user
switch ports to reach approved ports (with servers/routers attached).
This will also prevent user-to-user network communication.  I've
mainly seen/read of this being done by ISPs on metro networks.  Not
sure how well this would work in a non-trivial Windows LAN.  This will
work even if a legit node has a rogue DHCP server added.

* Network Access Control, e.g., IEEE 802.11x.  Arguably the most
technologically sophisticated method, but requires endpoints to
support it.  Also won't help the DHCP on legit node problem, AFAIK.

* Switches which can do IP filtering (layer 3), and simply block DHCP
responses from anything not approved.  Should be full-proof, but also
rather expensive -- you're effectively putting a firewall on each and
every LAN port.

* Threaten to beat lusers over the head with their SOHO router if they
plug it in.  This is currently the method I'm using.  Cheap, and very
rewarding for the sysadmin.  ;-)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to