6

Most places I've worked at consider DHCP to be a bad idea for management networks, or "secured" networks. I'm curious as to why that is.

Consider this scenario...

  • There is an iSCSI storage network, say, 10.1.1.0/24
  • Clients have an interface for external communication, and a second interface on this iSCSI storage network to access storage volumes.

Am I not just adding extra complexity to the provisioning process by requiring humans to manage and assign IP addresses? It seems much easier to me to use an existing technology for this purpose.

My logic is that if a malicious actor is able to connect to the "secure" network and get an IP address, you have much bigger problems from a security standpoint than DHCP. Regardless, the malicious device could just self-assign an IP address, since most networks have a gateway at x.x.x.1 and a subnet mask of /24.

thisguy123
  • I never used DHCP on management networks, not for security considerations, but for reliability. You *never* want to be in a situation where DHCP fails for some reason causing you to lose management access to your devices. – YLearn Jul 13 '18 at 17:36

2 Answers

1

My logic is that if a malicious actor is able to connect to the "secure" network and get an IP address, you have much bigger problems from a security standpoint than DHCP

I partially agree with that, but from a network-security point of view, DHCP can be an extra possible attack vector for the internal network, so it is considered a risk. I guess DHCP is considered insecure because it can be abused by attackers. Two well-known DHCP-related attacks are the following:

  • DHCP starvation attack
  • DHCP spoofing which leads to MITM

In most cases, through DHCP an attacker may be able to obtain, or in some cases modify, useful information (not only trivial things like the gateway IP) like:

  • the DNS servers (e.g. can be useful for DNS spoofing attacks)
  • the domain name
  • client host names (e.g. that might be useful for targeted attacks)

Also, in some networks other things might also be configured through the DHCP server, like NetworkManager, NETBIOS servers, NIS servers, NTP servers etc. So, for example, by abusing/exploiting DHCP you might be able to also abuse those services. Another example is Shellshock, which can also be exploited over DHCP.

So I guess since DHCP is known to be useful for attackers, it is considered one more possible attack vector, and that is why it may be considered a risk.

game0ver
  • If someone is able to get on your management network aren't the above attacks trivial? They would have to have either 1. Admin level access to your hypervisor or 2. Physical access to your network. – thisguy123 Jul 13 '18 at 18:48
  • Yes, but DHCP offers an alternative way to perform those attacks. For example, most people, when they hear about MITM, think about ARP spoofing, which is more common, so a sysadmin may think to secure his network against it, but then DHCP gives an alternative way. In my opinion it has to do with the configuration. If you are sure you can set up DHCP in a way that everything is going to be secure then it's OK, but that's not always the case. – game0ver Jul 13 '18 at 19:00
  • Of course MITM was just an example; the same thing occurs with the other attacks also. In addition, the majority of DHCP setups tend to leak a lot of information. Imagine being in a network with 50 hosts, and your task is to pen-test a certain host. Then getting the hostnames would possibly make it trivial. – game0ver Jul 13 '18 at 19:02
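
The two attacks named in the answer above, DHCP starvation and DHCP spoofing, can both be watched for from the defender's side. The following is an added example, not part of the original posts: the event format, the server address 10.1.1.2, the port names and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the one authorised DHCP server on the
# storage network, and the thresholds used to flag starvation.
AUTHORISED_SERVERS = {"10.1.1.2"}
MAX_MACS_PER_PORT = 3
WINDOW = timedelta(seconds=10)

# Constructed sample events (time, message type, key=value fields); this is
# a simplified format made up for the example, not any real daemon's log.
SAMPLE_LOG = """\
2018-07-13T17:00:00 DISCOVER mac=02:00:00:00:00:10 port=Gi0/1
2018-07-13T17:00:00 OFFER server=10.1.1.2 mac=02:00:00:00:00:10 port=Gi0/24
2018-07-13T17:00:01 OFFER server=10.1.1.66 mac=02:00:00:00:00:10 port=Gi0/7
2018-07-13T17:00:05 DISCOVER mac=02:aa:00:00:00:01 port=Gi0/9
2018-07-13T17:00:05 DISCOVER mac=02:aa:00:00:00:02 port=Gi0/9
2018-07-13T17:00:06 DISCOVER mac=02:aa:00:00:00:03 port=Gi0/9
2018-07-13T17:00:06 DISCOVER mac=02:aa:00:00:00:04 port=Gi0/9
"""

def parse(line):
    """Split one event line into (timestamp, message type, field dict)."""
    stamp, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), kind, fields

def analyse(log_text):
    """Return (rogue_servers, starving_ports) found in the event log."""
    rogue, starving = set(), set()
    seen = defaultdict(list)  # port -> [(time, mac)] of recent DISCOVERs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, kind, f = parse(line)
        # Spoofing: only the authorised server may send OFFER or ACK.
        if kind in ("OFFER", "ACK") and f["server"] not in AUTHORISED_SERVERS:
            rogue.add((f["server"], f["port"]))
        # Starvation: many different client MACs behind one access port.
        if kind == "DISCOVER":
            recent = [(t, m) for t, m in seen[f["port"]] if when - t <= WINDOW]
            recent.append((when, f["mac"]))
            seen[f["port"]] = recent
            if len({m for _, m in recent}) > MAX_MACS_PER_PORT:
                starving.add(f["port"])
    return rogue, starving

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The same two checks are what a switch enforces inline when server replies are accepted only on a trusted port and the number of MAC addresses per access port is capped.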
1

Yes, DHCP could be another way for an attacker to breach your security, but it may not be the only source.

For example, IP spoofing could be initiated in other ways as well, not only through DHCP.

Please refer to this Stack question: How does IP address spoofing on the Internet work? Who can do it?

In my opinion you can still use DHCP with proper hardening of the way you use the DHCP protocol. Some such measures could be:

Authenticated DHCP - You may implement an authentication mechanism on top of the DHCP protocol. Please refer to: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5411f480-a1ed-41a8-a333-0df3cf716718/dhcp-authentication?forum=winserverPN

MAC (enabled) filtering DHCP - By implementing MAC binding or filtering, you are increasing the security by limiting the DHCP IP allocation to particular hosts only. Please refer to: https://technet.microsoft.com/en-us/library/ff521761.aspx

Combination of mechanisms - You may use these additional security mechanisms in combination to tighten the security.

In conclusion, it could be better if you can use assigned IP addresses for the secure zone nodes, but if you have a situation where you have to use DHCP, you may harden it as explained above to use it in a secure way.

Sayan