20

How do DHCP and Static IP addressing compare, from a security standpoint? What are the risks/benefits associated with each?

I know the preferred solution between the two will vary with network size and layout, but I'm just looking for a more general explanation of how they compare.

Please answer from a security standpoint alone - disregarding topics such as network overhead and infrastructure costs, unless they directly and significantly affect the Confidentiality, Integrity, or Availability of the system.

AviD
Iszi

4 Answers

21

DHCP offers do leak some information about a network. The options contained reveal certain details about network layout and infrastructure, which is what DHCP is designed to do. Static assignment offers none of this detail.

The threat here is unauthorized connection to the network. That can be either a device plugging into a live network jack or a wireless client gaining access to a WLAN. Once the unauthorized connection has taken place the ability of the attacker to do anything once they have connected is where DHCP vs. Static comes into play.

DHCP with MAC registration is the most robust DHCP model. It doesn't offer addresses to any MAC it hasn't been told about, so in theory unauthorized devices won't be offered information. The same holds true for static assignment: there is no server to ask for addressing.

DHCP without MAC registration will allow unauthorized devices to consume an IP address.

MAC registration requires all new devices of any type to be registered with the DHCP system which can significantly increase how long it takes for a new device to be functional. Not all network devices have their MAC posted where they can be easily read, so some edge-case devices may require some bench testing to figure out what MAC they're using. Plug-and-go won't work (by design!). Additionally, if existing devices have their network cards swapped out for some reason, technicians will have to remember to re-register the new MAC. Deregistration of old MACs is a critical step of this process, and often missed until a DHCP scope fills.

There are a couple of attacks that make DHCP with MAC registration less useful. If an attacker can place a bridge between an authorized device and its network port (such as a laptop with two NICs) it can figure out that device's MAC address very simply. Any traffic monitored in this way will reveal the MAC address of the authorized device. Most network cards allow changing the MAC address, so all the attacker has to do is change the MAC on one of their NICs, unplug the authorized device, plug their re-numbered device in, and get access on a registered MAC.

On wireless, once an attacker has successfully broken into a WLAN to the point where they can monitor the airwaves, gaining MAC information is similarly easy.

The defense for this is Network Access Control. In order to talk to the network the attached device needs to be able to authenticate at a machine level. This defends against unauthorized devices attaching to a network as it prevents significant network conversation from happening. In the above scenario, the attacker's device would be denied access. Not all devices CAN use NAC, notably network-attached printers, so an attacker can focus on those devices, which means that network-disconnection events need to be monitored on those ports.

sysadmin1138
10

Generally speaking, in a properly configured environment this choice won't really affect your security too much. That said, DHCP may have a few holes worth considering.

With DHCP (assuming you're only handing out addresses to known clients) an unknown machine that jumps on the network won't be given an address. Now if you're handing out leases to any machine that plugs in you're opening up a security issue, but the answer there is "Don't do that!".
Theoretically someone could plug on to the network and look for broadcast messages, getting a sense of what your network looks like (DNS servers, routers, maybe some leaked info based on DHCP client IDs & the IP ranges that they get assigned to), but if people are plugging in to your (theoretically secure) network you have bigger fish to fry.

With static addresses and no DHCP server there's less natural information leakage (router & DNS info won't be handed out, and there won't be any DHCP client IDs to leak information either). Even in this case though if an attacker gets on to your network they can just sit there quietly sniffing traffic until they suss out the same information they would have gotten from DHCP broadcasts -- it will take them longer, and will be more difficult, but it's still possible.


Ideally you should be deactivating unused network ports, securing any wireless you have with good-quality WPA, and probably doing MAC address filtering at your access switches & wireless access points -- If you're doing all that it provides a substantial barrier to someone managing to get on to your network, and helps mitigate any information leaks they could get from DHCP (or sitting around and sniffing) by putting another obstacle between them and the soft underbelly of your network.

voretaq7
5

One challenge with dynamically assigned IP addresses is that this can make it somewhat harder to build firewall rules. Often, firewall rules are built using hard-coded IP addresses for the hosts you're going to communicate with. If those hosts have a dynamic IP, then it's harder to code up a secure firewall policy for them.

(The reason why it's usually safest to use hard-coded IP addresses in your firewall policy, as opposed to a DNS hostname, is this way the security of your firewall is not vulnerable to DNS spoofing, DNS hijacking, or other DNS attacks.)

D.W.
  • Good point. This is why it is important to appropriately configure your IP pools and address reservations. – Iszi Jan 31 '11 at 14:12
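The point made in this answer and the comment on it (keep the hosts your firewall names on fixed addresses, and keep DNS names out of the policy) can be turned into a mechanical check. The following is an added example, not code from the answer's author or from any firewall product; the subnet, dynamic pool, MAC-to-IP reservations and policy entries are all constructed values, and the rule text it emits is nftables-style syntax, not a loaded ruleset.

```python
"""Derive firewall rules from DHCP reservations rather than from DNS names.

Added example with a constructed reservation table and policy. A reserved host
gets the same address on every lease, so the firewall can carry a literal IP
and nothing in the rule set depends on name resolution."""
from ipaddress import IPv4Address, IPv4Network, ip_address

SUBNET = IPv4Network("10.0.0.0/24")                                   # constructed
DYNAMIC_POOL = (IPv4Address("10.0.0.100"), IPv4Address("10.0.0.199"))  # constructed
HOSTS = {"db": "00:11:22:33:44:55", "app": "00:11:22:33:44:66"}       # constructed label -> MAC
RESERVATIONS = {"00:11:22:33:44:55": "10.0.0.10",                      # constructed MAC -> fixed IP
                "00:11:22:33:44:66": "10.0.0.11"}
POLICY = [("app", "db", 5432),                 # (source label, destination label, TCP port)
          ("app", "db.corp.example", 22)]      # a hostname: would silently depend on DNS


def resolve(label, hosts, reservations):
    """Map a label to an address without consulting DNS: a known host label
    yields its reserved IP, a literal IP passes through, anything else
    (i.e. a hostname) is refused."""
    if label in hosts:
        return reservations[hosts[label]]
    try:
        return str(ip_address(label))
    except ValueError:
        raise ValueError(f"{label!r} is a DNS name; the rule would depend on name resolution") from None


def dns_dependent_entries(policy, hosts, reservations):
    """Labels in the policy that could only be resolved through DNS."""
    bad = []
    for src, dst, _port in policy:
        for label in (src, dst):
            try:
                resolve(label, hosts, reservations)
            except ValueError:
                bad.append(label)
    return bad


def reservation_problems(reservations, pool, subnet):
    """Sanity checks on the reservation table: each fixed address must lie in the
    subnet, outside the dynamic pool (or a lease may collide with it), and be
    reserved for exactly one MAC."""
    lo, hi = pool
    owner = {}
    problems = []
    for mac, ip in reservations.items():
        addr = IPv4Address(ip)
        if addr not in subnet:
            problems.append(f"{mac}: {ip} is outside {subnet}")
        if lo <= addr <= hi:
            problems.append(f"{mac}: {ip} lies inside the dynamic pool {lo}-{hi}")
        if ip in owner:
            problems.append(f"{mac}: {ip} is also reserved for {owner[ip]}")
        owner.setdefault(ip, mac)
    return problems


def render_rules(policy, hosts, reservations):
    """Emit nftables-style rule text containing literal addresses only."""
    return [f"ip saddr {resolve(s, hosts, reservations)} "
            f"ip daddr {resolve(d, hosts, reservations)} tcp dport {port} accept"
            for s, d, port in policy]


if __name__ == "__main__":
    for problem in reservation_problems(RESERVATIONS, DYNAMIC_POOL, SUBNET):
        print("reservation problem:", problem)
    for label in dns_dependent_entries(POLICY, HOSTS, RESERVATIONS):
        print("refusing DNS-dependent entry:", label)
    clean = [entry for entry in POLICY if not dns_dependent_entries([entry], HOSTS, RESERVATIONS)]
    for rule in render_rules(clean, HOSTS, RESERVATIONS):
        print(rule)
```

Run as a script it reports the hostname entry and prints one rule for the app-to-db pair; the reservation check is what keeps a "static" firewall address from being handed to some other client by the dynamic pool.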
4

Another security issue not mentioned here yet, is the possibility of man-in-the-middle attacks.

If an attacker deploys a rogue DHCP server, he can essentially become the gateway, both for communication to the intranet and the internet.

Mitigation for this type of attack depends on the hardware used in the infrastructure. If your hardware supports blocking rules per port, disallow packets with source port 67.

If not, passively listening for rogue DHCP servers on the network is also an option.

Dog eat cat world
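Two of the answers above come down to looking at what a DHCP reply contains: sysadmin1138's point that the options in an offer disclose the network layout, and this answer's suggestion of passively listening for rogue DHCP servers. The block below is an added example, not code from either answer's author; it builds two constructed DHCP replies (a legitimate offer and one from an unauthorised server), parses the fixed header and the option TLVs, lists what an on-link listener learns from the options, and flags any OFFER or ACK whose server identifier (option 54) is not on the allowlist. The addresses, domain name and the allowlist are assumptions made for the example.

```python
"""Parse DHCP replies, list what their options disclose, and flag replies from
servers that are not on the authorised list. Sample packets are constructed
inline; nothing is captured from a real network."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
OPTION_NAMES = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 15: "domain_name",
                51: "lease_time", 53: "message_type", 54: "server_id", 119: "domain_search"}
MESSAGE_TYPES = {2: "OFFER", 5: "ACK"}
LAYOUT_OPTIONS = (1, 3, 6, 15, 119)         # options that describe the network itself
AUTHORISED_SERVERS = {"10.0.0.2"}           # constructed allowlist of DHCP server IPs


def build_dhcp_reply(xid, yiaddr, server, options):
    """Constructed BOOTREPLY for demonstration: fixed 236-byte header, cookie, options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed,
                        IPv4Address(server).packed, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(packet):
    """Return header fields of interest plus a dict of raw option values."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {"op": packet[0],
              "xid": struct.unpack("!I", packet[4:8])[0],
              "yiaddr": str(IPv4Address(packet[16:20])),
              "siaddr": str(IPv4Address(packet[20:24]))}
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        val = packet[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option value")
        opts[code] = val
        i += 2 + length
    fields["options"] = opts
    return fields


def decode_option(code, val):
    """Decode the handful of options this example cares about."""
    if code in (1, 3, 6, 54):
        addrs = [str(IPv4Address(val[j:j + 4])) for j in range(0, len(val) - len(val) % 4, 4)]
        return addrs[0] if code in (1, 54) else addrs
    if code == 15:
        return val.decode("ascii", "replace")
    if code == 51:
        return struct.unpack("!I", val)[0]
    if code == 53:
        return MESSAGE_TYPES.get(val[0], f"type{val[0]}")
    return val.hex()


def disclosed_layout(packet):
    """What a passive listener on the segment learns from one DHCP reply."""
    parsed = parse_dhcp(packet)
    out = {"offered_address": parsed["yiaddr"]}
    for code, val in parsed["options"].items():
        if code in LAYOUT_OPTIONS:
            out[OPTION_NAMES[code]] = decode_option(code, val)
    return out


def check_server(packet, authorised):
    """Return (server_ip, verdict) for OFFER/ACK; other message types are ignored."""
    parsed = parse_dhcp(packet)
    opts = parsed["options"]
    mtype = decode_option(53, opts[53]) if 53 in opts else "UNKNOWN"
    if mtype not in ("OFFER", "ACK"):
        return None, "ignored"
    server = decode_option(54, opts[54]) if 54 in opts else parsed["siaddr"]
    return server, "authorised" if server in authorised else "ROGUE"


LEGIT_OFFER = build_dhcp_reply(0x1234, "10.0.0.50", "10.0.0.2", [
    (53, b"\x02"), (54, IPv4Address("10.0.0.2").packed),
    (1, IPv4Address("255.255.255.0").packed), (3, IPv4Address("10.0.0.1").packed),
    (6, IPv4Address("10.0.0.53").packed + IPv4Address("10.0.0.54").packed),
    (15, b"corp.example"), (51, struct.pack("!I", 86400))])
ROGUE_OFFER = build_dhcp_reply(0x1234, "10.0.0.50", "10.0.0.99", [
    (53, b"\x02"), (54, IPv4Address("10.0.0.99").packed),
    (3, IPv4Address("10.0.0.99").packed)])    # unauthorised server naming itself as gateway

if __name__ == "__main__":
    print("legit offer discloses:", disclosed_layout(LEGIT_OFFER))
    for pkt in (LEGIT_OFFER, ROGUE_OFFER):
        print("server check:", check_server(pkt, AUTHORISED_SERVERS))
```

In a real deployment the same `check_server` logic would run over replies captured on UDP port 68 with the allowlist taken from the DHCP servers you actually operate; a "ROGUE" verdict with the router option pointing at an unknown host is exactly the man-in-the-middle setup this answer describes.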