"OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth."
In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :) neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava Sent: 16 January 2007 13:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) Sorry for the delay on getting back on this, had a few things piled up after New Year's... You're right on the fact that routers isolating the VLANs limit the impact of this issue... The "problem" is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to setup a DHCP server on each VLAN. Somebody suggested having a multi-homed DHCP server, with a "leg" on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a "hub" where all VLANs "come close"). OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the "multi-homed server" route... Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;) As always, a pleasure. Javier -----Mensaje original----- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de [EMAIL PROTECTED] Enviado el: martes, 09 de enero de 2007 9:35 Para: ActiveDir@mail.activedir.org Asunto: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact. neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava Sent: 08 January 2007 17:24 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) Hi, Neil!! That's another thing I'll have to look into :) I am aware that it's possile to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers. But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems. Thanks for the heads-up though. Javier Jarava -----Mensaje original----- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de [EMAIL PROTECTED] Enviado el: lunes, 08 de enero de 2007 14:33 Para: ActiveDir@mail.activedir.org Asunto: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers. neil ___________________________ Neil Ruston Global Technology Infrastructure Nomura International plc Telephone: +44 (0) 20 7521 3481 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: 08 January 2007 13:27 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP servers? (or how do you find it?) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava > Sent: 08 January 2007 12:20 > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP > servers? (or how do you find it?) > > Hi all! > > Just wondering, is there a way to "prevent" a rogue DCHP server from > playing havoc with a network? > > I have been digging into "dhcp security" but I haven't really found > anything that makes it possible to auth. a DHCP server, so that the > clients don't fall for a rogue one. > > >From what I've seen, the approach MS follows is that IF your DHCP > >server is > Windows-based, you have to "auth" it on the Domain. That prevents the > AD/infrastructure admins from shooting themselves on the foot by > having too many/improperly configured servers.. But that won't stop a > rogue VM from being a nuisance... > > I've found this problem in one of our customers sites. They use static > IP addressing, but we were setting up a few of their computers with a > different sw load and configuration, and they wanted to use DHCP to > make config changes more dynamic. When running on an isolated netowork > segment, all was fine, but once we moved "into" their network (to do a > pilot test) we found a DHCP server serving a range outside their own, > and really messing things up. You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the "wrong" classid. I think you can also control via group policy. > What's more, nmap'ing the server, it had a VMWARE-owned MAC and no > open ports whatsoever (tcp/udp), at least that I could find. Strange > ;) > Probably an XP system with the firewall on. A real pain to manage > We managed to overcome the issuse because the software load included > an IP filtering component, so we decided to block > UDP/67 and UDP/68 traffic from all IP addresses and only allow it for > 255.255.255.255 and the IP address of the servers we were going to > use... But using a whitelist is a bit of a PITA, so I was wondering if > there was some other "cleaner" way to do it.. > > Thank a lot in advance > > Javier J > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ma/default.aspx > > ********************************************************************** This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk ********************************************************************** List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
