"OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth."
In case you weren't sure - this is exactly what I was suggesting you
consider, in my first post :)
neil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 16 January 2007 13:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)
Sorry for the delay on getting back on this, had a few things piled up
after New Year's...
You're right on the fact that routers isolating the VLANs limit the
impact of this issue... The "problem" is that the idea is to
re-configure routers to forward DHCP traffic, so that we get DHCP
service on all VLANs from one/a few DHCP servers, instead of having to
setup a DHCP server on each VLAN.
Somebody suggested having a multi-homed DHCP server, with a "leg" on
each VLAN, so that we get containment and DHCP service on every VLAN. I
don't know at the moment if that's possible (I have to check with the
client, to see if their network topology has a "hub" where all VLANs
"come close").
OTOH, I am wondering if it'd be possible to configure the routers so
that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers
(something similar to what we've done with the local filtering on the
workstations)...
We'd still have problems with a rogue DHCP server in a VLAN, but we
wouldn't have to go the "multi-homed server" route...
Thanks a lot for the input received so far. It's made me explore several
options that I had not considered ;)
As always, a pleasure.
Javier
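The filter proposed above (let DHCPOFFER/DHCPACK/DHCPNAK through only when they come from an authorised server) and the "how do you find it?" question from the original post both come down to the same check: parse the BOOTP/DHCP reply, read the message type (option 53) and the server identifier (option 54), and compare the latter against an allow-list. The following is an added example written for this page, not code from anyone in the thread; the authorised-server addresses and the sample packets are constructed (RFC 5737 documentation ranges), and the same classifier could be fed real UDP/68 payloads from a capture to log rogue servers.

```python
"""
Added example (not from the thread): parse server-to-client DHCP messages and
apply Javier's proposed policy, i.e. accept OFFER/ACK/NAK only when the server
identifier (option 54) is on an allow-list of authorised DHCP servers. Any
other server identifier is reported as a rogue, which is the detection side.
All addresses and packets here are constructed sample data.
"""
import struct
from ipaddress import IPv4Address

BOOTREPLY = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_TO_CLIENT = {2, 5, 6}               # the message types the filter applies to

# Assumed allow-list of authorised DHCP servers (documentation addresses).
AUTHORISED_SERVERS = {IPv4Address("192.0.2.10"), IPv4Address("192.0.2.11")}


def parse_dhcp(payload: bytes) -> dict:
    """Return op, yiaddr and the option map of a BOOTP/DHCP payload.
    Raises ValueError for anything that is not a well-formed DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op = payload[0]
    yiaddr = IPv4Address(payload[16:20])   # address being handed to the client
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "options": options}


def classify(payload: bytes, authorised=AUTHORISED_SERVERS) -> tuple:
    """Apply the policy to one UDP/68 payload: returns (verdict, reason) with
    verdict 'allow', 'drop' or 'ignore' (ignore = not a server-to-client message)."""
    try:
        msg = parse_dhcp(payload)
    except ValueError as exc:
        return ("drop", str(exc))
    mtype = msg["options"].get(OPT_MSG_TYPE)
    if msg["op"] != BOOTREPLY or mtype is None or mtype[0] not in SERVER_TO_CLIENT:
        return ("ignore", "not a server-to-client DHCP message")
    name = MSG_NAMES.get(mtype[0], str(mtype[0]))
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return ("drop", "%s without a server identifier" % name)
    server = IPv4Address(sid)
    if server in authorised:
        return ("allow", "%s from authorised server %s" % (name, server))
    return ("drop", "ROGUE: %s from %s offering %s" % (name, server, msg["yiaddr"]))


def build_reply(msg_type: int, server_id: str, yiaddr: str) -> bytes:
    """Constructed sample DHCP reply (236-byte BOOTP header + cookie + options),
    used only to exercise the parser; not a captured packet."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        b"\x02\x00\x00\x00\x00\x01" + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + IPv4Address(server_id).packed + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    samples = [
        build_reply(2, "192.0.2.10", "192.0.2.50"),    # OFFER from an authorised server
        build_reply(5, "192.0.2.11", "192.0.2.50"),    # ACK from an authorised server
        build_reply(2, "198.51.100.7", "10.9.8.7"),    # OFFER from a rogue server
        b"not dhcp",                                   # junk on UDP/68
    ]
    for packet in samples:
        print(classify(packet))
```

Note that a router ACL can only key on the IP source address, not on option 54, so a rogue that spoofs an authorised server's address as its source still gets through; the option-54 check above is what a host-side filter or a detection sensor can add on top, and a rogue on the same VLAN as its victims never crosses the router at all, as Neil points out in the thread.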
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 09 January 2007 9:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)
Your last statement is true but then if routers restrict BOOTP traffic
as I describe, then the rogue DHCP server will only affect the VLAN on
which it exists. At least that way, you've reduced the impact.
neil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)
Hi, Neil!!
That's another thing I'll have to look into :) I am aware that it's
possible to do DHCP-proxy to pass along the DHCP requests to the proper
servers.
That's something that will have to be done, as the client's network is
split in different VLAN segments, and in multiple locations/sites, and
they'd like to have a reduced number of DHCP servers.
But, useful and necessary as it is, this won't prevent a rogue/malicious
DHCP server on the same LAN segment from playing havoc with the systems.
Thanks for the heads-up though.
Javier Jarava
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)
In addition to the below, routers can be configured to only forward
BOOTP packets to/from 'authorised' DHCP servers.
neil
___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
servers? (or how do you find it?)
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
> Sent: 08 January 2007 12:20
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Likely OT: :) Managing/preventing "rogue" DHCP
> servers? (or how do you find it?)
>
> Hi all!
>
> Just wondering, is there a way to "prevent" a rogue DHCP server from
> playing havoc with a network?
>
> I have been digging into "dhcp security" but I haven't really found
> anything that makes it possible to auth. a DHCP server, so that the
> clients don't fall for a rogue one.
>
> From what I've seen, the approach MS follows is that IF your DHCP
> server is Windows-based, you have to "auth" it on the Domain. That
> prevents the AD/infrastructure admins from shooting themselves in the
> foot by having too many/improperly configured servers.. But that won't
> stop a rogue VM from being a nuisance...
>
> I've found this problem in one of our customers sites. They use static
> IP addressing, but we were setting up a few of their computers with a
> different sw load and configuration, and they wanted to use DHCP to
> make config changes more dynamic. When running on an isolated network
> segment, all was fine, but once we moved "into" their network (to do a
> pilot test) we found a DHCP server serving a range outside their own,
> and really messing things up.
You could try using DHCP classid. If you set it on your clients when you
build them they will ignore anything with the "wrong" classid. I think
you can also control via group policy.
> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no
> open ports whatsoever (tcp/udp), at least that I could find. Strange
> ;)
>
Probably an XP system with the firewall on. A real pain to manage.
> We managed to overcome the issue because the software load included
> an IP filtering component, so we decided to block
> UDP/67 and UDP/68 traffic from all IP addresses and only allow it for
> 255.255.255.255 and the IP address of the servers we were going to
> use... But using a whitelist is a bit of a PITA, so I was wondering if
> there was some other "cleaner" way to do it..
>
> Thanks a lot in advance
>
> Javier J
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
>
**********************************************************************
This email, and any files transmitted with it, is confidential and
intended solely for the use of the individual or entity to whom they are
addressed. As a public body, the Council may be required to disclose
this email, or any response to it, under the Freedom of Information
Act 2000, unless the information in it is covered by one of the
exemptions in the Act.
If you receive this email in error please notify Stockport e-Services
via [EMAIL PROTECTED] and then permanently remove it from
your system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete
your copy from your system. You must not copy, distribute or take any
further action in reliance on it. Email is not a secure method of
communication and Nomura International plc ('NIplc') will not, to the
extent permitted by law, accept responsibility or liability for (a) the
accuracy or completeness of, or (b) the presence of any virus, worm or
similar malicious or disabling code in, this message or any
attachment(s) to it. If verification of this email is sought then please
request a hard copy. Unless otherwise stated this email: (1) is not, and
should not be treated or relied upon as, investment research; (2)
contains views or opinions that are solely those of the author and do
not necessarily represent those of NIplc; (3) is intended for
informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised
and regulated by the Financial Services Authority. Registered in
England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of
companies.