Manage Learn to apply best practices and optimize your operations.

Dynamic Host Configuration Protocol and security

What security considerations should I take into account when using Dynamic Host Configuration Protocol (DHCP) in...

a wide area network and local area network? Are there tools for securing DHCP?

There are two primary security concerns with DHCP. The first is in regard to who is allowed to obtain an IP address from your DHCP server. The second is protecting the DHCP server itself.

Most companies have taken the approach of simply trying to physically protect the access points to their network. If an intruder could physically connect to the network, he could get an IP address from the DHCP server. This becomes even more of an issue if you are using wireless access.

Others have attempted to solve this problem by using DHCP software that allows them to specify the Media Access Control address of the adapters allowed to obtain an IP address. This can be a high-maintenance solution if there is a lot of turnover in the equipment used on your network.

The DHCP server must be protected as well. It should not be accessible from the Internet. Some of the primary attacks against the DHCP servers have been denial-of-service (DoS) attacks. The DoS attacks can use up all the available IP addresses that the server can allocate, thus denying legitimate hosts the opportunity to get an IP address.

A decent paper written by Lasse Sundstrom on DHCP and related security problems can be found at http://www.cs.hut.fi/~ljs/dhcp/dhcp.pdf.


This was last published in July 2001

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments