
DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.




1 DHCP Security: DHCP Snooping and Security
David Mitchell, 03/19/2008

2 DHCP Snooping
- What is the danger
- How do we mitigate it
- How it works
- What NETS will need
- Futures

3 What is the danger
The DHCP server on a subnet performs some tasks that are important from a security point of view:
- It defines the default route. A malicious server could intercept all traffic leaving the subnet by handing out the wrong default route.
- It defines the DNS server. A malicious server could redirect traffic to incorrect web sites.

4 How do we mitigate it
Prevent every port on a subnet from being a valid source for DHCP server packets.
- Can be done with a simple VLAN Access List (VACL).
- Can also be done intelligently via DHCP snooping.

5 Futures
Once DHCP snooping is working and the binding tables are up to date, the screws can be tightened:
- The switch can inspect all ARP responses to ensure that their contents match the DHCP lease for that port.
- (Some) switches can inspect all packets to ensure the source MAC and IP match the DHCP lease.

6 More Info
http://www.cisl.ucar.edu/nets/internal/docs/trips/2007/dm-cisco-networkers-2007-notes/wednesday.html
Includes notes on layer 2 attacks and their mitigations.

7 How It Works
- The switch installs a VACL to intercept all DHCP packets and send them to the processor for interpretation.
- Snooping is enabled per VLAN on each switch.
- Ports in a VLAN are defined as trusted or untrusted depending on whether or not they are allowed to act as a DHCP server.

8 How It Works, Continued
- The switch tracks all DHCP requests and responses.
- It builds a table that defines which IP address and MAC binding is valid on each port.
- Optionally, it adds the switch name and port to DHCP requests so the DHCP server will have that information.

9 What NETS Will Need
- Primarily a list of which subnets are doing DHCP and which ports have DHCP servers connected to them.
- A list of which hosts are using static IP addresses. NETS may be able to autogenerate this to some extent. Increased usage of DHCP will reduce the need for this.
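The following Cisco IOS configuration is an added example that is not part of the original presentation; it ties together slides 4, 5, 7, 8 and 9 on one access switch. VLAN 10, the interface numbers, the relay address 10.10.0.1, the static host 10.10.0.50 / 0011.2233.4455 and the database file name are all assumptions made for the example. The VACL section assumes the legitimate DHCP server sits off-subnet and is reached through the router's relay, so the only acceptable source of server replies inside the VLAN is the relay itself.

```cisco
! ---- Slide 4: VACL that stops every port in VLAN 10 from sourcing DHCP server packets ----
! Assumption: real server replies enter the VLAN from the relay address 10.10.0.1.
ip access-list extended DHCP-SERVER-FROM-RELAY
 permit udp host 10.10.0.1 eq bootps any eq bootpc
ip access-list extended DHCP-SERVER-ANY
 permit udp any eq bootps any eq bootpc
!
vlan access-map BLOCK-ROGUE-DHCP 10
 match ip address DHCP-SERVER-FROM-RELAY
 action forward
vlan access-map BLOCK-ROGUE-DHCP 20
 match ip address DHCP-SERVER-ANY
 action drop
vlan access-map BLOCK-ROGUE-DHCP 30
 action forward
vlan filter BLOCK-ROGUE-DHCP vlan-list 10
!
! ---- Slides 7 and 8: DHCP snooping, enabled per VLAN, trusted vs. untrusted ports ----
ip dhcp snooping
ip dhcp snooping vlan 10
! Add the switch name and port (option 82) to relayed client requests (slide 8)
ip dhcp snooping information option
! Keep the binding table across reloads (file name is an assumption)
ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplink toward the router/relay: the only port allowed to act as a DHCP server
interface GigabitEthernet1/0/1
 description UPLINK-TO-CORE (trusted)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports are untrusted by default; server messages arriving here are dropped.
! The rate limit caps client DHCP traffic per port so one host cannot flood the CPU.
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ! Slide 5: IP Source Guard checks each packet's source IP against the binding table
 ip verify source
!
! ---- Slide 5: Dynamic ARP Inspection checks ARP replies against the bindings ----
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! ---- Slide 9: a host with a static address needs a manual binding, or IPSG/DAI drop it ----
ip source binding 0011.2233.4455 vlan 10 10.10.0.50 interface GigabitEthernet1/0/5
!
! Verification commands (output not shown):
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

Two practitioner caveats. First, with option 82 insertion enabled the switch forwards client requests carrying option 82 but a giaddr of 0.0.0.0; an upstream IOS relay drops such packets unless it is configured with ip dhcp relay information trust-all (or the next snooping switch has ip dhcp snooping information option allow-untrusted), so check that before turning on the option. Second, the static binding line is exactly the list from slide 9: every host with a static address that has no entry is dropped once DAI and IP Source Guard are switched on, which is why that inventory matters before the "screws are tightened".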




