Friday, September 6, 2013

Implement DHCP Snooping - rogue prevention

Why do we need to secure an enterprise DHCP server?


DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes. However, the most common DoS scenario is that of an end-user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.

DHCP snooping will drop DHCP messages from a DHCP server that is not trusted. Trusted DHCP servers are identified by configuring a switchport’s DHCP snooping trust state. DHCP server messages can flow through switchports that have a DHCP snooping trusted state. DHCP server messages will be dropped if attempting to flow through a switchport that is not trusted.

Now let us look at a small diagram I have created with a snooping switch and a DHCP L3 switch, with a rogue DHCP server inside the network.


First, enable DHCP snooping globally from the SNOOPER switch CLI.

SNOOPER(config)#ip dhcp snooping

I have created VLAN 100, so we must enable DHCP snooping for this VLAN.

SNOOPER(config)#ip dhcp snooping vlan 100

Then we must set up a trusted interface between SNOOPER and the DHCP server. This is a trunk interface carrying all VLANs.

SNOOPER(config)#int fa0/11
SNOOPER(config-if)#ip dhcp snooping trust

That is all one needs to do for basic DHCP snooping. It stops the rogue DHCP server's packets from reaching VLAN 100 and confusing the client PC.
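To make the trust decision described above concrete, here is a small Python model of the snooping logic, tied to the same topology as the configuration just shown: VLAN 100 snooped, fa0/11 trusted towards the real server, and a rogue server on an untrusted access port. This is an added example, not code from the original post or from Cisco IOS. It classifies each DHCP message by its BOOTP op code and option 53, forwards everything that arrives on a trusted port while learning the client binding from ACKs, and drops server messages (OFFER/ACK/NAK) that arrive on an untrusted port. The port names, MAC addresses, IP addresses and DHCP payloads are constructed for the scenario, and the check that the client hardware address matches the frame's source MAC mirrors the switch's verify-mac-address behaviour on untrusted ports; the whole thing is a simplification of how the feature behaves, not the switch's implementation.

```python
"""Toy model of DHCP snooping: trust-state filtering of DHCP messages (added example)."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the DHCP options field
BOOTREQUEST, BOOTREPLY = 1, 2             # BOOTP op codes: clients send requests, servers send replies
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # only a DHCP server legitimately sends these


def build_dhcp(op, chaddr, msg_type, yiaddr=bytes(4)):
    """Build a minimal BOOTP/DHCP payload (constructed sample data, not a capture)."""
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += bytes(4) + yiaddr + bytes(4) + bytes(4)   # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + bytes(16 - len(chaddr))          # chaddr padded to 16 bytes
    hdr += bytes(64 + 128)                           # sname and file, unused here
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])  # option 53 + end marker


def parse_dhcp(payload):
    """Extract the fields snooping needs: op code, client MAC, offered IP, message type."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, hlen = payload[0], payload[2]
    yiaddr = payload[16:20]
    chaddr = payload[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                   # end option
            break
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "chaddr": chaddr, "yiaddr": yiaddr,
            "type": MSG_NAMES.get(msg_type, "UNKNOWN")}


class DhcpSnooper:
    """Per-switch snooping state: enabled VLANs, trusted ports, learned bindings."""

    def __init__(self, vlans, trusted_ports):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.bindings = {}                # (vlan, client MAC) -> leased IP (the binding table)

    def inspect(self, vlan, port, src_mac, payload):
        """Return 'forward' or 'drop:<reason>' for one DHCP message seen on a port."""
        if vlan not in self.vlans:
            return "forward"              # snooping is not enabled on this VLAN
        msg = parse_dhcp(payload)
        if port in self.trusted:
            # Server replies from a trusted port pass; an ACK populates the binding table.
            if msg["op"] == BOOTREPLY and msg["type"] == "ACK":
                self.bindings[(vlan, msg["chaddr"])] = msg["yiaddr"]
            return "forward"
        if msg["op"] == BOOTREPLY or msg["type"] in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"
        if msg["chaddr"] != src_mac:
            # Mirrors the default verify-mac-address check on untrusted ports.
            return "drop:chaddr-does-not-match-source-mac"
        return "forward"


def run_scenario():
    """Replay the post's topology: VLAN 100 snooped, fa0/11 trusted, rogue server on fa0/7."""
    snooper = DhcpSnooper(vlans={100}, trusted_ports={"fa0/11"})
    client = bytes.fromhex("0011223344aa")        # constructed client MAC
    rogue = bytes.fromhex("00deadbeef01")         # constructed rogue server MAC
    server = bytes.fromhex("00aabbccdd01")        # constructed real server MAC
    results = {}
    results["client_discover"] = snooper.inspect(
        100, "fa0/5", client, build_dhcp(BOOTREQUEST, client, 1))
    results["rogue_offer"] = snooper.inspect(
        100, "fa0/7", rogue, build_dhcp(BOOTREPLY, client, 2, bytes([192, 168, 1, 50])))
    results["server_ack"] = snooper.inspect(
        100, "fa0/11", server, build_dhcp(BOOTREPLY, client, 5, bytes([10, 0, 100, 20])))
    results["spoofed_request"] = snooper.inspect(
        100, "fa0/5", client, build_dhcp(BOOTREQUEST, bytes.fromhex("000000000099"), 3))
    results["binding"] = snooper.bindings.get((100, client))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

Running the script prints one verdict per message: the client's DISCOVER on fa0/5 is forwarded, the rogue OFFER on fa0/7 is dropped because a server message arrived on an untrusted port, the real server's ACK on fa0/11 is forwarded and leaves a binding for the client in the table, and a REQUEST whose embedded client MAC does not match the frame's source MAC is dropped. On the real switch the equivalent state is visible with show ip dhcp snooping and show ip dhcp snooping binding.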

More options that can be set in a more complex scenario can be found at this link.

Thanks.
