
Stupid DHCP tricks

I thought up a neat way to let DHCP help keep a network secure. The way most DHCP servers are set up now, they hand out IP addresses to any system that appears on the network. Once the box is on the net, it can do all sorts of damage, like spread the Blaster worm.

I’m going to play around with making DHCP hand a “quarantine” IP address to any new system on the network, giving it no gateway, DNS or other options. Once that system has been vulnerability scanned and found clean, THEN it would get a real IP. The quarantine lease would have a very short lease time, so that once the system is cleared it picks up its new address almost immediately.

It won’t stop every problem, but it does add an extra measure of security to the network.
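Here is one way to express the quarantine idea in ISC dhcpd, as an added example that is not part of the original post. It uses dhcpd’s `known-clients` / `unknown-clients` permit lists: a client with a matching `host` declaration is “known” and gets the production pool; anything else lands in a quarantine pool that carries no router or DNS option and a very short lease. The `host` declaration is also the MAC-pinning approach suggested in the first comment below. The subnet, address ranges, lease times and the MAC address are assumptions made for the example.

```conf
# Added example, not the post's own config. Addresses, lease times and the
# MAC address below are assumed values; adjust to your network.
authoritative;
default-lease-time 3600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
    # Do NOT set "option routers" or "option domain-name-servers" at subnet
    # scope: they would be inherited by the quarantine pool as well.

    # Production pool: only hosts with a matching host declaration below.
    pool {
        range 192.168.1.100 192.168.1.199;
        deny unknown-clients;
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
    }

    # Quarantine pool: every client dhcpd has never been told about.
    # No router, no DNS, and a 2-minute lease so the client comes back
    # quickly once it has been approved.
    pool {
        range 192.168.1.200 192.168.1.250;
        allow unknown-clients;
        default-lease-time 120;
        max-lease-time 120;
    }
}

# Approving a host after a clean scan means adding a declaration like this
# (host declarations are global scope) and reloading dhcpd. No fixed-address
# is given, so the host draws from the production pool rather than bypassing it.
host approved-laptop {
    hardware ethernet 00:11:22:33:44:55;   # assumed MAC address
}
```

Two practical notes. First, because the quarantine lease is short, the client will try to renew within a minute; once its MAC is declared it is no longer permitted in the quarantine pool, so dhcpd refuses the renewal and the client goes back through discovery into the production pool, which is what gives the “immediately get its new address” behaviour the post describes. Second, as the comments point out, this only gates hosts that ask DHCP for an address; a statically configured host, or one that spoofs an approved MAC, bypasses it entirely, so it is a nudge for the unpatched and the lazy rather than an access control.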

  1. If you want to add more security, just hardcode the MAC addresses for legitimate devices in the DHCP table. If a new device is connected to the network, it won’t get an IP address (let alone the gateway, DNS, etc.) until you say so. This setup is more of a nuisance to administer, but it prevents your DHCP server from trusting every random stranger that shouts “Hey, I need IP config info!”

    Of course, this isn’t perfect. Nothing prevents someone from hardcoding the IP info in a device and using the network anyway…

  2. But the beauty of the idea is that the DHCP server can act as the pseudo-gatekeeper of the network. While it’s true that someone could hardcode their IP address, most lazy people won’t. And it’s the lazy people – those who don’t keep their systems patched – that I’m hoping to clean up before granting them access to my network.

    And I’m lazy too. 🙂 That’s why coding the MAC address isn’t an option.
