Network Computing is part of the Informa Tech Division of Informa PLC


Fixing DHCP NAC Enforcement: Page 2 of 2

Other enhancements include configuring switch ports with a MAC limit of one MAC per port, a nice feature on access switches to stop people from extending an ad-hoc network by connecting a hub or switch downstream. Ports can also be configured as trusted DHCP ports, meaning that DHCP server responses (OFFER and ACK) are passed only when they arrive on a trusted port and are dropped on untrusted access ports. That stops a rogue DHCP server from taking down your network, as well as a malicious attacker trying to establish a man-in-the-middle position via DHCP. In a later version of ExtremeXOS, multiple ACLs can be applied to a single port. If an unmanaged switch or hub is attached to a port, host ACLs applied to the switch port can restrict access to just those hosts that have successfully completed a DHCP lease request. Sounds robust enough, but there are still issues.

There are always issues
DHCP awareness is not switch- or fabric-wide. Laptops, handhelds, and other mobile computers tend to move from one physical port to another. When that happens, it is very possible that the host will simply renew its existing DHCP address on the new port, so the ACL then exists on both the old port and the new one. That's not a horrible problem, because an attacker would need to know which port the original host came from and what MAC and IP address it was using. But what should happen is that when a host moves from place to place, the outdated ACL is cleaned up as the new one is applied.

What I don't know is what happens if a host shows up on two ports. Discovering the IP and MAC address of a host within the same subnet is simple. If an attacker could pose as a legitimate host, using its MAC and IP, and complete a DHCP exchange of its own, it might gain access to the network as that host and so bypass the DHCP-based enforcement. That's a significant problem that doesn't seem to be addressed by Extreme at this time.
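To make the enforcement points from the two paragraphs above and the "other enhancements" paragraph concrete, here is a small Python model of a DHCP-snooping access switch. It is an added example, not code from the article and not ExtremeXOS code; the port names, the simplified four-message DHCP exchange, the one-binding-per-MAC policy and the event strings are all assumptions. It shows server messages being dropped on untrusted ports, the per-port MAC limit, a binding (host ACL) installed only once a lease completes, data traffic passing only on the port that holds the binding, the stale binding being removed when a host renews on a new port, and the same MAC appearing on a second port being flagged rather than silently accepted.

```python
"""Toy DHCP-snooping switch (added example; not ExtremeXOS, all names assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# DHCP message types, trimmed to the four-step lease exchange
DISCOVER, OFFER, REQUEST, ACK = "DISCOVER", "OFFER", "REQUEST", "ACK"
SERVER_MESSAGES = {OFFER, ACK}        # legitimate only when they arrive on a trusted port


@dataclass
class Binding:
    mac: str
    ip: str
    port: str   # the access port the lease was completed on; the "host ACL" lives here


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                                  # uplink ports allowed to source OFFER/ACK
    mac_limit: int = 1                                 # MACs allowed per access port (assumed policy)
    pending: Dict[str, str] = field(default_factory=dict)       # mac -> port of its last REQUEST
    bindings: Dict[str, Binding] = field(default_factory=dict)  # mac -> current binding
    events: List[str] = field(default_factory=list)

    def macs_on(self, port: str) -> Set[str]:
        """MACs the switch currently attributes to an access port (bound or mid-exchange)."""
        return ({m for m, b in self.bindings.items() if b.port == port}
                | {m for m, p in self.pending.items() if p == port})

    def dhcp(self, port: str, msg: str, mac: str, ip: Optional[str] = None) -> str:
        """Process one DHCP message seen on `port`; returns 'forward' or 'drop'."""
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:          # rogue server behind an access port
                self.events.append(f"rogue {msg} for {mac} dropped on untrusted {port}")
                return "drop"
            if msg == ACK and mac in self.pending:
                new_port = self.pending.pop(mac)
                old = self.bindings.get(mac)
                if old and old.port != new_port:  # host renewed from a different port: clean up
                    self.events.append(f"{mac} moved {old.port}->{new_port}; stale ACL removed")
                self.bindings[mac] = Binding(mac, ip, new_port)   # ACL now exists only on new_port
            return "forward"
        if port in self.trusted:                  # client messages from uplink: not our concern here
            return "forward"
        seen = self.macs_on(port)
        if mac not in seen and len(seen) >= self.mac_limit:   # hub/switch hung off the port
            self.events.append(f"MAC limit hit on {port}: {mac} dropped")
            return "drop"
        if msg == REQUEST:
            self.pending[mac] = port              # remember which access port asked for the lease
        return "forward"

    def forward_data(self, port: str, mac: str, ip: str) -> bool:
        """Host ACL check: pass data only if (mac, ip) completed a lease on this exact port."""
        if port in self.trusted:
            return True
        b = self.bindings.get(mac)
        if b is None or b.ip != ip:
            self.events.append(f"no lease for {mac}/{ip} on {port}: dropped")
            return False
        if b.port != port:                        # same MAC showing up on a second port
            self.events.append(f"{mac} bound on {b.port} but seen on {port}: possible impersonation, dropped")
            return False
        return True


def run_scenario() -> dict:
    """Constructed walk-through of the cases raised in the text; returns results by name."""
    sw = SnoopingSwitch(trusted={"uplink"})
    a, b, ip_a = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "10.0.0.10"
    r = {}
    r["rogue_offer"] = sw.dhcp("port1", OFFER, a, "10.0.0.99")     # rogue server on an access port
    sw.dhcp("port1", DISCOVER, a)
    sw.dhcp("uplink", OFFER, a, ip_a)
    sw.dhcp("port1", REQUEST, a)
    r["ack_a"] = sw.dhcp("uplink", ACK, a, ip_a)                   # lease completes, ACL on port1
    r["mac_limit"] = sw.dhcp("port1", DISCOVER, b)                 # second MAC behind a hub on port1
    r["data_ok"] = sw.forward_data("port1", a, ip_a)
    r["spoof_other_port"] = sw.forward_data("port2", a, ip_a)      # host a's MAC/IP appears on port2
    sw.dhcp("port2", REQUEST, a)                                   # host a really moves and renews
    sw.dhcp("uplink", ACK, a, ip_a)
    r["old_port_after_move"] = sw.forward_data("port1", a, ip_a)
    r["new_port_after_move"] = sw.forward_data("port2", a, ip_a)
    r["binding_port"] = sw.bindings[a].port
    r["events"] = list(sw.events)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The one design choice worth noting is that `forward_data` keys the check on the port, not just on the (MAC, IP) pair: that is what turns a lease into a host ACL rather than a subnet-wide allow entry, and it is why the model can tell a genuine move (a REQUEST/ACK cycle on the new port, which replaces the binding) from a clone of the host's addresses that never completed an exchange there. It does not solve the case the article leaves open, an attacker who clones the MAC and completes a full exchange on a second port; in this model that simply looks like a move and evicts the legitimate host's binding, which is exactly the question to put to a vendor.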

DHCP awareness is a relatively new set of features on access switches. A vendor's claim that a switch has DHCP snooping or enforcement may not mean what you think it does. You need to ask vendors what happens in various cases, such as:

  • What happens if a host impersonates an existing host?
  • How much DHCP state is maintained on the switch?
  • How is mobility addressed? Specifically, what happens if a host moves from port to port?
  • Is the DHCP awareness switch wide or fabric wide?

Getting answers to those questions will give you a better idea of how strong DHCP enforcement will be.