Fixing DHCP NAC Enforcement

February 5, 2007

Network Computing

Extreme's ExtremeXOS 11.6, available on the X450 and BlackDiamond switches, is getting an uplift that starts to make DHCP NAC enforcement comparable to 802.1X for enforcement. The feature enhancement tracks DHCP leases as they are handed out and applies ACLs on access ports. Extreme has a solid foundation that enhances NAC DHCP enforcement, but it needs to work on a few niggling but critical details with handling mobile computers before it is truly enterprise ready.

DHCP lease awareness is not new. Cisco has features in IOS 12 called DHCP Snooping and IP Source Guard that offer similar functionality. Switching software from other infrastructure vendors, like Foundry Networks and Nortel, also has DHCP snooping features.

The weakness of DHCP enforcement for any kind of access control or network engineering is well known. Ofir Arkin articulated the problems in a presentation at Black Hat 2006 titled Bypassing Network Access Control (NAC) Systems, and they shouldn't have been an earth-shattering revelation to anyone in networking. The easiest way to bypass DHCP enforcement is to statically assign your host an IP address. In addition, spoofing an authorized DHCP server makes man-in-the-middle attacks child's play.

Extreme's response to the mobility gap that I saw is that the new features are the first iteration of their DHCP control, which was really aimed at thwarting casual attempts to defeat DHCP enforcement. Better enforcement is achieved through a defense in depth strategy. I agree that their technology will thwart the casual problems of trying to bypass DHCP NAC enforcement (think office worker who wants to get on the network but for whatever reason doesn't want to call tech support), but I don't agree that defense in depth (throwing more products at the problem) is the best strategy.

DHCP Enforcement

DHCP is a way to manage IP addresses in a LAN dynamically. An IP address pool is allocated and as hosts join the network, an address is removed from the pool and given out for a period of time. If the host stops using the IP address, the address can be recycled. It's a good way to manage a scarce resource. In addition, DHCP is used to configure the host. There is really no requirement for a host to use DHCP other than ease of use. You can easily bypass DHCP NAC enforcement by configuring your computer's IP address statically, provided you know the IP address range and required parameters like subnet mask and DNS servers for the network you are connecting to.

The only way to defeat DHCP bypassing is to have something in the network that knows what leases have been passed out to hosts and enforces only the authentic leases. Extreme is taking steps towards that goal with ExtremeXOS 11.6. DHCP awareness is configured on a per-port basis. The switch monitors the DHCP exchange, extracts the DHCP IP address and host MAC address, and binds those items together in an access control list (ACL) on the switch port. If the host tries to change its IP address manually or attempts to access the network without using DHCP, the packets will be blocked at the switch port. Likewise, if the DHCP lease expires and the host is no longer on that port, the ACL will be removed.

What is compelling about DHCP enforcement coupled with switch knowledge about DHCP leases is that you can still manage your IP space using DHCP, including managing network access control, without having to make big changes to your IP address management strategy. Plus, switch-based DHCP enforcement is probably as granular as 802.1X without having to roll out a whole new infrastructure just for 802.1X. In addition, DHCP awareness is independent of DHCP NAC enforcement.

Other enhancements include configuring switch ports with a MAC limit of one MAC per port, a nice feature on access switches to stop people from extending an ad-hoc network by connecting a hub or switch downstream. Ports can also be configured as trusted DHCP ports, meaning that only trusted DHCP ports will pass DHCP responses from DHCP servers. That stops the rogue DHCP server from taking down your network as well as the malicious attacker trying to establish man-in-the-middle via DHCP. In a later version of ExtremeXOS, multiple ACLs can be applied to a single port. If an unmanaged switch or hub is attached to a port, host ACLs applied to the switch port can restrict access just to hosts that have successfully completed DHCP lease requests. Sounds robust enough, but there are still issues.

There are always issues

DHCP awareness is not switch or fabric wide. Laptops, handhelds, and other mobile computers tend to move from one physical port to another. However, when that happens, it is very possible that the host will simply renew its existing DHCP address on a new port, so the ACL exists on both the old port and the new one. That's not a horrible problem because an attacker would need to know what port and configuration the original host came from. But what should happen is that when a host moves from place to place, outdated ACLs should be cleaned up as new ones are applied.
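The lease-to-ACL binding and the stale-ACL gap described above, as an added example (not Extreme's code and not part of the original article): a toy Python model of a snooped-lease binding table. The class, method names, port labels and addresses are constructed for illustration; fabric_wide=True models the cleanup the article says should happen when a host moves.

```python
class BindingTable:
    """Toy model of DHCP-lease-aware port ACLs (hypothetical names)."""

    def __init__(self, fabric_wide=False):
        self.fabric_wide = fabric_wide
        self.ports = {}  # port -> {mac: (leased_ip, expiry_time)}

    def on_dhcp_ack(self, port, mac, ip, lease_secs, now):
        """The switch snooped a DHCP lease handed to `mac` on `port`."""
        if self.fabric_wide:
            # Clean up bindings this MAC left behind on other ports.
            for other, table in self.ports.items():
                if other != port:
                    table.pop(mac, None)
        self.ports.setdefault(port, {})[mac] = (ip, now + lease_secs)

    def permit(self, port, mac, src_ip, now):
        """ACL check: forward only traffic matching a live lease on this port."""
        entry = self.ports.get(port, {}).get(mac)
        if entry is None:
            return False              # host never completed DHCP on this port
        ip, expiry = entry
        if now >= expiry:
            del self.ports[port][mac]  # lease expired: remove the ACL
            return False
        return ip == src_ip            # statically changed address is blocked

    def ports_permitting(self, mac, ip, now):
        """Every port whose ACL would currently admit this MAC/IP pair."""
        return sorted(p for p in list(self.ports) if self.permit(p, mac, ip, now))


def demo(fabric_wide):
    table = BindingTable(fabric_wide)
    mac, ip = "00:11:22:33:44:55", "10.0.0.50"     # constructed sample values
    table.on_dhcp_ack("1:1", mac, ip, 3600, now=0)
    static_blocked = not table.permit("1:1", mac, "10.0.0.99", now=10)
    table.on_dhcp_ack("1:7", mac, ip, 3600, now=100)  # laptop moves and renews
    return static_blocked, table.ports_permitting(mac, ip, now=200)


if __name__ == "__main__":
    print("per-port state:   ", demo(fabric_wide=False))
    print("fabric-wide state:", demo(fabric_wide=True))
```

With per-port state only, the binding on the old port stays valid until its lease timer runs out; with shared state it is withdrawn as soon as the lease is seen on the new port.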

What I don't know is what happens if a host shows up on two ports. For example, discovering a host IP and MAC address within the same subnet is simple. If an attacker could successfully pose as a legitimate host and complete a DHCP cycle, it might be able to access the network, bypassing DHCP. That's a significant problem that doesn't seem to be addressed by Extreme at this time.

DHCP awareness is a relatively new set of features on access switches. Vendor claims that a switch has DHCP snooping or enforcement may not mean what you think it does. You need to ask vendors about what happens in various cases such as:

  • What happens if a host impersonates an existing host?

  • How much DHCP state is maintained on the switch?

  • How is mobility addressed? Specifically, what happens if a host moves from port to port?

  • Is the DHCP awareness switch wide or fabric wide?

Getting answers to those questions will give you a better idea of how strong DHCP enforcement will be.