DHCP itself provides no security. The server has no way to tell a legitimate request from a malicious one, because a client is identified only by the hardware (MAC) address it places in its own request, and any client can forge that field. An attacker can therefore exhaust a scope by sending a stream of requests with different spoofed MAC addresses until every address in the range is leased (a DHCP starvation attack), leaving legitimate clients unable to obtain an address. For this and other reasons, physical network security must remain a high priority. Although the point might seem obvious, keeping potential intruders off the wire is essential not only for DHCP but for every network service that is prone to denial-of-service attacks. This includes auditing the security of wireless networks, such as 802.11b, which can (and often do) give malicious users unrestricted access to the wired network.
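The starvation pattern described above is visible in the Windows DHCP server audit log, so an administrator can detect it even though the protocol cannot prevent it. The following PowerShell is an added example, not code from the book: it builds a constructed set of audit-log lines (a few normal leases, then a burst of leases to many never-seen MAC addresses, then a pool-exhausted event) and flags windows in which the number of distinct newly leased MACs exceeds a threshold. The column order follows the first seven fields of the audit log; the descriptions, window size and threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the book): flag a DHCP starvation pattern in the
# Windows DHCP server audit log (DhcpSrvLog-<Day>.log under %windir%\System32\dhcp).
# The lines below are constructed, not a real capture; they follow the first seven
# audit-log columns (ID,Date,Time,Description,IP Address,Host Name,MAC Address)
# with shortened descriptions. Event ID 10 = a new address was leased,
# ID 14 = a request failed because the scope's address pool was exhausted.

$normalTraffic = @'
10,05/20/24,08:58:10,Assign,10.1.1.20,fin-pc-01.corp.local,00155D010203
11,05/20/24,08:59:42,Renew,10.1.1.21,fin-pc-02.corp.local,00155D010204
'@

# Constructed burst: 40 leases to sequential, never-before-seen MACs within a few
# seconds, followed by the scope running dry (ID 14).
$burst = (1..40 | ForEach-Object {
    '10,05/20/24,09:00:{0:D2},Assign,10.1.1.{1},,E2B5C1{2:X6}' -f ($_ % 10), (100 + $_), $_
}) -join "`n"
$exhausted = '14,05/20/24,09:00:05,Scope Full,10.1.1.0,,E2B5C1000041'

$header = 'ID','Date','Time','Description','IPAddress','HostName','MACAddress'
$events = "$normalTraffic`n$burst`n$exhausted" -split "`n" | ConvertFrom-Csv -Header $header

function Find-DhcpStarvation {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60,   # sliding window to examine (assumed tuning value)
        [int] $Threshold     = 20    # distinct new-lease MACs per window that is suspicious
    )
    # Keep only new leases (ID 10) and parse the audit log's MM/dd/yy date format.
    $leases = $Events |
        Where-Object { $_.ID -eq '10' } |
        ForEach-Object {
            [pscustomobject]@{
                Time = [datetime]::ParseExact("$($_.Date) $($_.Time)", 'MM/dd/yy HH:mm:ss',
                                              [cultureinfo]::InvariantCulture)
                MAC  = $_.MACAddress
            }
        } | Sort-Object Time

    $findings = [System.Collections.Generic.List[object]]::new()
    for ($i = 0; $i -lt $leases.Count; $i++) {
        $windowEnd = $leases[$i].Time.AddSeconds($WindowSeconds)
        $inWindow  = @($leases[$i..($leases.Count - 1)] | Where-Object { $_.Time -le $windowEnd })
        $distinct  = @($inWindow.MAC | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            $findings.Add([pscustomobject]@{
                Type         = 'LeaseBurst'
                Start        = $leases[$i].Time
                DistinctMACs = $distinct
                SampleMACs   = ($inWindow.MAC | Select-Object -First 3) -join ','
            })
            break   # the first window over the threshold is enough to raise an alert
        }
    }
    # Pool exhaustion is the direct symptom of a successful attack; report it even
    # when the burst was spread out enough to stay under the lease-rate threshold.
    foreach ($e in ($Events | Where-Object { $_.ID -eq '14' })) {
        $findings.Add([pscustomobject]@{
            Type         = 'PoolExhausted'
            Start        = "$($e.Date) $($e.Time)"
            DistinctMACs = 0
            SampleMACs   = $e.MACAddress
        })
    }
    return $findings
}

Find-DhcpStarvation -Events $events | Format-Table -AutoSize
```

On a production server, replace the constructed here-strings with `Get-Content` of the current DhcpSrvLog file (skipping its header block) and run the function on a schedule; a `LeaseBurst` finding with sequential or random-looking MACs is the signature of a starvation tool, while `PoolExhausted` events on a scope that normally has headroom warrant immediate investigation.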
When DHCP services must be secured, enable link layer filtering on the server and use both the Allow and Deny lists. With the Allow list enforced, only clients whose MAC addresses are on the list receive a lease and all others are ignored; the Deny list blocks specific known-bad addresses regardless of the Allow list. Because MAC addresses are easily spoofed, treat this as one layer of defense rather than a complete control, and note that the filter applies to the whole DHCP server, not to individual scopes. In addition, a Network Policy Server (NPS) with an appropriate health policy can be deployed, and the DHCP server configured to check a client's health information with NPS and refuse a lease if the system does not meet the policy. Keep in mind that DHCP enforcement is the weakest form of network access protection, because a client can bypass it simply by configuring a static IP address. More information on Network Policy Servers can be found in Chapter 15.
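The link layer filtering configuration described above, as an added example rather than code from the book. It uses the `DhcpServer` PowerShell module (available on Windows Server 2012 and later; on Windows Server 2008 R2 the same settings are reached through `netsh dhcp server v4 ... filter`, whose exact syntax you can confirm with `netsh dhcp server v4 add filter ?`). The device inventory is constructed; in practice it would come from your asset database. The MAC addresses, descriptions and the `Test-MacFormat` helper are assumptions for the example.

```powershell
# Added example (not from the book): populate the DHCP server's link-layer (MAC)
# filter from an inventory of approved and blocked devices, then enforce both
# lists. Requires the DhcpServer module and membership in DHCP Administrators.
# The inventory below is constructed sample data.

$approved = @'
MAC,Description
00-15-5D-01-02-03,Finance workstation FIN-PC-01
00-15-5D-01-02-04,Finance workstation FIN-PC-02
00-15-5D-01-02-05,Lobby printer
'@ | ConvertFrom-Csv

$blocked = @'
MAC,Description
DE-AD-BE-EF-00-01,Unknown device seen requesting leases in audit log
'@ | ConvertFrom-Csv

# Hypothetical helper: reject anything that is not six dash-separated hex pairs
# so a malformed inventory row cannot silently create a useless filter entry.
function Test-MacFormat {
    param([string] $Mac)
    return $Mac -match '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$'
}

foreach ($device in $approved) {
    if (-not (Test-MacFormat $device.MAC)) {
        Write-Warning "Skipping malformed MAC '$($device.MAC)' ($($device.Description))"
        continue
    }
    Add-DhcpServerv4Filter -List Allow -MacAddress $device.MAC -Description $device.Description
}

foreach ($device in $blocked) {
    if (-not (Test-MacFormat $device.MAC)) {
        Write-Warning "Skipping malformed MAC '$($device.MAC)' ($($device.Description))"
        continue
    }
    Add-DhcpServerv4Filter -List Deny -MacAddress $device.MAC -Description $device.Description
}

# Turn enforcement on for both lists. Until -Allow $true is set, the Allow list is
# only a record and every client is still served; with it set, any MAC absent from
# the list (including the forged addresses of a starvation attack) is ignored.
Set-DhcpServerv4FilterList -Allow $true -Deny $true

# Verify what the server will actually enforce.
Get-DhcpServerv4FilterList
Get-DhcpServerv4Filter -List Allow | Format-Table MacAddress, Description -AutoSize
Get-DhcpServerv4Filter -List Deny  | Format-Table MacAddress, Description -AutoSize
```

Enable the Allow list only after the inventory is complete, since every unlisted client, including servers and network gear that rely on DHCP, stops receiving addresses the moment enforcement is switched on; stage the change on a test scope or during a maintenance window and watch the audit log for clients being dropped.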