stevenski


DHCP leased addresses to servers on a dedicated server subnet?

Hi all.

I'm hoping someone can help me out with an answer regarding potential security issues with enabling DHCP on a dedicated server subnet, i.e. allowing servers to obtain DHCP-leased addresses.

A number of government organizations I have consulted for over the years have often stated that it is a security-based decision not to allow a DHCP server to lease addresses to dedicated server subnets. Yes, in a LARGE number of cases, why would you even want a server to have a DHCP lease? Just assign a static. But in the virtual world, sysprepped / cloned machines are becoming more and more common, and they require DHCP if you want to automate joining a domain (among numerous other things). Ever tried to assign a static IP address to a sysprepped Windows Server 2008 cloned virtual server before the logon box is displayed? While possible, it's a pain in the 'a'.

Anyway, I'm getting off topic. I'd really just like to know of any security issues you guys might know of, other than '...but someone might get access to our server switch, which is in a security-coded room in a locked cabinet that requires a PIN and swipe card to get the key from the key safe, plug their rogue laptop into a spare port and get an address' ;-)

Thanks for listening.

stevenski.
ASKER CERTIFIED SOLUTION
Dave Howe

You can assign permanent IP addresses by MAC address.
Yes, MAC addresses can be spoofed, and thus an attacker can gain an IP address.
But... if you're already on the LAN, why not just assign the IP address manually? If there is no conflict, you don't even have to worry about someone getting booted and raising a flag.

If the servers are segregated in their own subnet for security, there should be a firewall controlling access to that subnet. The rules/flags should be there.

There shouldn't be the ability to get access directly (public internet), remotely (VPN) or physically (facility security).
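The answer above makes two practical points: hand out addresses to servers only by MAC reservation, and accept that a spoofed MAC can still collect a reserved lease, so something has to notice when that happens. The script below is an added example (not from the original post, and not Dave Howe's or Experts Exchange's code) that does both: it renders an ISC dhcpd-style subnet that refuses unknown clients and fixes each server's address by MAC, and it audits dhcpd-style DHCPACK syslog lines against that reservation table, flagging any lease to an unreserved MAC, any reserved MAC that turns up on a different address, and any reserved MAC whose client-supplied hostname does not match. The reservation table, subnet 10.10.20.0/24, host names and log lines are all constructed for the example; the hostname check is only a weak signal, since a client that spoofs a MAC can just as easily spoof the hostname, and the comments say so.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed reservation table for a hypothetical server subnet:
# MAC -> (expected fixed address, expected client hostname).
RESERVATIONS: Dict[str, Tuple[str, str]] = {
    "00:50:56:a1:00:01": ("10.10.20.11", "app01"),
    "00:50:56:a1:00:02": ("10.10.20.12", "app02"),
    "00:50:56:a1:00:03": ("10.10.20.13", "db01"),
}

# Constructed syslog lines in ISC dhcpd style. Line 3 is a reserved MAC
# (db01's) used by a client calling itself "kali"; line 4 is an unknown MAC
# that received a dynamic lease; line 5 is a DISCOVER with no free leases.
SAMPLE_LOG = """\
Jan 12 09:01:02 dhcp1 dhcpd: DHCPACK on 10.10.20.11 to 00:50:56:a1:00:01 (app01) via eth1
Jan 12 09:01:10 dhcp1 dhcpd: DHCPACK on 10.10.20.12 to 00:50:56:a1:00:02 (app02) via eth1
Jan 12 09:02:33 dhcp1 dhcpd: DHCPACK on 10.10.20.13 to 00:50:56:a1:00:03 (kali) via eth1
Jan 12 09:03:41 dhcp1 dhcpd: DHCPACK on 10.10.20.57 to 3c:22:fb:11:22:33 (laptop) via eth1
Jan 12 09:04:00 dhcp1 dhcpd: DHCPDISCOVER from 3c:22:fb:11:22:33 via eth1: network 10.10.20.0/24: no free leases
"""

# "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via (\S+)"
)


@dataclass
class Finding:
    kind: str          # unreserved_mac | ip_mismatch | hostname_mismatch
    ip: str
    mac: str
    hostname: Optional[str]


def render_dhcpd_conf(reservations: Dict[str, Tuple[str, str]],
                      network: str, netmask: str) -> str:
    """Render the hardened form of the subnet: no dynamic range, unknown
    clients denied, and one fixed-address host block per reserved MAC.
    (The weak form would instead carry a 'range' line and no deny.)"""
    lines = [
        f"subnet {network} netmask {netmask} {{",
        "  deny unknown-clients;   # reserved MACs only, no dynamic pool",
        "}",
        "",
    ]
    for mac, (ip, host) in sorted(reservations.items(), key=lambda kv: kv[1][0]):
        lines += [
            f"host {host} {{",
            f"  hardware ethernet {mac};",
            f"  fixed-address {ip};",
            "}",
        ]
    return "\n".join(lines) + "\n"


def audit(log_text: str, reservations: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Compare every DHCPACK in the log against the reservation table."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/NAK lines carry no granted address
        ip, mac, hostname, _iface = m.groups()
        mac = mac.lower()
        reserved = reservations.get(mac)
        if reserved is None:
            # A lease went to a MAC with no reservation: either the server
            # still has a dynamic pool, or the table is out of date.
            findings.append(Finding("unreserved_mac", ip, mac, hostname))
            continue
        exp_ip, exp_host = reserved
        if ip != exp_ip:
            findings.append(Finding("ip_mismatch", ip, mac, hostname))
        if hostname is not None and hostname != exp_host:
            # Weak signal only: a MAC spoofer controls the hostname too.
            findings.append(Finding("hostname_mismatch", ip, mac, hostname))
    return findings


if __name__ == "__main__":
    print(render_dhcpd_conf(RESERVATIONS, "10.10.20.0", "255.255.255.0"))
    for f in audit(SAMPLE_LOG, RESERVATIONS):
        print(f"{f.kind:18} ip={f.ip} mac={f.mac} hostname={f.hostname}")
```

Run as-is it prints the hardened subnet and host blocks, then two findings: a hostname mismatch for db01's reserved MAC and an unreserved-MAC lease for 3c:22:fb:11:22:33. In practice you would feed it the real reservation export and the DHCP server's log, and route findings to the same place the firewall in front of the subnet sends its denies.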
stevenski

ASKER

Thanks for giving me options, Dave. I guess I was hoping for a solid answer as to 'why' as opposed to workarounds. Still, I learnt something. Cheers.