
DHCP leased addresses to servers on a dedicated server subnet?

Hi all.

I'm hoping someone can help me out with an answer regarding potential security issues with enabling DHCP on a dedicated server subnet, i.e. allowing servers to obtain DHCP-leased addresses.

A number of government organizations I have consulted for over the years have often stated that it is a security-based decision not to allow a DHCP server to lease addresses to dedicated server subnets. Yes, in a LARGE number of cases, why would you even want a server to have a DHCP lease? Just assign a static. But in the virtual world, sysprepped / cloned machines are becoming more and more common, and they require DHCP if you want to automate joining a domain (among numerous other things). Ever tried to assign a static IP address to a sysprepped Windows Server 2008 cloned virtual server before the logon box is displayed? While possible, it's a pain in the 'a'.

Anyway, I'm getting off topic. I'd really just like to know of any security issues you guys might know of other than '...but someone might get access to our server switch, which is in a security-coded room in a locked cabinet that requires a PIN and swipe card to get the key from the key safe, plug their rogue laptop into a spare port and get an address' ;-)

Thanks for listening.

1 Solution
Dave Howe commented:
DHCP assignment can be bound to MAC address, so it is little if any less secure than assigning it directly on the hardware, but with the bonus that all your config is in one place (so if you need to renumber or something, there is only one file to change, not 50 GUI options across 50 hosts).

You can also get a boot log for free (so detect when something reboots) and so forth.

Cisco has some really nice security options along these lines: J. Random User can plug in their laptop, get a DHCP address... and find themselves on a completely different VLAN if the DHCP server didn't like the MAC it got (or expected an X.509 certificate but didn't get one).

That means it doesn't matter which port which type of device is plugged into; it ends up in the right subnet with the right type of IP, regardless of whether it is a server, printer, authorized workstation or visitor's device.
You can assign permanent IP addresses by MAC address.
Yes, MAC addresses can be spoofed, and thus gain an IP address.
But... if you're already on the LAN, why not just assign the IP address manually? If there is no conflict, you don't even have to worry about someone getting booted and raising a flag.

If the servers are segregated in their own subnet for security, there should be a firewall controlling access to that subnet. The rules/flags should be there.

There shouldn't be the ability to get access directly (public internet), remotely (VPN) or physically (facility security).
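The two points made above, that MAC-bound reservations keep all addressing config in one file and that the DHCP log doubles as a boot/new-device log, can be put into practice with a small audit script. The following is an added example, not code from the thread or from any DHCP product: it assumes ISC dhcpd's standard syslog message format for DHCPDISCOVER/DHCPACK lines, renders the reservation table as dhcpd `host` blocks, and flags (a) reboots of known servers, (b) leases handed to MACs that are not in the reservation table, and (c) known servers that received an address other than their reserved one. All host names, MAC addresses, IP addresses and log lines are constructed sample data.

```python
"""Reconcile ISC dhcpd syslog lines against a MAC reservation table.

Added example, not part of the original thread. Assumes ISC dhcpd's
syslog format ("DHCPDISCOVER from <mac> via <if>", "DHCPACK on <ip> to
<mac> (<name>) via <if>"). All hosts, MACs, addresses and log lines below
are constructed sample data.
"""
import re
from collections import namedtuple

# The "one place" for addressing config: MAC -> (hostname, fixed address).
# Constructed sample data.
RESERVATIONS = {
    "00:50:56:aa:01:01": ("srv-web01", "10.20.0.11"),
    "00:50:56:aa:01:02": ("srv-db01", "10.20.0.12"),
}

# Constructed dhcpd syslog lines: one normal server boot, one unknown
# client obtaining a lease, and one known server acked on the wrong address.
SAMPLE_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:aa:01:01 via eth1
Mar  3 08:12:01 dhcp1 dhcpd: DHCPOFFER on 10.20.0.11 to 00:50:56:aa:01:01 (srv-web01) via eth1
Mar  3 08:12:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.11 (10.20.0.2) from 00:50:56:aa:01:01 (srv-web01) via eth1
Mar  3 08:12:02 dhcp1 dhcpd: DHCPACK on 10.20.0.11 to 00:50:56:aa:01:01 (srv-web01) via eth1
Mar  3 09:40:17 dhcp1 dhcpd: DHCPDISCOVER from 3c:97:0e:12:34:56 via eth1
Mar  3 09:40:17 dhcp1 dhcpd: DHCPOFFER on 10.20.0.150 to 3c:97:0e:12:34:56 (laptop) via eth1
Mar  3 09:40:18 dhcp1 dhcpd: DHCPACK on 10.20.0.150 to 3c:97:0e:12:34:56 (laptop) via eth1
Mar  3 10:05:44 dhcp1 dhcpd: DHCPACK on 10.20.0.99 to 00:50:56:aa:01:02 (srv-db01) via eth1
"""

Event = namedtuple("Event", "ts kind mac ip")

_MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
_TS = r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd: "
_DISCOVER = re.compile(_TS + r"DHCPDISCOVER from " + _MAC)
_ACK = re.compile(_TS + r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to " + _MAC)


def render_dhcpd_hosts(reservations):
    """Emit ISC dhcpd `host` blocks (one reservation each) from the table."""
    blocks = ["# Generated reservations; pair with 'deny unknown-clients;' in the server pool."]
    for mac, (name, ip) in sorted(reservations.items(), key=lambda kv: kv[1][0]):
        blocks.append(
            f"host {name} {{\n  hardware ethernet {mac};\n  fixed-address {ip};\n}}"
        )
    return "\n".join(blocks)


def parse_events(log_text):
    """Extract DISCOVER and ACK events; other dhcpd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = _ACK.match(line)
        if m:
            events.append(Event(m["ts"], "ACK", m["mac"].lower(), m["ip"]))
            continue
        m = _DISCOVER.match(line)
        if m:
            events.append(Event(m["ts"], "DISCOVER", m["mac"].lower(), None))
    return events


def audit(events, reservations):
    """Classify events: server boots, unknown clients, reservation mismatches."""
    report = {"boots": [], "unknown_clients": [], "address_mismatch": []}
    for ev in events:
        known = reservations.get(ev.mac)
        if ev.kind == "DISCOVER" and known:
            # A DISCOVER from a reserved MAC is the free "boot log" entry.
            report["boots"].append((ev.ts, known[0]))
        elif ev.kind == "ACK":
            if known is None:
                # Lease granted to a MAC with no reservation: worth an alert.
                report["unknown_clients"].append((ev.ts, ev.mac, ev.ip))
            elif ev.ip != known[1]:
                # Reserved host got a different address: config drift.
                report["address_mismatch"].append((ev.ts, known[0], ev.ip))
    return report


if __name__ == "__main__":
    print(render_dhcpd_hosts(RESERVATIONS))
    for key, rows in audit(parse_events(SAMPLE_LOG), RESERVATIONS).items():
        print(f"{key}: {rows}")
```

On the sample log this reports one boot (srv-web01), one unknown client (the constructed laptop MAC on 10.20.0.150) and one mismatch (srv-db01 acked on 10.20.0.99 instead of 10.20.0.12). The `deny unknown-clients;` directive named in the generated comment is a real dhcpd option that refuses leases to MACs without a `host` entry; combined with this kind of log reconciliation it turns the DHCP server into a detection point rather than an exposure.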
stevenski (Author) commented:
Thanks for giving me options, Dave. I guess I was hoping for a solid answer as to 'why' as opposed to workarounds. Still, I learnt something. Cheers.
