Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.

Defining the goal is never a side track or a rabbit hole.

DustinB3403

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

But still true.

No, does not assume that.

Okay. . . it assumes whoever is wanting on the LAN either knows or can figure out the scope trivially.

scottalanmiller

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Best solution is not to worry about this. Getting an IP is not a security concern. You want to block unwanted devices from the network entirely. There is no reason to want to block handing out IP addresses as they can just assign a static one to work around that.

This is true, but it assumes that the know what the scope is, and what available IP addresses are there that can be used without being noticed.

But still true.

No, does not assume that.

Okay. . . it assumes whoever is wanting on the LAN either knows or can figure out the scope trivially.

As that is a completely trivial task, it's a safe assumption.

scottalanmiller

DHCP has no mechanisms for what is designed here because it'sa useless thing to do. It is what it is.

scottalanmiller

The only answer that I can think of is....

use whitelisting and have no open DHCP and just pre-assign every DHCP lease. But logically, I think going to static would almost make more sense here.

scottalanmiller

Purpose of DHCP: To allow unknown devices to connect to the network and get network data.
Question: How to make DHCP do the opposite of its purpose.

That's why this won't work well. It's trying to make DHCP do exactly the opposite of its intended purpose.

travisdh1

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.

When I came into my job as IT admin, all our servers and workstations and thin clients were statically mapped, like manually, the hard way (no DHCP reservation). It's taken me a while but I rolled out DHCP for all our thin clients and desktops and everything is a lot easier to manage.

One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.

BEFORE YOU SAY IT: Yes, I know that either way is not actually secure and I've tried explaining that someone with Wireshark could still sniff our traffic or use other tools to get onto our network, etc.

I have mentioned that I specifically don't patch in network jacks unless they are needed by someone and that there are no open jacks just hanging out on random walls where customers have easy access.

So now, I am trying to find out the best way to set up DHCP and have it so that only the people I want on our network can get on.

First and foremost, we run a 2008 R2 domain controller and that is also our DHCP server. I noticed in the DHCP settings that there is a "Network Access Protection" tab, which would work with Network Policy Server. I would assume this is the go-to method for this in a Windows domain, but I have never heard about it until now.

Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.

Sounds like you just need to pay for an hour of @scottalanmiller's time to explain how computer networks work in small words to your company management.

scottalanmiller

If security was teh goal, NAC is what is needed.

coliver

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

dave247

@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

MAC address filtering would be one way, albeit I think it would be a lot of work to setup.

https://technet.microsoft.com/en-us/library/dd759190(v=ws.11).aspx

But what about Network Access Protection policies for DHCP?

dave247

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

As in, on the switches or what? Sorry, please elaborate.

DustinB3403

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

As in, on the switches or what? Sorry, please elaborate.

NAC Network Access Control.

JaredBusch

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

coliver

I'm surprised that @scottalanmiller hasn't posted his LAN-Less video yet.

dave247

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

dave247

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

coliver

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

Wow... I know financial audits are crazy but that's the first time I've heard of that.

Look into a NAC solution. I've heard good things about PacketFence but Microsoft also has one. You'll need to ensure your switches support 802.1x for most of these solutions.

JaredBusch

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

coliver

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

It does yes. It's not bad and will, probably, do what you want. But it leaves a lot to be desired with reporting and actual usage can be a pain in the ass.

DustinB3403

BMW also had this kind of audit requirement and we simply took the point, and when it came to discussing it we sai the very same thing as @JaredBusch said.

And the point was removed because the "Audit" fails the "Logic Test".