Is there any sort of "Best Practices" paper for secure DHCP
implementation?
For example with a standard DHCP setup, what is to prevent someone from
sneaking into an empty office, jacking in an AirPort Express, and
sitting in
their car outside the building hacking away to their heart's content?
That
seems like something any script kiddie can pull off with minimal
effort.
DHCP isn't your security issue here, it is the ability for someone to
come in and plug a computer, or wireless access point (AirPort) into
your network without your authorization. Fix this before you worry
about the security issues of DHCP.
In the same light, what about someone that simply assigns an IP address
to their system and then plugs into your network. As long as this
address isn't in use at the same time, they will still have complete
access to your network.
If DHCP is just one big security risk, then what else is recommended?
We're
thinking of making our regular nodes all fixed IPs (but still NAT, of
course), and then opening up a small DHCP pool for guests. Hopefully
we can
then lock down that DHCP pool from having very much access to the
network or
even the internet.
If you are allowing a "small DHCP pool for guests", how will this be
any different than a large pool? People can drown in a mud puddle as
well as the Pacific Ocean.
How about only allowing only specific systems, identified by their MAC
or Ethernet addresses to obtain an IP address from your DHCP server?
This way, before someone can obtain an IP address from your server,
they will have to talk to you.
Or, if you are serious about security, many brands of network switches
can be programmed to only allow a specific computer (identified by it's
MAC/Ethernet address) to communicate on a particular port of the
switch. This controls who can even communicate on the network better
than worrying about handing out DHCP addresses. This is used to
prevent users from moving their computer from one location on the
network to another, such as between accounting and payroll, where the
network is segmented among different functional groups. In certain
situations this is a very important control mechanism.
Has anyone done anything like this? Is there a walkthrough the issues
involved and the steps necessary under OS X Server? Would that pool
need a
different subnet or even a different gateway?
If you are concerned about security, maybe you should consider moving
some of your functions off of your MacOS X server and put them on
dedicated hardware instead. MacOS X is very nice, but it isn't the
"best" firewall, or "best" DHCP server, or "best" anything (except for
AFP Server). If you are really concerned about the "best" part of
"best practices" then do so, but MacOS X is only a component of this
"best practices" and not a panacea for a well thought out operation.
