Enterprise security is a challenge, to say the least. And when you’ve got deployments running in an open network environment, your challenges multiply. Huawei’s enterprise networking architecture is designed to work across multiple public clouds and within single clouds.
BACKGROUND INFORMATION
Open networks differ from private ones in that the need for heightened security is more pronounced. Each terminal must be assigned an IP address, and the DHCP protocol was introduced to assign IP addresses dynamically to access users. DHCP locates and allocates an IP address for each user automatically, which reduces the administrator's workload. This convenience, however, has several security implications.
The convenience of DHCP is hard to overlook, but it also opens the door to more potential attacks. An attacker can run a DHCP server on a third-party PC and redirect guests of the open network to that rogue server, where the guests' traffic can be intercepted. Fortunately, this risk can be curbed by introducing the DHCP snooping feature.
WHAT IS DHCP SNOOPING?
DHCP snooping ensures that DHCP clients obtain IP addresses only from authorized DHCP servers. A DHCP snooping-enabled device also records the mappings between the IP addresses and MAC addresses of DHCP clients, which prevents a range of DHCP attacks on the network. It is a Layer 2 security technology integrated into the operating system of a capable network switch, which drops DHCP traffic determined to be unacceptable.
HOW DOES DHCP SNOOPING WORK?
Looking at a sample network such as the one illustrated in the diagram below, we see how guests obtain IP addresses from the DHCP server and use them to connect to the Internet.

When an attacker runs a spoofing DHCP server on the network, guests might obtain IP addresses from it, as illustrated in the figure below. Such rogue DHCP servers are often used for man-in-the-middle or denial-of-service attacks. In another common DoS scenario, an end user plugs a consumer-grade router in at their desk, not knowing that the device is a DHCP server by default.

In this situation, the guests' traffic is directed through the spoofing DHCP server, giving the attacker access to the guests' private information.
THE BENEFITS OF DHCP SNOOPING
With DHCP snooping, such attacks can be avoided. DHCP snooping drops DHCP messages from any DHCP server that is not trusted: only designated trusted DHCP servers are recognised, so guests obtain IP addresses from the real DHCP server, while replies from the rogue one are intercepted and blocked. In practice, DHCP server messages are dropped if they attempt to flow through a switch port that is not trusted.

In addition to blocking rogue DHCP servers, DHCP snooping has further benefits. It can drop messages that release a lease or decline an offer if the release or decline message is received on a switch port other than the one on which the original DHCP conversation was held. This is achieved by the DHCP snooping function analyzing and recording DHCP Request and Reply messages in a binding table. A binding entry contains the MAC address, IP address, interface number, and Virtual Local Area Network (VLAN) ID of the DHCP client.
Based on the binding table, the device drops bogus DHCP messages in which an attacker forges DHCP packets using a client's MAC address together with a different assigned IP address.
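To make these decisions concrete, here is a small added simulation, not code from the original article or from Huawei, of the filtering logic a DHCP snooping switch applies: server messages are accepted only from trusted ports, a binding is recorded from the REQUEST/ACK exchange, and a RELEASE or DECLINE is honoured only when it matches the bound MAC, IP, port and VLAN. The port names, MAC and IP addresses are constructed, and treating a client with no binding entry as forged is this example's own choice.

```python
from dataclasses import dataclass, field

@dataclass
class DhcpMsg:
    kind: str   # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    mac: str    # client hardware address (chaddr)
    ip: str     # yiaddr in an ACK, ciaddr in a RELEASE/DECLINE
    port: str   # switch port the frame arrived on
    vlan: int

@dataclass
class DhcpSnooping:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # mac -> (ip, port, vlan)
    pending: dict = field(default_factory=dict)   # mac -> (port, vlan) seen in REQUEST

    def handle(self, msg: DhcpMsg) -> str:
        """Return 'forward' or 'drop' for one DHCP message and update state."""
        if msg.kind in ("OFFER", "ACK", "NAK"):
            # Server-side messages are accepted only from trusted ports: a rogue server on an access port is silenced.
            if msg.port not in self.trusted_ports:
                return "drop"
            if msg.kind == "ACK" and msg.mac in self.pending:
                port, vlan = self.pending.pop(msg.mac)
                self.bindings[msg.mac] = (msg.ip, port, vlan)  # lease confirmed
            return "forward"
        if msg.kind == "REQUEST":
            self.pending[msg.mac] = (msg.port, msg.vlan)  # where the conversation started
            return "forward"
        if msg.kind in ("RELEASE", "DECLINE"):
            # Honour it only from the bound port/VLAN with the bound IP; anything else is treated as forged.
            if self.bindings.get(msg.mac) != (msg.ip, msg.port, msg.vlan):
                return "drop"
            del self.bindings[msg.mac]
            return "forward"
        return "forward"  # DISCOVER and other client traffic pass through

def demo() -> dict:
    """Constructed scenario: real server on uplink GE0/0/24, rogue server on access port GE0/0/7."""
    sw, guest, r = DhcpSnooping(trusted_ports={"GE0/0/24"}), "00:11:22:33:44:55", {}
    r["rogue_offer"] = sw.handle(DhcpMsg("OFFER", guest, "10.0.0.99", "GE0/0/7", 10))
    r["request"] = sw.handle(DhcpMsg("REQUEST", guest, "0.0.0.0", "GE0/0/1", 10))
    r["real_ack"] = sw.handle(DhcpMsg("ACK", guest, "10.0.0.50", "GE0/0/24", 10))
    r["binding"] = sw.bindings[guest]
    r["forged_release"] = sw.handle(DhcpMsg("RELEASE", guest, "10.0.0.50", "GE0/0/7", 10))
    r["wrong_ip"] = sw.handle(DhcpMsg("DECLINE", guest, "10.0.0.51", "GE0/0/1", 10))
    r["real_release"] = sw.handle(DhcpMsg("RELEASE", guest, "10.0.0.50", "GE0/0/1", 10))
    return r
```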
THE BOTTOM LINE
The DHCP snooping feature is particularly useful in an open network, and it is strongly recommended to implement it to block the attacks described above. From an enterprise network design perspective, DHCP snooping is an access-layer security feature. Used this way, it ensures that only whitelisted IP addresses may access the open network.
DHCP snooping is an important component of enterprise defence. By dropping traffic determined to be unacceptable, DHCP snooping lets you securely manage the network's IP address scopes and other TCP/IP settings, such as DNS and the default gateway, from the central DHCP server.
For large companies with hundreds of employees working in the office or remotely, each requiring an IP address, subnet mask, default gateway, DNS servers and other network settings, DHCP snooping is a critical "must have" network service.
In an increasingly interconnected environment, enterprises must stay on top of managing their guests by assigning, tracking and re-assigning IP addresses remotely, securely and easily.