
DHCP snooping
    
    Encyclopedia
    
In computer networking, DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN so that only clients with specific IP/MAC addresses have access to the network.
Description
DHCP snooping is a series of Layer 2 techniques that ensures IP integrity on a Layer 2 switched domain. It works with information from a DHCP server to:
- Track the physical location of hosts.
- Ensure that hosts only use the IP addresses assigned to them.
- Ensure that only authorized DHCP servers are accessible.
With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.
DHCP snooping also can prevent attackers from adding their own DHCP servers to the network. An attacker-controlled DHCP server could cause malfunction of the network or even control it.
DHCP snooping is an important component in the defense against ARP spoofing. ARP security checks the IP address in the Source Protocol Address field of ARP packets. If that IP address is not one that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP packet, the ARP packet is dropped.
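As an added illustration (not code from this article or from any switch vendor), the following Python model shows the three jobs listed above together with the ARP check: a binding table built from DHCP exchanges completed by an authorized server on a trusted port, server replies dropped when they arrive on untrusted access ports, and ARP packets judged against the bindings of their ingress port. The port names, MAC and IP addresses and message dictionaries are constructed for this example.

```python
from dataclasses import dataclass, field

# Added example, not code from the article or from any switch vendor: a minimal
# model of a switch's DHCP snooping binding table and the ARP check described
# above. Port names, MAC/IP values and message fields are constructed.

@dataclass
class SnoopingSwitch:
    trusted_ports: set                                # uplinks toward authorized DHCP servers
    client_ports: dict = field(default_factory=dict)  # client MAC -> access port it spoke from
    bindings: dict = field(default_factory=dict)      # (MAC, leased IP) -> port the lease belongs to

    def handle_dhcp(self, port, msg):
        """Filter one DHCP message seen on `port`; returns 'forward' or 'drop'."""
        if msg["op"] in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return "drop"  # server reply on an access port: unauthorized DHCP server
            if msg["op"] == "ACK" and msg["chaddr"] in self.client_ports:
                # Lease confirmed by an authorized server: bind the client's MAC
                # and leased IP to the port its DISCOVER/REQUEST arrived on.
                self.bindings[(msg["chaddr"], msg["yiaddr"])] = self.client_ports[msg["chaddr"]]
        else:
            self.client_ports[msg["chaddr"]] = port  # DISCOVER/REQUEST: learn the client's port
        return "forward"

    def check_arp(self, port, sender_mac, sender_ip):
        """ARP security check: sender MAC/IP must be bound to the ingress port."""
        return self.bindings.get((sender_mac, sender_ip)) == port


def demo():
    """Constructed exchange: one legitimate lease, then packets the switch must judge."""
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    client = "aa:aa:aa:aa:aa:01"
    sw.handle_dhcp("Gi1", {"op": "DISCOVER", "chaddr": client})
    sw.handle_dhcp("uplink1", {"op": "ACK", "chaddr": client, "yiaddr": "10.0.0.20"})
    return {
        # OFFER arriving on an access port comes from an unauthorized server: dropped.
        "rogue_offer": sw.handle_dhcp("Gi2", {"op": "OFFER", "chaddr": "aa:aa:aa:aa:aa:02",
                                              "yiaddr": "10.0.0.99"}),
        # The leased host announcing its own IP on its own port: accepted.
        "valid_arp": sw.check_arp("Gi1", client, "10.0.0.20"),
        # Another port claiming the same IP (ARP spoofing): dropped.
        "spoofed_arp": sw.check_arp("Gi2", "aa:aa:aa:aa:aa:02", "10.0.0.20"),
        # The binding is tied to Gi1, so the same MAC/IP seen on Gi3 is also dropped.
        "moved_arp": sw.check_arp("Gi3", client, "10.0.0.20"),
    }
```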
Implementations
An open source solution is ArpON, a portable handler daemon that helps secure the ARP protocol in order to prevent Man In The Middle (MITM) attacks carried out through ARP Spoofing, ARP Cache Poisoning and ARP Poison Routing (APR). It also blocks the attacks derived from these, such as sniffing, hijacking, injection and filtering, and the more complex attacks built on them, such as DNS spoofing, web spoofing, session hijacking and SSL/TLS hijacking.
External links
- ArpON home page
- Configure your Catalyst to be more secure http://www.enterprisenetworkingplanet.com/netsecur/print.php/3462211


