This article provides recommendations for securing the DHCP server.
Following are security considerations when you choose to run DHCP on your
system:
- Restrict the number of users who have authority to administer DHCP. Administering
DHCP requires the following authority:
- Evaluate how physically accessible your LAN is. Could an outsider easily
walk into your location with a laptop and physically connect it to your LAN?
If this is an exposure, DHCP provides the capability to create a list of clients
(hardware addresses) that the DHCP server will configure. When you use this
feature, you remove some of the productivity benefit that DHCP provides to
your network administrators. However, you prevent the system from configuring
unknown workstations.
- If possible, use a pool of IP addresses that is reusable (not architected
for the Internet). This helps prevent a workstation from outside your network
from gaining usable configuration information from the server.
- Use the DHCP exit points if you need additional security protection. Following
is an overview of the exit points and their capabilities.
- Port entry
- The system calls your exit program whenever it reads a data packet from
port 67 (the DHCP port). Your exit program receives the full data packet.
It can decide whether the system should process or discard the packet. You
can use this exit point when existing DHCP screening features are not sufficient
for your needs.
- Address assignment
- The system calls your exit program whenever DHCP formally assigns an address
to a client.
- Address release
- The system calls your exit program whenever DHCP formally releases an
address and places it back in the address pool.