
Message from ahockett@warnerpacific.edu

All ~

 

Upon coming back from a nice break from work, we ended up having issues with a rogue DHCP server spewing out 192.168.x.x addresses on our student VLAN.  The way our network is set up right now is that we are allowing any and all traffic over our employee VLAN and our student VLAN.  Yes, we have plans to clamp this down to truly segment the traffic, but this led me to ask the listserv how people deal with rogue DHCP servers.  Also, do you have a plan in place that allows students to have a WAP on the student VLAN without any disruption to the other students’ network access?

 

So the tl;dr:

- How do you address/find/monitor for rogue DHCP servers?

- How do you deal with them once found? (Like best troubleshooting steps once the MAC address is found)

- How do you allow or disallow NAT’ed WAPs’ interference with normal network operations?

 

Thanks.

 

-Aaron

 

 

mysteries made known

Aaron Hockett
Network Systems and Securities Manager 

Warner Pacific College
2219 SE 68th Ave.
Portland, OR 97215
 

ahockett@warnerpacific.edu
www.warnerpacific.edu 

tel:
fax:

503-517-1203

503-517-1352

 

This message is intended for the sole use of the individual to whom it is addressed. It may contain information that is privileged, confidential or exempt from disclosure under applicable laws. If you are not the intended addressee you are hereby notified that you may not use, copy, disclose, or distribute to anyone this message or any information contained within this message. If you have received this message in error, please immediately advise the sender by replying to this email and delete this message.

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

Aaron,

Most switch vendors have a dhcp_snooping service that will block any dhcp service from any untrusted port.  Cisco and HP do.  If you enable that service appropriately, you should never have this problem.  I would expect other vendors to support this feature as well.

Tim

 

Message from fkass@mtholyoke.edu

Hi Aaron,

I use DHCP Snooping on Cisco switches (I know HP Procurve and Juniper have the same ability):

(That is the 6500 doc but they have a doc for most modern models of Cisco switches)

This blocks all DHCP servers from unauthorized ports and also can log them to a syslog server.  Then I have a script which alerts me to the attempts, and if they go on for a while I email the students in the room (and suggest that if they don't fix it we will shut off the port).

We currently allow NAT WAPs in our dorms but strongly discourage their use.  Our dorm wireless coverage is pretty good so I think I only have about 5 of them (They need to register them with us for them to work due to the way our NAC works).

-Fred

P.S. If you are running Cisco I also highly recommend using bpduguard for taking out looped ports as well.
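Fred's alerting script is not shown, so here is an added example, not Fred's code or anything from the thread, of the kind of script he describes: it reads the syslog lines DHCP snooping produces when it drops a server message on an untrusted port, counts drops per switch and source MAC, raises an alert once a MAC keeps at it past a threshold, and resolves the offending port from a MAC-table lookup so the right room can be contacted. The log lines, hostnames, MAC addresses and the MAC-table dictionary are all constructed; the message text approximates Cisco's DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT syslog and should be adjusted to whatever the switches actually emit.

```python
import re
from collections import Counter

# Constructed sample syslog input (not from the thread). The message shape
# approximates the Cisco DHCP snooping "drop on untrusted port" log; the
# switch names, sequence numbers and MAC addresses are made up.
SAMPLE_SYSLOG = """\
Jan 17 12:01:05 dorm-sw-3 1234: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan 17 12:01:09 dorm-sw-3 1235: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
Jan 17 12:03:44 dorm-sw-3 1236: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
Jan 17 12:05:00 dorm-sw-7 5550: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: aabb.ccdd.eeff
Jan 17 12:05:01 dorm-sw-3 1237: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
"""

# Constructed stand-in for a per-switch `show mac address-table` lookup:
# (switch, MAC in colon form) -> port the MAC was learned on.
SAMPLE_MAC_TABLE = {
    ("dorm-sw-3", "00:11:22:33:44:55"): "Gi1/0/12",
}

DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<switch>\S+) .*?"
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: .*?"
    r"message type: (?P<msg_type>DHCP\w+), MAC sa: (?P<mac>[0-9a-fA-F.:]+)"
)


def normalize_mac(mac):
    """Convert Cisco dotted (0011.2233.4455) or colon form to lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_snooping_drops(text):
    """Extract one event dict per snooping-drop line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue  # link-state messages and anything else we do not care about
        events.append({"ts": m["ts"], "switch": m["switch"],
                       "msg_type": m["msg_type"], "mac": normalize_mac(m["mac"])})
    return events


def count_offenders(events):
    """Number of dropped server messages per (switch, source MAC)."""
    return Counter((e["switch"], e["mac"]) for e in events)


def build_alerts(events, threshold, mac_table):
    """One alert per (switch, MAC) that reached `threshold` drops, with the port if known."""
    alerts = []
    for (switch, mac), n in sorted(count_offenders(events).items()):
        if n < threshold:
            continue  # a one-off drop is noise, not a rogue that 'goes on for a while'
        alerts.append({"switch": switch, "mac": mac, "drops": n,
                       "port": mac_table.get((switch, mac), "unknown")})
    return alerts


if __name__ == "__main__":
    for a in build_alerts(parse_snooping_drops(SAMPLE_SYSLOG), 3, SAMPLE_MAC_TABLE):
        print(f"ALERT {a['switch']} port {a['port']}: {a['mac']} had {a['drops']} server messages dropped")
```

Fed from a real syslog file, the threshold keeps a one-off drop (a router briefly plugged in the wrong way round) from paging anyone, while the port lookup gives the first troubleshooting step once a MAC is known.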

Message from ahockett@warnerpacific.edu

All,

 

Thanks for the feedback.  Our Juniper EX4200 does have DHCP Snooping and I am doing some research on turning that on for our respective VLANs.  I’m assuming this is generally the best practice as it limits DHCPREQUEST packets to be inspected and only come and go from one MAC address, correct?

 

-Aaron

 


 

Message from chickernell@clarion.edu

We also have implemented DHCP Snooping on our Cisco network.  We do not actively find or monitor for rogue DHCP servers—DHCP snooping has done well for this.

 

We do not permit personally owned wireless APs/routers on campus to avoid interference with the enterprise wireless.  Students that live in halls without wireless complain about this policy, but when their Internet gets disabled and they get documented because someone else was sharing music over their personal access point—they understand why we have this policy.

 

Christopher Hickernell, CCNA, MCSE

Network Support Specialist, ResNet Manager

Clarion University of Pennsylvania

Center for Computing Services

G-13 Still Hall, Clarion, PA 16214

chickernell@clarion.edu | 814.393.2218

 

Aaron,

In HP world, you simply configure every port for dhcp_snooping as untrusted except for the port that the DHCP server is actually plugged into and any uplink ports.  You should also be able to set an authorized-server to the IP address of your DHCP server.  I don’t think you will need to do anything with MAC addresses.

Tim

 


 

Message from dyoung@mesd.k12.or.us

Message from ahockett@warnerpacific.edu

Hey Dan,

 

Thanks for the follow up.

 

It actually wasn’t as hard as I originally thought.  I actually set up the DHCP snooping in the WebUI.

 

For those curious:

Configure-> Security -> Port Security.

 

Down below, notice the interface list.  Find the interface your DHCP server is on.  Edit that port.

 

Choose Trust DHCP.

MAC Limit: 1 (unless it is served by multiple NICs)

MAC Limit Action: log

Allowed MAC addresses: put in your DC’s MAC address.

 

Then go up to VLAN list above and choose your default employee VLAN.

Simply put a check in the box for “Enable DHCP snooping on VLAN” and click OK and commit.

 

I probably would’ve done it in the CLI, but I’ve been bouncing around so many screens today this was just easier to set up.  At the end of the day, this forces DHCPREQUEST checks on Port X on my EX4200 from MAC Address XX:XX:XX:XX:XX:XX and logs anything that tries to do otherwise.

 

Also—in terms of spoofing, I’m guessing that unless the DHCPREQUEST packet is coming from Port X, MAC Address XX…, then it simply logs and drops it, correct?

 

-Aaron

 

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dan Young
Sent: Tuesday, January 17, 2012 2:24 PM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Hunting down rogue DHCP servers as well as allowing them.

 

I think this is different from vendor to vendor, but I believe it should log the action, drop the packet, and possibly shut the port down. I'm using Cisco and Brocade switches, and monitor the DHCP snooping through syslog messages sent to our Zenoss NMS. If a rogue is detected, Zenoss will send me an alert.

Something I ran into that you might be wary of is DHCP option 82. When I first turned on DHCP some clients weren't getting addresses because the switches were trying to insert option 82 (location information) into the DHCP packets. Again, each vendor will be different, just an FYI.

Heath

On 1/17/2012 4:37 PM, Aaron Hockett wrote:

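To make concrete what the switch is doing with the settings Aaron describes (a trusted server port with a MAC limit and an allowed MAC, snooping enabled on the VLAN) and the log-then-drop behaviour Heath describes, here is an added Python model of the two checks. It is example code, not Junos, Cisco or Brocade logic and not from the thread: server-side messages (OFFER, ACK, NAK, i.e. BOOTP op 2) are dropped and logged unless they arrive on a trusted port, and a trusted port with a MAC limit and allowed-MAC list logs or drops other senders according to its configured action. The packets, MAC addresses and port names are constructed; how the MAC limit and allowed list combine, and the choice that action "log" still forwards the frame, are this model's own assumptions, since, as Heath notes, each vendor behaves differently.

```python
from dataclasses import dataclass
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2                       # BOOTP 'op' field
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # RFC 2132 options cookie


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp(op, chaddr, msg_type):
    """Constructed minimal DHCP payload: 236-byte BOOTP header, cookie, option 53, END."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = op, 1, 6               # op, htype=Ethernet, hlen=6
    hdr[28:34] = chaddr                             # client hardware address
    return bytes(hdr) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (op, chaddr, msg_type) from a DHCP payload; ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options up to END
        if payload[i] == 0:                         # PAD option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    if msg_type is None:
        raise ValueError("no DHCP message type (option 53)")
    return payload[0], bytes(payload[28:34]), msg_type


@dataclass
class PortPolicy:
    trusted: bool = False                 # may carry server messages (OFFER/ACK/NAK)
    mac_limit: Optional[int] = None       # max distinct source MACs before the action fires
    allowed_macs: frozenset = frozenset() # explicitly permitted senders (empty = no list)
    action: str = "log"                   # "log" (forward but record) or "drop"


class SnoopingSwitch:
    def __init__(self, policies):
        self.policies = policies          # port name -> PortPolicy; unlisted ports are untrusted
        self.seen = {}                    # port -> set of source MACs observed
        self.bindings = {}                # client MAC -> port (the snooping binding table)
        self.log = []

    def ingress(self, port, src_mac, payload):
        """Apply the snooping rules to one DHCP frame; return 'forward' or 'drop'."""
        op, chaddr, msg_type = parse_dhcp(payload)
        name = MSG_NAMES.get(msg_type, f"type{msg_type}")
        pol = self.policies.get(port, PortPolicy())
        # Rule 1, the core of DHCP snooping: server replies only from trusted ports.
        if op == BOOTREPLY and not pol.trusted:
            self.log.append(f"DROP {name} from {src_mac} on untrusted port {port}")
            return "drop"
        # Rule 2 (model's assumption): per-port MAC limit and allowed list, as configured in the thread.
        macs = self.seen.setdefault(port, set())
        macs.add(src_mac)
        over_limit = pol.mac_limit is not None and len(macs) > pol.mac_limit
        not_allowed = bool(pol.allowed_macs) and src_mac not in pol.allowed_macs
        if over_limit or not_allowed:
            self.log.append(f"MAC-VIOLATION {src_mac} on {port} ({name}), action={pol.action}")
            if pol.action == "drop":
                return "drop"
        if op == BOOTREQUEST:             # client messages populate the binding table
            self.bindings[mac_str(chaddr)] = port
        return "forward"


# Constructed scenario: one trusted server port, one student-facing port.
SERVER_MAC, CLIENT_MAC, ROGUE_MAC = "00:aa:00:00:00:01", "00:cc:00:00:00:07", "00:bb:00:00:00:99"
SERVER_RAW, CLIENT_RAW, ROGUE_RAW = (bytes.fromhex(m.replace(":", ""))
                                     for m in (SERVER_MAC, CLIENT_MAC, ROGUE_MAC))


def run_scenario():
    """Replay four frames through the model; returns the per-frame verdicts and the switch."""
    sw = SnoopingSwitch({
        "ge-0/0/1": PortPolicy(trusted=True, mac_limit=1, allowed_macs=frozenset({SERVER_MAC})),
        "ge-0/0/12": PortPolicy(trusted=False),
    })
    results = [
        sw.ingress("ge-0/0/12", CLIENT_MAC, build_dhcp(BOOTREQUEST, CLIENT_RAW, 1)),  # DISCOVER
        sw.ingress("ge-0/0/1", SERVER_MAC, build_dhcp(BOOTREPLY, CLIENT_RAW, 2)),     # real OFFER
        sw.ingress("ge-0/0/12", ROGUE_MAC, build_dhcp(BOOTREPLY, CLIENT_RAW, 2)),     # rogue OFFER
        sw.ingress("ge-0/0/1", ROGUE_MAC, build_dhcp(BOOTREPLY, CLIENT_RAW, 2)),      # wrong MAC, trusted port
    ]
    return results, sw


if __name__ == "__main__":
    results, sw = run_scenario()
    print(results)
    print("\n".join(sw.log))
    print(sw.bindings)
```

Note that the check which stops a rogue server keys on message direction (a reply arriving on an untrusted port), not on DHCPREQUEST from a particular MAC; client requests are forwarded from any port and only populate the binding table, which is what later features such as IP source guard and dynamic ARP inspection consult.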

 

Message from dyoung@mesd.k12.or.us

We use Cisco DHCP snooping to prevent rogue DHCP servers.

Cisco's NAC solution disallows NAT'd wireless routers. We do this in the dorms so we can see every single MAC address on the network and account for the owner.

On 1/17/2012 3:40 PM, Aaron Hockett wrote:



--
Vlade Ristevski
Network Manager, IT Services
Ramapo College
(201)-684-6854

Message from jhealy@logn.net

On Jan 18, 2012, at 4:05 PM, Dan Young wrote:
Message from peter.charbonneau@williams.edu

We use PacketFence as our NAC solution; we transitioned to PF from Cisco's VMPS.

PacketFence alerts us to rogue DHCP servers, and can turn the appropriate port off; we have purposely chosen not to implement that functionality for political reasons.

We might see up to 3/4 reported rogues during the school year that we investigate.  I see many more over the summer with conference and Theater Festival people here, but PF is a good reporter.

PeteC

 
Here's a Cisco article on "Layer 2 Attacks & Mitigation Techniques" which covers handling rogue DHCP servers, among other things.  Plenty of configuration examples and good descriptions of different kinds of attacks.
http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf

Ted Fines
Macalester College
