Static addressing is NOT a security measure
By stretch | Monday, November 24, 2008 at 5:53 a.m. UTC
Every so often I'll find myself discussing some aspect of network address architecture and the matter of static versus dynamic addressing will surface. Each approach has benefits and drawbacks. However, I wanted to debunk a myth that has always irked me: static addressing is not a security measure.
Some people argue that DHCP exposes a vulnerability because it allows an attacker who connects to your network to automatically receive a valid address. This is akin to asserting that rolling up the windows of your car will protect it from being stolen. Anyone with layer two connectivity to your network is free to send packets from whatever address he choses, valid or not. (Whether those packets actually make it anywhere depends on the access controls applied to the infrastructure itself.) Additionally, any intruder with half a clue will have no problem finding a valid source IP address on a statically-assigned network if that's what he needs.
Most of the audience is already well aware of these facts, and understands that static addressing offers no advantage over DHCP in terms of securing a network. However, I'd like to reverse the argument and offer that DHCP can actually offer better security than static addressing, through the use of IP source guard and Dynamic ARP Inspection (DAI) on Cisco switches. Traffic can be restricted on layer two ports so that only packets with a valid IP source address (assigned via DHCP) are allowed onto the network.
I'm curious whether any readers have faced a similar argument in their work, on either side, or if anyone can provide an opposing viewpoint. Comments?
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Opinion
November 24, 2008 at 6:35 a.m. UTC
I worked in France, mostly for Aeronautics clients, and I have seen both attitudes. The idea that static IP is more secured than dynamic assignation is still well spread. I guess the best way to change minds is to demonstrate.
Some clients though, have DHCP servers running but, at least where I have been working, DHCP Snooping, IP Source Guard and DAI are merely never implemented. I guess the reason why is that it is very rare that all switches, especially the one closest to the users, support these features.
The bad thing with Cisco gear is that those features only appear on 3XXX series, if you have 2960 for users’ connectivity, you're done.
It is too bad; ARP spoofing/cache poisoning is so simple to do.
Do you guys have ever set these features in a production environment?
November 24, 2008 at 7:31 a.m. UTC
I've never heard the static vs. dynamic IP security argument before. I've been in the industry 10 years. I thought I had seen and heard everything!
Silly argument though.
Just for the record, the 2960 does support DHCP snooping. DAI and IP Source Guard are only on the 3560+
November 24, 2008 at 8:45 a.m. UTC
This would be the same people that believe that NAT is a security feature. In fact, NAT hides the identity of the source thus making it easier to break into sessions.
November 24, 2008 at 10:55 a.m. UTC
It doesn't really matter whether you use static routes or DHCP, the security threat is the same?
In our environment we configure the following security at layer 2:
- Vlan 1 restriction
- DHCP Snooping
- Dynamic Arp Inspection
- MAC Security
- BPDU filtering
If we have voice vlans then security ACLs are also implemented at the core to keep data and voice separate. If we do not have IP Phones at layer 2, we also disable CDP and DTP as they are also a potential security risk.
Personally, I think it is good practice to implement the above where ever possible. You never know?
November 24, 2008 at 11:06 a.m. UTC
I remember very heated debates on static vs. dynamic and I'm glad we changed to DHCP. No negative security implications so far. Option82 is also worth mentioning in hat context =)
November 24, 2008 at 3:35 p.m. UTC
And in a big organization, managing static ip address is almost impossible ( at least in the lan ). But when used in a server dmz i usualy prefer to use static addressing.
November 25, 2008 at 3:13 p.m. UTC
I have to agree with you, DHCP would be more of a security measure then assigning a static IP would be. The only reason I can see static IP assignment being a security measure is you have a better idea of where your endpoints are on the network without having to perform a ping sweep. The management and upkeep of documentation, even in a small environment isn't worth it though. Most admins dislike updating documentation, so how many are really going to add and remove IPs from a spreadsheet on a regular basis?
November 26, 2008 at 5:52 a.m. UTC
My step-dad works at a university that manages all IP addresses and MAC addresses in Excel spreadsheets.
They also have a public /16 for around ~2000-3000 computers. rolls eyes
December 16, 2008 at 5:49 a.m. UTC
disclaimer - i'm not network admin.
how do you solve a problem of monitoring client computers when products like Websense, MS ISA, Solarwinds rely on IP rather than computer name...