DHCP Security Leak

Carl Karsten carl at personnelware.com
Thu May 3 05:07:02 UTC 2007


Stephen John Smoogen wrote:
> On 5/2/07, guru.bidari at sirvisetti.com <guru.bidari at sirvisetti.com> wrote:
>>>> Date: Tue, 1 May 2007 16:19:00 -0400 (EDT)
>>>> Subject: DHCP Security Leak
>>>> From: guru.bidari at sirvisetti.com
>>>> To: dhcp-users at isc.org
>>>>
>>>> Hi
>>>>
>>>> In our infrastructure we are using DHCP; with the system-defined lease
>>>> period (24 hours), the IP address of the PC is refreshed.
>>>>
>>>> We are using one product called auto print; the way it works, we think
>>>> we have a security leak.
>>>>
>>>> After a user has scheduled a job and logged out before the job is finished
>>>> and FTP-ed, it is possible that another user gets that IP address before
>>>> the output is processed.
>>>>
>>>> This is more of an issue when a concurrent request is re-scheduled to run
>>>> at an interval.
>>>>
>>>> So we think that it is a leak that another user on a different PC can get
>>>> the output of that request, because that PC has leased the IP address
>>>> now.
>>>>
>>>> Please provide us the solution to overcome this security leak.
>>> Instead of ftp back to the original PC, ftp to the user's directory on
>>> a server. Set up the permissions so that only that user can read the
>>> files in the given directory.
>>>
>>> This is an application problem, not a DHCP problem.
>>>
>>> regards,
>>> -glenn
>> We are using the server to FTP it to the directory, and permissions are set
>> properly for each individual user. The problem, we think, is a leak: another
>> user on a different PC can get the output of that request, because that PC
>> has leased the IP address.
>>
> 
> The only solutions I could see to this is:
> 
> 1) Get a different Oracle product that uses SFTP versus FTP.
> 
> 2) Use a network switch topology that locks MAC address -> port
> 
> 3) Use static MAC-address-to-IP-address mappings in DHCP so that you do not
> give out IP addresses to the wrong system
> 
> 4) Have a larger pool of DHCP addresses so that DHCP does not believe
> it needs to re-issue a lease due to pool exhaustion.

This is assuming there is a problem that needs a solution.  I am not convinced 
there is a problem.  (other than there is too much "we think" going on :)

Carl K
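[Editor's note: the ISC dhcpd.conf fragment below is an added example and is not part of the thread. It shows what suggestions 3 and 4 above look like in practice for ISC DHCP: a large dynamic pool that excludes known hosts, plus one host reservation per PC that submits auto print jobs, so a given MAC address always gets the same IP address and a recycled lease cannot hand that address to a different machine. The subnet, addresses and MAC addresses are made up (documentation ranges). A reservation prevents accidental reuse only; it does not stop a client that deliberately spoofs another PC's MAC address, which is what the switch port locking in suggestion 2 is for, and it does nothing for output that is still delivered by plain FTP.]

```conf
# Added example (not from the thread): ISC dhcpd.conf fragment for
# suggestions 3 and 4. All addresses below are made-up documentation values.

default-lease-time 86400;   # 24 h, the lease period named in the original post
max-lease-time     86400;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;

    # Suggestion 4: keep the dynamic pool large relative to the number of
    # clients so the server is never forced to recycle a just-expired lease.
    pool {
        range 192.0.2.100 192.0.2.250;
        # Clients with a host declaration below must use their fixed address;
        # they are not handed a dynamic one from this pool.
        deny known-clients;
    }
}

# Suggestion 3: one reservation per PC that submits auto print jobs.
# The MAC address maps to a fixed IP address outside the dynamic range,
# so output addressed to that IP cannot reach another machine that picked
# up a recycled lease.
host print-user-pc1 {
    hardware ethernet 00:00:5e:00:53:01;   # example MAC (documentation range)
    fixed-address 192.0.2.11;
}

host print-user-pc2 {
    hardware ethernet 00:00:5e:00:53:02;   # example MAC (documentation range)
    fixed-address 192.0.2.12;
}
```

After editing, check the file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the server; a reservation whose fixed-address falls inside the `range` of the pool is a common mistake and should be avoided, since the dynamic range and the reserved addresses must not overlap.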
