DHCP vs. Static IP Addressing

  • How do DHCP and Static IP addressing compare, from a security standpoint? What are the risks/benefits associated with each?

    I know the preferred solution between the two will vary with network size and layout, but I'm just looking for a more general explanation of how they compare.

    Please answer from a security standpoint alone - disregarding topics such as network overhead and infrastructure costs, unless they directly and significantly affect the Confidentiality, Integrity, or Availability of the system.

  • DHCP offers do leak some information about a network. The options contained reveal certain details about network layout and infrastructure, which is what DHCP is designed to do. Static assignment offers none of this detail.

    The threat here is unauthorized connection to the network. That can be either a device plugging into a live network jack or a wireless client gaining access to a WLAN. Once the unauthorized connection has taken place the ability of the attacker to do anything once they have connected is where DHCP vs. Static comes into play.

    DHCP with MAC registration is the most robust DHCP model. It doesn't offer addresses to any MAC it hasn't been told about, so in theory unauthorized devices won't be offered information. The same holds true for static assignment, there is no server to ask for addressing.

    DHCP without MAC registration will allow unauthorized devices to consume an IP address.

    MAC registration requires all new devices of any type to be registered with the DHCP system which can significantly increase how long it takes for a new device to be functional. Not all network devices have their MAC posted where they can be easily read, so some edge-case devices may require some bench testing to figure out what MAC they're using. Plug-and-go won't work (by design!). Additionally, if existing devices have their network cards swapped out for some reason, technicians will have to remember to re-register the new MAC. Deregistration of old MACs is a critical step of this process, and often missed until a DHCP scope fills.

    There are a couple of attacks that make DHCP with MAC registration less useful. If an attacker can place a bridge between an authorized device and its network port (such as a laptop with two NICs) it can figure out that device's MAC address very simply. Any traffic monitored in this way will reveal the MAC address of the authorized device. Most network cards allow changing the MAC address, so all the attacker has to do is change the MAC on one of their NICs, unplug the authorized device, plug their re-numbered device in, and get access on a registered MAC.

    On wireless, once an attacker has successfully broken into a WLAN to the point where they can monitor the airwaves; gaining MAC information is similarly easy.

    The defense for this is Network Access Control. In order to talk to the network the attached device needs to be able to authenticate at a machine level. This defends against unauthorized devices attaching to a network as it prevents significant network conversation from happening. In the above scenario, the attacker's device would be denied access. Not all devices CAN use NAC, notably network-attached printers, so an attacker can focus on those devices, which means that network-disconnection events need to be monitored on those ports.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used