Subscriber Discussion

DHCP Reserved Addressing And Network Security

lg
lachlan gordon
Apr 26, 2015

Hi all,

We're currently having our network reconfigured as we bring our analogue system into a digital model.

One question which i had refers to the network security. I manage a city surveillance project and as of such have many remote links. Some of which are spread across wireless networks (firetide) and remote fibre nodes.

Although i understand the benefit of having static ip addresses.... for security would it not be better to have a dhcp server setup and then have dhcp snooping set across network switches/devices?

My 'fear' if you call it that, is that someone could plug into one of the remote cameras, use a manufacturer scanning tool to pick the ip, set their pc to the ip range and then gain access to one side of my network.

There will be segregation with vlans however looking for something a little more secure.

Any suggestions/ideas to the above?

U
Undisclosed #1
Apr 26, 2015
IPVMU Certified

My 'fear' if you call it that, is that someone could plug into one of the remote cameras, use a manufacturer scanning tool to pick the ip, set their pc to the ip range and then gain access to one side of my network.

Hi Iachlan.

I'm confused because I'm not sure how DHCP helps you in this case. Regardless of whether it is a statically or dynamically assigned IP, it could still be sniffed just as easily, no?

lg
lachlan gordon
Apr 26, 2015

With dhcp you're locking the ip to a mac address. That means the second a replica ip tries to jump on with a conflicting mac address the alarms would ring?

(or in my head it works along those lines)

U
Undisclosed #1
Apr 26, 2015
IPVMU Certified

Sure, or you could just restrict access by MAC address, and no one other devices could get on. Though you don't need DHCP to do that.

However, if you are planning for a contingency where someone is using a sniffing tool, then you should assume they will spoof both the MAC and the IP to gain access.

Therefore, for that level of security, you should look into 802.1x, which is a port authentication protocol that can use digital certificates to grant or deny access.

(2)
SN
Steve Nauman
Apr 27, 2015

Just to add a bit more explicit of an agreement than the agree button, port-based network access control is quite literally exactly what you're looking for: preventing people who have plugged into a port on your network from being able to do anything on it.

RV
Radu Vadeanu
Apr 26, 2015

I think that DHCP + MAC address is the way to go on network side and tamper alarms on VMS side. All the free network ports looked or blocked by network admin .

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions