Getting DHCP to Different Segments

Will

We want to put our AD domain controllers behind a firewall on a dedicated
network segment. If we do this, however, now DHCP on the AD stops working
because DHCP clients need to be on the same segment as the server.

One question I have is: does DHCP, as Microsoft implements it, require that
TCP/IP be activated on the Ethernet card? It looks like the answer is yes,
and that's a shame, since DHCP lives below IP and in theory should not require
it to be active. If we could deactivate IP on an Ethernet segment, then we
could place a second port on the AD DHCP server onto the local segment that
has the clients and let DHCP do its thing without worrying about IP attacks
against the AD server.

Does anyone make a DHCP relay that does not require installation on the
firewall itself? I realize Microsoft has a DHCP relay, but all of the
install instructions I have seen place it on the ISA Server directly. I
would prefer to not have servers running on a firewall because they
represent just one more potential for hacking the firewall. My
preference would be to find a relay that would reside outside the firewall -
on the client network - that would then pass through requests to a
counterpart on the protected network that could then impersonate the clients
and make DHCP requests on their behalf to the true DHCP server. That lets
me configure a security rule on the firewall between the client and server
portions of the DHCP relay, and keeps software off the firewall itself.

If someone knows of a third-party product that does this, or maybe some simple
UNIX-based software, that would work as well. A feature I would like to
see on this product is automatic notification by e-mail whenever a rogue MAC
address either requests an IP address, or even attempts to use the network.
If we put the DHCP relay on a sniffer port of the network switch, it could
scan all of the ARP activity on the segment and look for unauthorized MAC
addresses.
 
Ian

Will said:
We want to put our AD domain controllers behind a firewall on a dedicated
network segment. If we do this, however, now DHCP on the AD stops working
because DHCP clients need to be on the same segment as the server.

One question I have is: does DHCP, as Microsoft implements it, require that
TCP/IP be activated on the Ethernet card? It looks like the answer is yes,
and that's a shame, since DHCP lives below IP and in theory should not require
it to be active. If we could deactivate IP on an Ethernet segment, then we
could place a second port on the AD DHCP server onto the local segment that
has the clients and let DHCP do its thing without worrying about IP attacks
against the AD server.

Does anyone make a DHCP relay that does not require installation on the
firewall itself? I realize Microsoft has a DHCP relay, but all of the
install instructions I have seen place it on the ISA Server directly. I
would prefer to not have servers running on a firewall because they
represent just one more potential for hacking the firewall. My
preference would be to find a relay that would reside outside the firewall -
on the client network - that would then pass through requests to a
counterpart on the protected network that could then impersonate the clients
and make DHCP requests on their behalf to the true DHCP server. That lets
me configure a security rule on the firewall between the client and server
portions of the DHCP relay, and keeps software off the firewall itself.

If someone knows of a third-party product that does this, or maybe some simple
UNIX-based software, that would work as well. A feature I would like to
see on this product is automatic notification by e-mail whenever a rogue MAC
address either requests an IP address, or even attempts to use the network.
If we put the DHCP relay on a sniffer port of the network switch, it could
scan all of the ARP activity on the segment and look for unauthorized MAC
addresses.

DHCP Relay Agent will let you specify what card to listen on. Is that
what you are trying to achieve?

Does this help?
http://www.internetaccessmonitor.co...ents/Enabling_DHCP_Relay_for_DMZ_Segments.php
 
Chris Hills

Will said:
... DHCP clients need to be on the same segment as the server.

This is not true. Most routers/L3 switches manufactured support DHCP
relay, which relays the DHCP request to a specific DHCP server. This way
you can provide DHCP service for any number of subnets using a single
DHCP server.
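To make concrete what the relay in the reply above actually does on the wire, here is an added example (not code from the thread or from any product mentioned in it) of the RFC 2131/RFC 1542 header rewrite a relay agent performs: on the client side it stamps `giaddr` with its own address and unicasts the request to the server, and on the server side it accepts only replies whose `giaddr` names this relay. The DHCPDISCOVER packet, the addresses (10.1.0.1 relay, 10.9.0.5 server) and the `Forward` helper are all constructed for the example; with the relay sending unicast from its own IP, the firewall rule between the two halves reduces to UDP 67 between relay_ip and server_ip.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
HOPS_OFF, FLAGS_OFF, YIADDR_OFF, GIADDR_OFF = 3, 10, 16, 24
MAX_HOPS = 4  # RFC 1542: drop requests that have already crossed too many relays

@dataclass
class Forward:
    packet: bytes   # rewritten DHCP message
    dst_ip: str     # where the relay sends it
    dst_port: int

def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it (giaddr still 0.0.0.0)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # broadcast flag set
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # magic cookie, option 53 (message type) = 1 DISCOVER, end option
    return hdr + bytes([99, 130, 83, 99, 53, 1, 1, 255])

def relay_to_server(pkt: bytes, relay_ip: str, server_ip: str) -> Optional[Forward]:
    """Client-segment side: set giaddr to the relay's client-facing address,
    bump hops, and unicast to the server (no broadcast crosses the firewall)."""
    if len(pkt) < 240 or pkt[0] != BOOTREQUEST:
        return None
    if pkt[HOPS_OFF] >= MAX_HOPS:
        return None                      # looped or over-relayed request
    b = bytearray(pkt)
    b[HOPS_OFF] += 1
    if b[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        b[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(relay_ip)  # first relay only
    return Forward(bytes(b), server_ip, 67)

def relay_to_client(pkt: bytes, relay_ip: str) -> Optional[Forward]:
    """Protected-segment side: accept a reply only if giaddr names this relay,
    then deliver it on the client segment (broadcast if the client asked)."""
    if len(pkt) < 240 or pkt[0] != BOOTREPLY:
        return None
    if pkt[GIADDR_OFF:GIADDR_OFF + 4] != socket.inet_aton(relay_ip):
        return None                      # misrouted or forged reply: drop it
    broadcast = pkt[FLAGS_OFF] & 0x80
    yiaddr = socket.inet_ntoa(pkt[YIADDR_OFF:YIADDR_OFF + 4])
    return Forward(pkt, "255.255.255.255" if broadcast else yiaddr, 68)
```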
 
Will

There is no router or switch that connects the two networks. As stated in the
original post, we have a client network and an AD network, and the only
thing connecting these two networks is a firewall. My premise was that I
don't want to run DHCP Relay software on the firewall itself.
 
Will

The problem with running DHCP Relay Agent on the firewall directly is that
it just gives another potential path to hacking the firewall. It's
probably lower risk than running an application that listens on an IP port,
but I guess I would just prefer to find a different solution if it exists
and is cost-effective.

--
Will



Ian said:
DHCP Relay Agent will let you specify what card to listen on. Is that
what you are trying to achieve?

Does this help?
http://www.internetaccessmonitor.co...ents/Enabling_DHCP_Relay_for_DMZ_Segments.php
 
