Thursday, July 26, 2018

Security of DHCP relay - where do you draw the line on isolated vlans?

This came up in a meeting today. Getting ready for a forklift network upgrade across a dozen small sites. All have private WAN links back to a central datacenter. Onsite old IOS routers are being replaced by Sophos UTMs, on which I despise the DHCP management. So I've been replicating the utterly ridiculous list of pools on each router in the DHCP cluster and cutting the interfaces over to DHCP relay. DAI, dhcp snooping, and 802.1x are all going live when the switches arrive.

Now I'm getting some blowback on the phone and printer networks pulling DHCP from the servers being a "security risk". The concern is more what the auditors will say than anything, but I'm curious what you guys think. Does relaying DHCP traffic from a device to a server present a security risk to the server? Do you deploy independent DHCP solutions for each vlan you're supposed to isolate? Personally, I believe centralizing DHCP represents a security boon. IPAM beats the crusty spreadsheets any day.

In this specific case, all vlans hit the same firewall, travel the same tunnel, and use the same remote firewall to hit the outside or interior networks as needed.

I know Cisco has CVE-2017-12240 relay vulnerabilities, but A) that's the relay, not the server, and B) we're not going to be using a Cisco implementation.
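The practical point behind the question is that a relayed DHCP request does not look like arbitrary traffic from the phone or printer VLAN: the relay agent rewrites it into a unicast UDP/67 datagram sourced from the relay's own address, with that address in the `giaddr` field (RFC 2131) and, on most switches, a relay agent information option (option 82, RFC 3046) identifying the port it came in on. That is what lets the server side be tightly filtered and audited. The following is an added example, not code from the post or from any DHCP server product: a minimal DHCP message parser plus a server-side acceptance check that admits only requests arriving from a known relay address with a matching non-zero `giaddr`, rejecting anything that claims to come straight from a client. The relay addresses, the constructed DISCOVER packet and the hop limit are assumptions chosen for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(data: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of one DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    # ciaddr, yiaddr, siaddr, giaddr sit at fixed offsets 12, 16, 20, 24
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(data[i:i + 4])) for i in (12, 16, 20, 24)
    )
    chaddr = data[28:28 + hlen].hex(":")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    # Option 82 carries its own sub-options: 1 = circuit-id, 2 = remote-id
    relay_info = {}
    if OPT_RELAY_AGENT in options:
        sub = options[OPT_RELAY_AGENT]
        j = 0
        while j + 1 < len(sub):
            stype, slen = sub[j], sub[j + 1]
            relay_info[stype] = sub[j + 2:j + 2 + slen]
            j += 2 + slen
    msg_type = MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "OTHER")
    return {"op": op, "hops": hops, "xid": xid, "giaddr": giaddr,
            "chaddr": chaddr, "msg_type": msg_type, "relay_info": relay_info}


def check_relayed(pkt: dict, src_ip: str, allowed_relays: set, max_hops: int = 4):
    """Server-side acceptance policy (assumed): only relayed requests from known relays.

    The server lives on its own VLAN, so every legitimate client request must arrive
    via a relay; a request with giaddr == 0.0.0.0 therefore indicates either a host on
    the server VLAN or traffic that bypassed the relay, and is refused.
    """
    if pkt["op"] != 1:
        return False, "not a client request (op != BOOTREQUEST)"
    if pkt["giaddr"] == "0.0.0.0":
        return False, "not relayed: giaddr is zero"
    if pkt["giaddr"] not in allowed_relays:
        return False, f"unknown relay giaddr {pkt['giaddr']}"
    if src_ip not in allowed_relays:
        return False, f"source {src_ip} is not a known relay"
    if pkt["hops"] > max_hops:
        return False, f"hops {pkt['hops']} exceeds {max_hops}"
    return True, "ok"


def build_discover(giaddr: str, hops: int = 1, with_opt82: bool = True,
                   mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed sample: a relayed DHCPDISCOVER as a relay agent would forward it."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x3903F326, 0, 0x8000)
    hdr += b"\x00" * 12                              # ciaddr, yiaddr, siaddr
    hdr += ipaddress.IPv4Address(giaddr).packed      # giaddr set by the relay
    hdr += mac + b"\x00" * 10 + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])               # DHCPDISCOVER
    if with_opt82:
        circuit, remote = b"Gi1/0/7", b"\x00\xaa\xbb\xcc\xdd\xee"  # constructed ids
        sub = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    opts += bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    relays = {"10.20.0.1", "10.30.0.1"}              # assumed relay interface addresses
    for giaddr, src in (("10.20.0.1", "10.20.0.1"), ("0.0.0.0", "10.50.0.9"),
                        ("192.168.99.1", "192.168.99.1")):
        pkt = parse_dhcp(build_discover(giaddr))
        print(pkt["msg_type"], pkt["chaddr"], pkt["relay_info"].get(1),
              check_relayed(pkt, src, relays))
```

The same policy maps directly onto a host firewall or ACL in front of the server (allow UDP/67 only from the relay addresses), and the option 82 circuit-id gives the auditor a per-port trail that a per-VLAN DHCP server on the old routers never produced.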
