Can DHCP reservations improve network security?
Takeaway: A TechRepublic member recently posed the question of whether assigning DHCP reservations based on MAC addresses could improve network security. The answer was "yes." See why and what the qualifications are.
Problem
In the Technical Q&A, ztech123 posted, "I am curious, are there any security benefits to establishing DHCP reservations for clients on my network – I have about 30 – so that each machine would always get assigned the same IP based on MAC address. I've done it for the printers, and I'm considering it for the client machines, but I was unsure if it's a good move or not. I am trying to enhance security."
Solution
TechRepublic member voldar responded: "The only benefit is the following: if you use reservations for all your computers, and your IP's subnet range for lease by your DHCP is restricted to those 30 IP addresses, then no new computer will be able to connect to your network unless you give to it the rights to do that."
Another TechRepublic member, ewgny, added, "One security benefit that I can think of is that you may want to keep a grouping of workstations with contiguous IP addresses for firewall rules; for example, no outbound port 80 for 10.1.1.20 – 10.1.1.25. You could also prevent the DHCP server from giving out IP addresses by keeping your reservations in an exclusion zone and configuring DHCP not to distribute IP addresses past the exclusion zone. An unauthorized person trying to connect to your network would have to know the private IP range/subnet you are using to get onto your network. Although this alone doesn't give your network a high level of security, it makes it more difficult for hackers."
There are also two TechRepublic articles that help to answer this question and show how to best use DHCP reservations:
- "Use DHCP Class to deny Internet access to unauthorized machines"
- "Manage static IP addresses in DHCP by using Reservations"
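As the replies note, a reservation-only scope controls which machines the DHCP server will hand an address to, so it helps to compare what is actually on the wire against the reservation list. The following is an added example, not code from the article or from TechRepublic members; the MAC addresses, the observed-host list, the subnet and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: reservations as configured on the DHCP server (MAC -> IP).
RESERVATIONS = {
    "00:11:22:33:44:01": "10.1.1.20",
    "00:11:22:33:44:02": "10.1.1.21",
    "00:11:22:33:44:03": "10.1.1.22",
}

# Constructed sample of (IP, MAC) pairs seen on the network, for example from
# a router's ARP table export. MAC formatting deliberately varies.
OBSERVED = [
    ("10.1.1.20", "00-11-22-33-44-01"),  # matches its reservation
    ("10.1.1.25", "00:11:22:33:44:02"),  # reserved MAC at the wrong address
    ("10.1.1.22", "AA:BB:CC:DD:EE:FF"),  # unknown MAC on a reserved address
    ("10.1.1.40", "aa:bb:cc:00:00:09"),  # unknown MAC, unreserved address
]

def norm_mac(mac):
    """Normalise a MAC address to lowercase colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, observed, subnet="10.1.1.0/24"):
    """Return (finding, ip, mac) tuples for hosts that disagree with the reservations."""
    net = ipaddress.ip_network(subnet)
    by_mac = {norm_mac(m): ipaddress.ip_address(ip) for m, ip in reservations.items()}
    by_ip = {ip: m for m, ip in by_mac.items()}
    findings = []
    for ip_text, mac_text in observed:
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if ip not in net:
            continue  # outside the audited subnet
        if mac in by_mac:
            if by_mac[mac] != ip:
                findings.append(("reserved-mac-wrong-ip", str(ip), mac))
        elif ip in by_ip:
            findings.append(("reserved-ip-unknown-mac", str(ip), mac))
        else:
            findings.append(("unknown-host", str(ip), mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit(RESERVATIONS, OBSERVED):
        print(f"{kind:24} {ip:12} {mac}")
```

Any finding means a host is using an address the DHCP server did not assign to it, which is the gap a reservation list by itself does not close.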
Note
The text of discussion posts from TechRepublic members has been slightly edited for spelling, punctuation, and clarity.


