Security Solutions
3-54
Designing Access Controls
Choose the Endpoint Integrity Deployment Method
The DHCP deployment is less secure because sophisticated users can circumvent the endpoint integrity checking. If users configure their endpoint with a valid static IP address (rather than relying on the DHCP server to provide an address), their endpoint will not be quarantined even if it fails endpoint integrity tests.
If your switch supports DHCP snooping and Address Resolution Protocol (ARP) protection, however, you can block traffic from users who configure their endpoint with a static IP address. For example, the ProCurve Switches 3500yl, 5400zl, and 6200yl support both features. If you enable DHCP snooping, these switches protect your network against DHCP attacks by creating a DHCP snooping table, which tracks:
■ MAC address
■ IP address
■ Lease time
■ Binding type
■ VLAN number
■ Interface information that corresponds to each DHCP lease through an untrusted port
The switches can then use this table to protect your network against attacks such as ARP poisoning and ARP snooping. When you enable ARP protection, the switches verify the IP-to-MAC address binding on traffic received on untrusted ports. The switches check a packet’s IP and MAC address information against the information stored in their DHCP snooping table. If a user has assigned his or her endpoint a static IP address, the switch will not be able to verify the IP-to-MAC address binding in the table and will drop the user’s traffic.
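The binding check described above, modeled as an added example. This is illustrative Python written for this page, not ProCurve firmware or any vendor's code; the class and function names, the port names (A5, A6, A7, A24), and the sample MAC and IP addresses are all constructed. It builds a snooping table with the fields the text lists, then runs ARP protection over a handful of constructed packets: a DHCP client whose binding matches, a user with a self-assigned static address, a host claiming another client's IP (ARP poisoning), traffic arriving on a trusted uplink, and a client whose lease has expired.

```python
"""Toy model of a DHCP snooping table and ARP protection (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the snooping table: the fields the text says are tracked."""
    mac: str
    ip: str
    lease_expires: int      # absolute time (seconds) at which the lease ends
    binding_type: str       # "dynamic" for a lease learned by snooping DHCP
    vlan: int
    interface: str          # untrusted client port the lease was issued through


class DhcpSnoopingTable:
    """Bindings keyed by (VLAN, IP). Only clients on untrusted ports are tracked."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[int, str], Binding] = {}

    def learn_lease(self, *, mac: str, ip: str, lease_time: int, now: int,
                    vlan: int, interface: str, interface_trusted: bool) -> Optional[Binding]:
        # Leases seen on trusted ports (servers, uplinks) are not tracked.
        if interface_trusted:
            return None
        row = Binding(mac.lower(), ip, now + lease_time, "dynamic", vlan, interface)
        self._rows[(vlan, ip)] = row
        return row

    def lookup(self, vlan: int, ip: str, now: int) -> Optional[Binding]:
        """Return the live binding for (vlan, ip); an expired lease is aged out."""
        row = self._rows.get((vlan, ip))
        if row is None:
            return None
        if now >= row.lease_expires:
            del self._rows[(vlan, ip)]
            return None
        return row


@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str
    ingress_trusted: bool


def arp_protect(table: DhcpSnoopingTable, pkt: ArpPacket, now: int) -> str:
    """ARP protection verdict, 'forward' or 'drop'.

    Trusted ports are not inspected. On an untrusted port the sender's
    IP-to-MAC pair must match a live lease on the same VLAN. A static IP
    address, a spoofed MAC, or an expired lease leaves the binding
    unverifiable, so the packet is dropped.
    """
    if pkt.ingress_trusted:
        return "forward"
    row = table.lookup(pkt.vlan, pkt.sender_ip, now)
    if row is None or row.mac != pkt.sender_mac.lower():
        return "drop"
    return "forward"


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: one legitimate DHCP lease on VLAN 10, port A5."""
    table = DhcpSnoopingTable()
    table.learn_lease(mac="00:11:22:33:44:55", ip="10.0.10.20", lease_time=3600,
                      now=0, vlan=10, interface="A5", interface_trusted=False)
    now = 100
    packets = {
        # Client using the address the DHCP server leased to it: binding matches.
        "dhcp_client": ArpPacket("00:11:22:33:44:55", "10.0.10.20", 10, "A5", False),
        # User who self-assigned a static IP: no lease, nothing to verify against.
        "static_ip_user": ArpPacket("00:aa:bb:cc:dd:ee", "10.0.10.99", 10, "A7", False),
        # Host claiming the client's IP with a different MAC (ARP poisoning).
        "arp_poisoner": ArpPacket("00:de:ad:be:ef:01", "10.0.10.20", 10, "A6", False),
        # Router on the trusted uplink: not subject to inspection.
        "trusted_uplink": ArpPacket("00:50:56:00:00:01", "10.0.10.1", 10, "A24", True),
    }
    verdicts = {name: arp_protect(table, pkt, now) for name, pkt in packets.items()}
    # Same client after its lease has run out: the row is aged out and traffic dropped.
    verdicts["expired_lease"] = arp_protect(table, packets["dhcp_client"], now=4000)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} {verdict}")
```

The model makes the text's point concrete: the switch never decides whether a host is "allowed" to use an address, it only asks whether the IP-to-MAC pair on an untrusted port can be traced to a lease it saw the DHCP server issue. Anything it cannot trace, including an otherwise valid static address, fails that test.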
Table 3-36 compares the security levels of the deployment methods.