WEBVTT

0:00:03.200000 --> 0:00:08.620000
Welcome to this video on securing network access with DHCP snooping.

0:00:08.620000 --> 0:00:12.900000
So I'm going to be doing a refresher in our CCIE bootcamp here on what

0:00:12.900000 --> 0:00:18.140000
DHCP snooping is, what problems it solves, and how you configure and monitor

0:00:18.140000 --> 0:00:23.120000
it. All right. So what problem is solved with DHCP snooping?

0:00:23.120000 --> 0:00:24.560000
Well, here's the main gist of it.

0:00:24.560000 --> 0:00:30.820000
We know from our previous reviews of DHCP that out of the four packets

0:00:30.820000 --> 0:00:35.920000
involved in a DHCP transaction, two of them are broadcast in nature.

0:00:35.920000 --> 0:00:39.800000
Basically, the packets that the client sends, the DHCP discover and the

0:00:39.800000 --> 0:00:43.520000
DHCP request, are both broadcast packets.

0:00:43.520000 --> 0:00:48.440000
That being said, we know that the normal behavior of a switch is to flood

0:00:48.440000 --> 0:00:52.720000
broadcast. So that means anybody else in the same VLAN as you, if they

0:00:52.720000 --> 0:00:57.580000
have Wireshark going or something, they can see your DHCP discover.

0:00:57.580000 --> 0:01:01.000000
And more importantly, they can see your DHCP request.

0:01:01.000000 --> 0:01:05.440000
And your DHCP request now has vital information about you in it, like

0:01:05.440000 --> 0:01:09.840000
your IP address, your MAC address, how long your lease is good for, the

0:01:09.840000 --> 0:01:12.420000
IP address of the DHCP server.

0:01:12.420000 --> 0:01:16.620000
And people could use that against you in a network attack.

0:01:16.620000 --> 0:01:20.240000
Another problem with DHCP is that we also know the default behavior of

0:01:20.240000 --> 0:01:23.480000
pretty much every operating system out there is that if an operating

0:01:23.480000 --> 0:01:29.280000
system receives more than one DHCP offer, it'll take the first one.
0:01:29.280000 --> 0:01:31.780000
Whatever the first one is, it'll latch onto that and say, okay, I'm going

0:01:31.780000 --> 0:01:35.300000
to use you. I'm just going to ignore the other ones.

0:01:35.300000 --> 0:01:40.620000
Well, what if there is a rogue or malicious DHCP server that is closer

0:01:40.620000 --> 0:01:46.060000
in physical proximity to you than the legitimate DHCP server?

0:01:46.060000 --> 0:01:51.020000
Well, that rogue server, if it has access to seeing your DHCP discover,

0:01:51.020000 --> 0:01:56.500000
and if it can send you a DHCP offer, his offer will get to you first before

0:01:56.500000 --> 0:01:58.420000
the legitimate offer.

0:01:58.420000 --> 0:02:02.020000
And now he can give you all kinds of wrong information, from a wrong address

0:02:02.020000 --> 0:02:06.800000
to a wrong default gateway, a wrong DNS server. It could poison you and

0:02:06.800000 --> 0:02:10.160000
do an attack in any number of ways.

0:02:10.160000 --> 0:02:14.880000
So DHCP snooping was designed to solve those types of problems and more.

0:02:14.880000 --> 0:02:19.100000
All the types of attacks you can think of that might be DHCP related,

0:02:19.100000 --> 0:02:21.520000
DHCP snooping was designed to solve that.

0:02:21.520000 --> 0:02:24.620000
Now it does it in a very easy way.

0:02:24.620000 --> 0:02:29.440000
So when you enable DHCP snooping, you enable it for a particular VLAN.

0:02:29.440000 --> 0:02:32.280000
So there's one command that says, I just want to enable it, period.

0:02:32.280000 --> 0:02:33.740000
I want to get it started.

0:02:33.740000 --> 0:02:37.080000
Then there's another command that says, and I want to enable it for VLAN

0:02:37.080000 --> 0:02:39.900000
2 or VLAN 7, or whatever you want.

0:02:39.900000 --> 0:02:45.160000
Now the moment you enable it on a VLAN, all the ports in that VLAN become

0:02:45.160000 --> 0:02:47.140000
untrusted interfaces.
0:02:47.140000 --> 0:02:50.700000
Now they're untrusted from the perspective of DHCP only.

0:02:50.700000 --> 0:02:53.820000
DHCP snooping doesn't look at any other kind of traffic.

0:02:53.820000 --> 0:02:56.100000
It only pays attention to DHCP traffic.

0:02:56.100000 --> 0:02:59.000000
Now why do we care if these ports are untrusted?

0:02:59.000000 --> 0:03:06.020000
Because DHCP snooping involves some security restrictions.

0:03:06.020000 --> 0:03:09.740000
For example, if you're familiar with firewalls, you know that firewalls,

0:03:09.740000 --> 0:03:13.840000
a lot of times the way firewalls work is that you have an outside interface,

0:03:13.840000 --> 0:03:18.100000
which is going to an untrusted network like the internet, and you have

0:03:18.100000 --> 0:03:22.460000
an inside interface going to a trusted network like your interior corporate

0:03:22.460000 --> 0:03:25.920000
network. And firewalls just have implicit rules in place.

0:03:25.920000 --> 0:03:27.220000
You don't have to configure them.

0:03:27.220000 --> 0:03:30.120000
They just come standard with these rules that say, look, if a packet

0:03:30.120000 --> 0:03:36.460000
comes in my trusted inside interface, I will allow it to go out the untrusted

0:03:36.460000 --> 0:03:38.020000
outside interface.

0:03:38.020000 --> 0:03:40.320000
And I will allow a response to come back.

0:03:40.320000 --> 0:03:42.300000
I'll keep track of that conversation.

0:03:42.300000 --> 0:03:45.060000
So when a response comes back, yep, I'll let that through.

0:03:45.060000 --> 0:03:49.260000
But if somebody tries to initiate traffic on the outside, they're on the

0:03:49.260000 --> 0:03:52.540000
internet, they're trying to initiate an inbound connection, that's not

0:03:52.540000 --> 0:03:53.100000
going to be allowed.

0:03:53.100000 --> 0:03:54.300000
He'll kill that.
0:03:54.300000 --> 0:03:57.120000
Well, DHCP snooping is the same type of thing when it comes to trusted

0:03:57.120000 --> 0:03:59.380000
and untrusted interfaces.

0:03:59.380000 --> 0:04:07.500000
An untrusted interface will not allow a DHCP server message to come in.

0:04:07.500000 --> 0:04:13.600000
So if a DHCP offer or a DHCP ACK or one or two of the other types of DHCP

0:04:13.600000 --> 0:04:19.880000
server messages, if any of those are seen inbound on an untrusted interface,

0:04:19.880000 --> 0:04:21.860000
it's dropped. It's dropped.

0:04:21.860000 --> 0:04:28.180000
So that prevents your rogue or malicious DHCP server from having any effect.

0:04:28.180000 --> 0:04:31.940000
Because your rogue malicious DHCP server, when it connects to a switch

0:04:31.940000 --> 0:04:36.220000
port, that port will be untrusted from DHCP snooping.

0:04:36.220000 --> 0:04:39.020000
And then what you're going to want to do via a command is you're going

0:04:39.020000 --> 0:04:42.600000
to want to go to the interface that leads to your legitimate known DHCP

0:04:42.600000 --> 0:04:45.900000
server and configure that as a trusted interface.

0:04:45.900000 --> 0:04:49.260000
That's one way the DHCP untrusted ports protect you.

0:04:49.260000 --> 0:04:52.900000
They prevent rogue unauthorized servers from even sending anything into

0:04:52.900000 --> 0:04:53.900000
the switch at all.

0:04:53.900000 --> 0:04:54.940000
It just gets dropped.

0:04:54.940000 --> 0:05:03.480000
The second way. Messages that come in an untrusted port, like client messages,

0:05:03.480000 --> 0:05:08.620000
like your DHCP discover, your DHCP request, which are normally broadcast

0:05:08.620000 --> 0:05:15.440000
in nature, those are only allowed to be transmitted out a trusted interface.

0:05:15.440000 --> 0:05:19.000000
They're not allowed to be translated out, or I should say transmitted out,

0:05:19.000000 --> 0:05:20.780000
an untrusted interface.
0:05:20.780000 --> 0:05:24.580000
So for example, this guy right here, when he sends his client message,

0:05:24.580000 --> 0:05:30.120000
like his discover or his request, well, normally if we did not have DHCP

0:05:30.120000 --> 0:05:34.000000
snooping going on, that would be flooded here and here.

0:05:34.000000 --> 0:05:37.720000
But with DHCP snooping, it says, nope, I'm not going to allow it to go

0:05:37.720000 --> 0:05:41.840000
out this untrusted interface, but I will allow it to go out this trusted

0:05:41.840000 --> 0:05:48.020000
port. So once again, this guy with the malicious DHCP server program,

0:05:48.020000 --> 0:05:50.220000
he's never even going to see your discover.

0:05:50.220000 --> 0:05:54.780000
He's never even going to see your request because untrusted to untrusted,

0:05:54.780000 --> 0:06:02.640000
not allowed. And then a third and final way, and there's more to it than

0:06:02.640000 --> 0:06:08.120000
this, that DHCP snooping protects you, is that as this transaction happens

0:06:08.120000 --> 0:06:14.000000
from the client to the legitimate DHCP server and back, you know, as the

0:06:14.000000 --> 0:06:18.220000
discover or the offer or the request, the acknowledgement goes by, this

0:06:18.220000 --> 0:06:23.640000
search, the switch here, spoofs that, he snoops it, he snoops it, he's

0:06:23.640000 --> 0:06:31.120000
watching it, and as he's watching it, he's populating a DHCP binding database.

0:06:31.120000 --> 0:06:35.220000
So he actually learns, the switch actually learns your MAC address, the

0:06:35.220000 --> 0:06:38.600000
port you're on, the VLAN you're on, but above and beyond that, because

0:06:38.600000 --> 0:06:41.780000
that's just normal switching right there, above and beyond that, he learns

0:06:41.780000 --> 0:06:45.440000
what IP address you got, what subnet mask you got, and what your lease

0:06:45.440000 --> 0:06:48.580000
time is, how long that IP address is good for.
0:06:48.580000 --> 0:06:54.600000
Now the benefit to that is that now, if this guy comes along, see, here's

0:06:54.600000 --> 0:06:56.460000
another form of a network attack.

0:06:56.460000 --> 0:07:01.180000
Let's say that guy knew that you were 1.1.1.1 and that your MAC address

0:07:01.180000 --> 0:07:03.920000
was this thing right here.

0:07:03.920000 --> 0:07:08.500000
Well, without DHCP snooping, another kind of attack this guy could do

0:07:08.500000 --> 0:07:12.660000
is he could just change his own IP address to that exact same thing, change

0:07:12.660000 --> 0:07:17.300000
his own MAC address to that exact same thing, I'm not going to do the

0:07:17.300000 --> 0:07:22.660000
whole thing, but you get the idea, and then he could send a DHCP release

0:07:22.660000 --> 0:07:28.300000
message to the server, basically telling the server, hey, I don't need

0:07:28.300000 --> 0:07:31.800000
this IP address anymore, you can put it back in your pool, you can give

0:07:31.800000 --> 0:07:33.200000
it to somebody else.

0:07:33.200000 --> 0:07:38.260000
Well, in reality, this guy here, PC A, is still using that IP address, he

0:07:38.260000 --> 0:07:42.000000
hasn't released it, and now that DHCP server allocates that IP address

0:07:42.000000 --> 0:07:47.500000
to somebody else, now we have a duplicate address problem, which is going

0:07:47.500000 --> 0:07:49.660000
to cause all sorts of problems.
0:07:49.660000 --> 0:07:54.620000
But once again, this guy with DHCP snooping, he can't do that, because

0:07:54.620000 --> 0:07:58.100000
if he tries to change his IP address and MAC address to that same thing,

0:07:58.100000 --> 0:08:07.760000
I'm just going to switch, he'll say, hold on a second, when I was snooping

0:08:07.760000 --> 0:08:13.040000
you, the last time I saw you, you lived on port 0 slash 1, but now you're

0:08:13.040000 --> 0:08:17.600000
telling me you're coming in port 0 slash 2, I don't think so, and it will

0:08:17.600000 --> 0:08:19.900000
drop that message.

0:08:19.900000 --> 0:08:27.600000
So that's another way DHCP snooping can protect you against attacks.

0:08:27.600000 --> 0:08:31.960000
So client messages are only allowed from untrusted to trusted, so those

0:08:31.960000 --> 0:08:35.880000
are your discovers, your requests, informs and declines, and your release

0:08:35.880000 --> 0:08:42.100000
messages. And DHCP server messages, like your offers and your ACKs and

0:08:42.100000 --> 0:08:49.920000
your NAKs, are only allowed to be received untrusted interfaces.

0:08:49.920000 --> 0:08:54.340000
So, and I would definitely recommend that you know what each of those

0:08:54.340000 --> 0:08:57.520000
messages are. A lot of people are very familiar with the discover, the

0:08:57.520000 --> 0:09:01.240000
offer, the request, and the acknowledgement, but you can see there's some

0:09:01.240000 --> 0:09:03.640000
other DHCP messages here as well.

0:09:03.640000 --> 0:09:09.960000
Make sure you skill up on what a DHCP inform is, what's the difference

0:09:09.960000 --> 0:09:14.440000
between a DHCP decline and a DHCP NAK, and who sends them.

0:09:14.440000 --> 0:09:18.120000
Those are also very important things to know in the world of DHCP.

0:09:18.120000 --> 0:09:22.820000
So that brings us to the end of this particular video.

0:09:22.820000 --> 0:09:23.660000
Thank you for watching.