DHCP Guarding

By Irene Daraman
Updated on July 24, 2023

A DHCP server provides leases to DHCP clients through proper authorization. This process prevents unauthorized DHCP servers from delivering invalid IP addresses or conflicting configurations to clients. If you are looking for a more proactive way to prevent problems caused by unauthorized DHCP servers, DHCP Guarding is one of the best solutions.

DHCP Guarding acts as a second line of defense against malicious or unauthorized DHCP servers: it configures UniFi switches to restrict which DHCP servers are allowed. It also prevents malware-driven and other DHCP attacks.

What is DHCP Guarding in UniFi?

Ubiquiti's DHCP Guarding feature ensures that only trusted DHCP servers can deliver DHCP leases to devices on a specific network. It configures UniFi switches to detect and block unauthorized DHCP servers.

Should I enable DHCP guarding?

It is recommended to turn on DHCP Guarding to ensure that no unauthorized DHCP server is able to offer DHCP leases to devices on your network. This feature prevents malicious attacks on your network and accidental joining of other clients' networks. The result is a more secure network, free from malware and other DHCP attacks.

How do I enable DHCP Guard?

Enabling DHCP Guard is easy. Here are the steps to configure your networks with DHCP Guarding:

Step 1: Go to the UniFi controller

In your UniFi controller, click the settings (gear icon) located in the lower right of the controller screen.

Step 2: Go to Networks

UniFi controllers come with a Default Corporate network (LAN) installed. However, users can customize it with different VLANs and Guest VLANs. While configuring each type of network, you can also enable DHCP Guarding to ensure that only trusted DHCP servers are able to offer DHCP leases to devices on the network.

Step 3: Enable DHCP Guarding

Under the network you are setting up, scroll down and locate the DHCP Guarding section. Turn on the toggle switch to enable DHCP Guarding.

Step 4: Click Save

Hit the Save button to apply the changes you made.

How do I enable DHCP snooping?

Another feature of Ubiquiti products, alongside DHCP Guarding, is DHCP Snooping. Like DHCP Guarding, DHCP Snooping provides a second line of defense against DHCP attacks, prevents unauthorized DHCP servers from operating on your network, and reduces the incidence of DHCP spoofing attacks. This feature can also help the performance of devices on a network that receive multicast traffic. Moreover, it protects against man-in-the-middle attacks by guarding against untrusted hosts that try to become DHCP servers.

Step 1: Go to the UniFi controller

In your UniFi controller GUI, click the settings (gear) icon.

Step 2: Go to Networks

Edit the network that you have created, whether Guest VLAN, Corporate, or VLAN only. While configuring each type of network, you can enable IGMP Snooping.

Step 3: Enable IGMP Snooping

Under the network you are editing, scroll down and locate the IGMP Snooping section. Turn on the toggle switch to enable IGMP Snooping.

Step 4: Save

Hit the Save button to apply the changes you made.

How does DHCP snooping protect against rogue DHCP servers?

There have been ongoing problems with malware threats around the world. Such malware can turn a machine into a DHCP server. As clients connect to the network, the rogue server offers them IP addresses, a default gateway, and DNS servers, just as a legitimate DHCP server would. It could start assigning null IP addresses, disrupt network connections, or prevent client devices from accessing network services. Enabling DHCP Guarding and DHCP Snooping helps prevent such problems.

Dynamic Host Configuration Protocol (DHCP) Snooping is a Layer 2 security technology integrated into your Ubiquiti OS that restricts rogue DHCP servers from offering IP addresses to DHCP clients on your network. DHCP Snooping validates DHCP messages from untrusted sources and filters out unacceptable or invalid messages. Users can configure DHCP Snooping on UniFi LAN switches so that rogue DHCP servers are filtered out and any malicious DHCP traffic is dropped.

In addition, DHCP Snooping can track the physical location of an IP address when combined with AAA accounting or Simple Network Management Protocol (SNMP). It can also prevent DHCP spoofing attacks, which intercept traffic from users before forwarding it to the true gateway, and DHCP starvation attacks, which deplete the DHCP pool.

What happens to DHCP server traffic after you enable DHCP snooping?

It is highly recommended to enable DHCP Snooping on your networks. Once DHCP Snooping is configured on LAN switches, it restricts rogue DHCP servers and removes malicious DHCP traffic. When the DHCP Snooping service detects a violation, it drops the packet and logs a “DHCP_SNOOPING” message. These DHCP Snooping observations are recorded in a database containing the MAC address, the IP address assigned by DHCP, the remaining lease time, the VLAN, and the switch port.
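To make the mechanism described in the two sections above concrete (server messages accepted only from trusted ports, client messages validated, and a database of MAC, IP, lease time, VLAN and port built from the leases that pass), here is a small Python model of a DHCP-snooping switch. This is an added illustration, not UniFi or Ubiquiti code: the `SnoopingSwitch` class, the `DhcpFrame` fields, the port names and the MAC/IP values are all constructed for the example, and the "DHCP_SNOOPING" log text follows the wording the article uses.

```python
from dataclasses import dataclass

# DHCP option-53 message types that only a server should ever send.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpFrame:
    """Minimal view of one DHCP message as seen at a switch port (constructed)."""
    port: str          # ingress port, e.g. "Port 7"
    vlan: int
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address carried in the DHCP payload
    msg_type: str      # DISCOVER / OFFER / REQUEST / ACK / RELEASE / ...
    yiaddr: str = ""   # address handed out by the server (OFFER / ACK)
    lease: int = 0     # lease time in seconds (ACK)


@dataclass
class Binding:
    """One row of the snooping database: MAC, IP, lease, VLAN, switch port."""
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class SnoopingSwitch:
    """Hypothetical switch: only ports in `trusted_ports` may carry server replies."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}   # client MAC -> Binding
        self.pending = {}    # client MAC -> (port, vlan) of its last DISCOVER/REQUEST
        self.log = []        # violation messages, one per dropped frame

    def _drop(self, frame, reason):
        self.log.append(f"DHCP_SNOOPING: dropped {frame.msg_type} on {frame.port} "
                        f"vlan {frame.vlan} from {frame.src_mac}: {reason}")
        return "DROP"

    def process(self, frame):
        """Return "FORWARD" or "DROP" for one frame, updating the database as we go."""
        if frame.port in self.trusted_ports:
            # Trusted port (uplink to the real server): accept replies and, on ACK,
            # record the lease against the port the client actually asked from.
            if frame.msg_type == "ACK" and frame.chaddr in self.pending:
                port, vlan = self.pending.pop(frame.chaddr)
                self.bindings[frame.chaddr] = Binding(frame.chaddr, frame.yiaddr,
                                                      frame.lease, vlan, port)
            return "FORWARD"

        # Everything below is an untrusted (access) port.
        if frame.msg_type in SERVER_MESSAGES:
            return self._drop(frame, "server message on untrusted port (rogue DHCP server)")
        if frame.src_mac != frame.chaddr:
            return self._drop(frame, "chaddr does not match frame source MAC")
        if frame.msg_type in ("RELEASE", "DECLINE"):
            # A lease may only be released from the port and VLAN it was granted on.
            b = self.bindings.get(frame.chaddr)
            if b is None or b.port != frame.port or b.vlan != frame.vlan:
                return self._drop(frame, "no matching binding for this MAC on this port")
            del self.bindings[frame.chaddr]
            return "FORWARD"
        if frame.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[frame.chaddr] = (frame.port, frame.vlan)
        return "FORWARD"


CLIENT = "aa:bb:cc:00:00:01"   # constructed client MAC
SERVER = "00:11:22:33:44:55"   # constructed legitimate server MAC
ROGUE = "de:ad:be:ef:00:99"    # constructed MAC of a host behaving as a rogue server


def run_demo():
    """Replay a constructed exchange; returns the switch and the per-frame verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Port 1"})
    frames = [
        DhcpFrame("Port 7", 10, CLIENT, CLIENT, "DISCOVER"),
        DhcpFrame("Port 9", 10, ROGUE, CLIENT, "OFFER", yiaddr="10.0.0.200"),   # rogue offer
        DhcpFrame("Port 1", 10, SERVER, CLIENT, "OFFER", yiaddr="10.0.0.50"),
        DhcpFrame("Port 7", 10, CLIENT, CLIENT, "REQUEST"),
        DhcpFrame("Port 1", 10, SERVER, CLIENT, "ACK", yiaddr="10.0.0.50", lease=86400),
        DhcpFrame("Port 9", 10, CLIENT, CLIENT, "RELEASE"),   # release forged from wrong port
        DhcpFrame("Port 9", 10, ROGUE, CLIENT, "DISCOVER"),   # chaddr / source MAC mismatch
        DhcpFrame("Port 7", 10, CLIENT, CLIENT, "RELEASE"),   # genuine release
    ]
    return sw, [sw.process(f) for f in frames]


if __name__ == "__main__":
    switch, verdicts = run_demo()
    for line in switch.log:
        print(line)
```

Running the module prints three DHCP_SNOOPING lines: the rogue OFFER on Port 9, the forged RELEASE, and the DISCOVER whose chaddr does not match its source MAC; the legitimate lease passes, lands in `bindings` with port "Port 7" and lease 86400, and is removed again by the genuine RELEASE.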

You can store DHCP Snooping logs either in the device's flash or in a remote location such as a Trivial File Transfer Protocol (TFTP) server; the remote option is recommended so that the files survive a catastrophic switch failure.