DHCP Fingerprinting for Access Control Security

The VitalQIP product provides several methods to qualify the DHCP server configuration, resulting in various means to control whether a DHCP client can get an IP address lease, which scope that address is assigned from, and which options the client is sent in the DHCPOFFER and DHCPACK messages. These access control methods consist of MAC address pools, vendor and/or user class matching, and relay agent remote id / circuit id matching. Additionally, there is an Access Control feature that uses the Cache service to provide control based on individual MAC addresses that have been provisioned via Self Registration or CLIs in VitalQIP. None of these methods is well suited to controlling mobile device access, however.

DHCP fingerprinting implements access control based on the signature formed by which DHCP options a particular device type or operating system requests in the Parameter Request List (option 55) and the order in which it lists them. This information, commonly referred to as the DHCP client fingerprint, is readily available to the DHCP server in the client's DHCPDISCOVER message and can be used as an additional input when deciding whether to offer a lease and which address and options to offer. The DHCP fingerprint data can also be sent to the VitalQIP Update service for inclusion in the VitalQIP database, allowing further analysis such as searches and reports.
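The following added example (not VitalQIP code) shows how the fingerprint described above is derived: it parses the option area of a DHCPDISCOVER, extracts option 55 in the order the client sent it, and maps the resulting signature to a scope decision. The signature table, scope names and the sample packet builder are constructed for illustration.

```python
"""Added example: derive the DHCP client fingerprint (option 55 order) from a
DHCPDISCOVER and map it to an access decision. Signature table is constructed."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PARAM_REQUEST_LIST = 55

# Constructed lookup table: fingerprint -> (device class, scope to offer).
# A real deployment populates this from observed, vetted client behaviour.
KNOWN_FINGERPRINTS = {
    "1,3,6,15,119,252": ("corporate-laptop", "corp-scope"),
    "1,121,3,6,15,119,252": ("mobile-handset", "guest-scope"),
}

def parse_options(packet: bytes) -> dict:
    """Parse DHCP TLV options (RFC 2132) from a raw BOOTP/DHCP packet.
    The fixed header is 236 bytes, followed by the 4-byte magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # PAD: a single byte with no length field
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)   # keep the first occurrence of a code
        i += 2 + length
    return opts

def fingerprint(packet: bytes) -> str:
    """Option 55 as a comma-separated string in client order; '' if absent."""
    prl = parse_options(packet).get(OPT_PARAM_REQUEST_LIST, b"")
    return ",".join(str(b) for b in prl)

def classify(packet: bytes) -> tuple:
    """Access decision: known signature -> its scope; unknown -> quarantine."""
    return KNOWN_FINGERPRINTS.get(fingerprint(packet), ("unknown", "quarantine-scope"))

def build_discover(prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST header, cookie, option 53=1, option 55."""
    header = b"\x01" + bytes(235)
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl + b"\xff"
```

Because the fingerprint is only a client-supplied hint, the decision it drives should be a scope or option choice layered on top of the other controls above, not a substitute for them.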
