
The secure use of DHCP

The Dynamic Host Configuration Protocol (DHCP) is the Internet protocol used for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, to deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and to provide other configuration information such as the addresses of printer, time and news servers.

Without DHCP, a system administrator must manually set all of this information on each system on the network, one system at a time. The convenience of DHCP, especially in a large or dynamic network, makes it very popular with system administrators.

The use of DHCP can, however, represent a risk to a network. First, DHCP might be used to provide network information to unauthorized devices in your network (e.g. an unapproved device installed by an employee, a device hidden in your network by an intruder, or a device connected to your network through a wireless access point). This concern can be addressed by using a DHCP "white list": a list of the Ethernet (or MAC) addresses of all the approved devices. The MAC address is supplied by the device when it makes a DHCP request, and the DHCP server is configured to consult the list whenever it receives a DHCP configuration request from a new device. If the Ethernet address is known, the device gets its configuration data from the server; otherwise the request is ignored. Maintaining an accurate list of approved MAC addresses for the white list can be an issue in a large network. For new devices, the system staging policy/procedure should include recording the MAC address and entering it into a database from which the white list is generated. For legacy networks, interrogating the switches and using network auditing tools can determine what is already on the network. This security measure can be defeated by a sophisticated and determined insider, but if that is a concern in your network then you need far more sophisticated security measures than we are describing in this Basic Security Tips series.
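The white-list procedure described above, as an added example that is not part of the original tip: it normalizes the MAC addresses recorded by the staging process (which tend to arrive in several spellings), rejects duplicate records, makes the serve-or-ignore decision a server would make for a requesting client, and renders the list as a configuration fragment. The inventory is constructed sample data, and the rendered fragment assumes an ISC dhcpd style server (host declarations plus deny unknown-clients); adapt it to whatever DHCP server you actually run.

```python
import re

# Constructed sample inventory, as recorded by the staging procedure: (host name, MAC)
INVENTORY = [
    ("ws-accounting-01", "00:1A:2B:3C:4D:5E"),
    ("printer-lobby",    "00-1a-2b-3c-4d-5f"),
    ("ntp-server",       "001a.2b3c.4d60"),
]

def normalize_mac(mac):
    """Reduce any common MAC spelling to lower-case colon form; reject anything else."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_allow_list(inventory):
    """Map normalized MAC -> host name. A duplicate MAC means a bad staging record."""
    allow = {}
    for name, mac in inventory:
        key = normalize_mac(mac)
        if key in allow:
            raise ValueError(f"MAC {key} listed twice ({allow[key]}, {name})")
        allow[key] = name
    return allow

def decide(allow, client_mac):
    """Server-side check: hand out configuration only if the client MAC is approved."""
    return "serve" if normalize_mac(client_mac) in allow else "ignore"

def dhcpd_conf(allow):
    """Render the white list as ISC dhcpd host declarations (assumed server syntax)."""
    lines = ["deny unknown-clients;"]
    for mac, name in sorted(allow.items(), key=lambda kv: kv[1]):
        lines.append(f"host {name} {{ hardware ethernet {mac}; }}")
    return "\n".join(lines)

if __name__ == "__main__":
    allow = build_allow_list(INVENTORY)
    for mac in ("00:1a:2b:3c:4d:5e", "de:ad:be:ef:00:01"):
        print(mac, decide(allow, mac))
    print(dhcpd_conf(allow))
```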

The second concern about DHCP is the decision about which device in your network is to be the DHCP server. The DHCP server can be any device that has the DHCP server software installed. In small networks it is commonplace for the network router or firewall to be configured to provide this service. This is a vulnerable configuration, because crashing the router/firewall then amounts to a denial of service (DoS) attack against your entire network. Such an attack would disable the router, leaving your systems not only unable to reach the Internet, but unable to reach each other as well.

© Copyright 2001-2004 Taygeta, All rights reserved
1340 Munras Ave, Suite 314 CA 93940, voice 831.641.0645, FAX 831.641.0647