Because networks have come under an increasing number of malicious attacks that not only compromise the security of network resources, but also prevent access by legitimate users, enforcement mechanisms to limit access to the network, i.e., network access control (NAC) mechanisms, have become an increasingly important part of network security. NAC mechanisms include host-based approaches to enforcement that limit access to the network by an end point device, i.e., the host, using network configuration information stored in the host itself, as well as network-based approaches to enforcement that limit the host's network access using network configuration information stored in the network's connection points, such as the switches, hubs, and routers, collectively referred to as switches.
A commonly used host-based approach to enforcement is the Dynamic Host Configuration Protocol (DHCP), which enforces end point access policies through Internet Protocol (IP) address configuration. Examples of NAC solutions that use DHCP-based enforcement include a NAC platform product sold under the trademark “Sentriant AG” by Extreme Networks, Inc., of Santa Clara, Calif., the assignee of the present application, as well as Microsoft's Network Access Protection (“NAP”) framework.
Using DHCP, a DHCP server automatically assigns a DHCP client, i.e., the end point or host device, an IP address from a pool of available addresses, together with routing parameters such as a default gateway and subnet mask. The IP address and other parameters are leased to the end point device to allow access to the network for a predetermined period of time, after which the address assignment expires.
Unfortunately, DHCP and other host-based approaches to enforcement have traditionally been very weak from a security perspective, since enforcement is performed entirely on the host. In the case of DHCP, this allows an attacker to bypass the enforcement mechanism and gain full network access by simply configuring static networking settings on their machine rather than using the DHCP-provided settings, a practice that is sometimes referred to as IP spoofing.
For example, under normal circumstances, the DHCP server limits a non-compliant computer's access to the network by purposely not configuring a default gateway and/or setting the subnet mask to 255.255.255.255 so that there is no route to the attached subnet. The non-compliant computer may legitimately gain limited access to a domain name system (DNS) server and to remediation servers on the network only when the DHCP server assigns a limited set of host routes to that computer using the Classless Static Routes DHCP option. However, an attacker can bypass this entire mechanism by simply statically configuring a valid default gateway and IP subnet.
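The restricted lease described above can be made concrete by encoding the Classless Static Routes option and then evaluating the route lookup a client would perform on the resulting configuration. The following Python is an added example, not code from the patent or from any Extreme Networks or Microsoft product; it assumes the RFC 3442 wire format for option 121 (one byte of prefix width, the significant destination octets, then the four-byte router address) and uses constructed RFC 5737 documentation addresses throughout. The `reachable` function is a deliberately simple model of the host's own route table, which is the point: every decision it makes rests on settings the host holds and can overwrite.

```python
import ipaddress

# RFC 3442 option code for Classless Static Routes (from the RFC, not the page).
OPTION_CLASSLESS_STATIC_ROUTE = 121


def encode_classless_routes(routes):
    """Encode [(destination_cidr, router_ip), ...] as an option 121 payload.

    Each route is: one byte of prefix width, ceil(width/8) significant octets
    of the destination, then the 4-byte router address (RFC 3442 section 2).
    """
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        width = net.prefixlen
        significant = (width + 7) // 8
        payload.append(width)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_classless_routes(payload):
    """Parse an option 121 payload into [(IPv4Network, IPv4Address), ...]."""
    routes = []
    pos = 0
    while pos < len(payload):
        width = payload[pos]
        pos += 1
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        significant = (width + 7) // 8
        if pos + significant + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        # Omitted low-order destination octets are implicitly zero.
        dest = payload[pos:pos + significant].ljust(4, b"\x00")
        pos += significant
        router = ipaddress.IPv4Address(payload[pos:pos + 4])
        pos += 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{width}")
        routes.append((net, router))
    return routes


def quarantine_lease(client_ip, remediation_hosts, next_hop):
    """Build the restricted lease the text describes: a /32 subnet mask, no
    default gateway (option 3 omitted), and option 121 host routes that reach
    only the DNS and remediation servers. All addresses here are constructed."""
    return {
        "ip": client_ip,
        "subnet_mask": "255.255.255.255",
        "router": None,
        "option_121": encode_classless_routes(
            [(f"{host}/32", next_hop) for host in remediation_hosts]),
    }


def reachable(lease, destination):
    """Model the client's route lookup for the configuration it was handed.

    A destination is routable only if it is on-link, matches a static route,
    or a default gateway exists. Nothing here is enforced by the network: a
    host that ignores the lease and configures its own mask and gateway
    simply evaluates a different table.
    """
    dst = ipaddress.IPv4Address(destination)
    link = ipaddress.IPv4Network(f"{lease['ip']}/{lease['subnet_mask']}", strict=False)
    if dst in link:
        return True
    for net, _router in decode_classless_routes(lease.get("option_121", b"")):
        if dst in net:
            return True
    return lease["router"] is not None


if __name__ == "__main__":
    lease = quarantine_lease("192.0.2.10", ["192.0.2.53", "192.0.2.80"], "192.0.2.1")
    for target in ("192.0.2.53", "192.0.2.80", "198.51.100.7"):
        print(target, "reachable" if reachable(lease, target) else "no route")
```

Because the host routes are /32 entries, only the listed servers match; any other destination falls through to the missing default gateway and gets no route. A defender reviewing a quarantine lease can decode option 121 with the same parser to confirm that nothing broader than host routes was handed out.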
In order to thwart an attacker attempting to bypass the DHCP routing settings, some NAC solutions have implemented a network-based enforcement mechanism that locks down a suspect source IP address that does not appear to have been assigned by a DHCP server. Network-based approaches to enforcement are generally considered to be far more secure than host-based approaches such as DHCP, since they are far more difficult for an attacker to bypass: it is generally much harder for an attacker to reconfigure the network settings on a switch or other type of connection point than to reconfigure their own device.
One example of such a network-based enforcement mechanism is the Source IP Lockdown feature, an IP security feature of the switch operating system sold under the trademark “Extreme XOS” by Extreme Networks, Inc., of Santa Clara, Calif., the assignee of the present application. The Source IP Lockdown feature automatically places source IP address filters on specified ports of a switch such that only traffic from a valid DHCP-assigned source IP address or an authenticated static source IP address is allowed to enter the network. In this way, the network is protected from attacks that use random source IP addresses for their traffic. However, because this feature is limited to filtering traffic based on the source IP address alone, it does not protect the network from attacks that bypass the other routing settings that are provided by DHCP, such as the default gateway and IP subnet settings.
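The following Python is an added simulation of the per-port source IP filter described above and of the gap the last sentence identifies; it is not the Extreme XOS implementation and makes no claim about how that switch operating system stores its bindings. It assumes the switch learns allowed source addresses by snooping DHCPACK messages on each port (a common way such a filter is populated) and that a lease with no router option or a /32 mask is a quarantine lease. The `admit` method is the filter itself; the `routing_bypass` method is a hypothetical audit check added here to make the gap visible, since the plain filter admits the offending frame. All addresses, MACs and port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """Minimal view of an IP frame at a switch ingress port (constructed)."""
    port: int
    src_ip: str
    dst_ip: str
    dst_mac: str


@dataclass
class Binding:
    """A source address the switch will accept on a port."""
    ip: str
    quarantined: bool  # True when the snooped DHCPACK omitted the router or used a /32 mask


@dataclass
class SourceIpLockdown:
    """Per-port source IP filter modelled on the behaviour the text describes.
    Hypothetical simulation, not the Extreme XOS feature itself."""
    subnet: str          # the access subnet the port belongs to (constructed)
    gateway_mac: str     # MAC of the subnet's default gateway (constructed)
    bindings: dict = field(default_factory=dict)  # port -> {ip: Binding}

    def snoop_dhcp_ack(self, port, ack):
        """Learn a binding from a DHCPACK seen on `port`. `ack` is a dict with
        'yiaddr', 'subnet_mask' and an optional 'router' key (constructed)."""
        quarantined = ack.get("router") is None or ack["subnet_mask"] == "255.255.255.255"
        self.bindings.setdefault(port, {})[ack["yiaddr"]] = Binding(ack["yiaddr"], quarantined)

    def authenticate_static(self, port, ip):
        """An authenticated static address is admitted like a full DHCP lease."""
        self.bindings.setdefault(port, {})[ip] = Binding(ip, quarantined=False)

    def admit(self, frame):
        """The lockdown filter: the source IP must be bound on the ingress port.
        Nothing else about the frame is examined."""
        return frame.src_ip in self.bindings.get(frame.port, {})

    def routing_bypass(self, frame):
        """Hypothetical audit check, not part of the feature: a quarantined
        source addressing an off-subnet destination to the gateway MAC is using
        a default gateway and subnet the DHCP server never handed out."""
        binding = self.bindings.get(frame.port, {}).get(frame.src_ip)
        if binding is None or not binding.quarantined:
            return False
        off_subnet = ipaddress.IPv4Address(frame.dst_ip) not in ipaddress.IPv4Network(self.subnet)
        return off_subnet and frame.dst_mac.lower() == self.gateway_mac.lower()


def demo():
    """Exercise the filter with one compliant lease and one quarantine lease."""
    sw = SourceIpLockdown(subnet="192.0.2.0/24", gateway_mac="00:00:5e:00:01:01")
    sw.snoop_dhcp_ack(1, {"yiaddr": "192.0.2.10", "subnet_mask": "255.255.255.0", "router": "192.0.2.1"})
    sw.snoop_dhcp_ack(2, {"yiaddr": "192.0.2.20", "subnet_mask": "255.255.255.255"})  # quarantine lease
    gw = "00:00:5e:00:01:01"
    return {
        # Random source address on port 2: the filter does its job.
        "random_source_dropped": not sw.admit(Frame(2, "192.0.2.99", "198.51.100.7", gw)),
        # Compliant host on port 1 reaching an off-subnet server: expected.
        "compliant_host_admitted": sw.admit(Frame(1, "192.0.2.10", "198.51.100.7", gw)),
        # A binding is per port: the same address on another port is not admitted.
        "binding_is_per_port": not sw.admit(Frame(1, "192.0.2.20", "198.51.100.7", gw)),
        # The gap: the quarantined host's address is valid, so the filter admits
        # an off-subnet frame it should never have been able to route.
        "quarantined_off_subnet_admitted": sw.admit(Frame(2, "192.0.2.20", "198.51.100.7", gw)),
        "quarantined_off_subnet_flagged": sw.routing_bypass(Frame(2, "192.0.2.20", "198.51.100.7", gw)),
        "compliant_host_not_flagged": not sw.routing_bypass(Frame(1, "192.0.2.10", "198.51.100.7", gw)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The filter is correct for what it inspects: a source address the DHCP server never issued on that port is dropped. The frame that slips through carries a legitimately assigned source address, so only a check that also remembers what routing parameters accompanied the lease can tell that the host is not using them.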