A quick summary on how DHCP quarantining works
When a standard DHCP client connects to a network, it sends a broadcast message requesting an IP address. In response, a listening DHCP server may dynamically allocate an IP address and assign it to the requesting client. The idea of quarantining devices is straightforward when the scope is restricted to DHCP clients only: temporarily assign the client an IP address that lies outside the range of your valid internal network blocks. For example, if your internal network is entirely within the 10.0.0.0/8 block, you could configure a special DHCP server to allocate addresses only from the 192.168.1.0/24 block. Devices receiving a 192.168.1.xxx address would, in theory, be unable to communicate with any services on the 10.0.0.0/8 block – hence quarantining each of them.

Without additional functionality, however, this solution is incomplete. A basic system needs two more pieces: a method to test or obtain information about connecting clients, and a method to assign each client a new IP address once the device is deemed acceptable. The test criteria may be as basic as checking the end-point device for open ports. If ports are open that are prohibited, the device remains quarantined; otherwise the device passes the policy checks and may receive a new, non-quarantined IP address. Here is a simplified diagram illustrating the flow:

DHCP quarantining works by dispensing IP addresses based on the state of the client. If you create a list of properties you want every device to exhibit before it is permitted to access network resources, you can turn that list into a policy used to verify client state. The DHCP server then becomes one component of a system that enforces the policies you create.
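One way to wire the two pools described above into a single DHCP server, as an added example that is not part of the original post: an ISC dhcpd configuration with a production subnet and a quarantine subnet on the same wire, where membership in an "approved" class decides which pool a client may draw from. The subnet addresses, the class name, the MAC address and the idea of an external policy checker appending `subclass` lines after a device passes its checks are all assumptions for this illustration.

```conf
# Clients whose hardware (MAC) address appears in this class have
# passed the policy check. The policy checker (assumed external
# process) appends one "subclass" line per approved device and then
# reloads dhcpd; the MAC below is a constructed placeholder.
class "approved" {
  match hardware;
}
subclass "approved" 1:00:11:22:33:44:55;

# Both subnets are served on the same physical segment, so they are
# grouped in one shared-network. dhcpd picks a pool by its allow/deny
# rules, not by which subnet the request arrived on.
shared-network quarantined-segment {

  # Production pool (assumed 10.0.1.0/24, inside the 10.0.0.0/8 block):
  # only approved clients may receive a lease here.
  subnet 10.0.1.0 netmask 255.255.255.0 {
    option routers 10.0.1.1;
    pool {
      allow members of "approved";
      range 10.0.1.100 10.0.1.200;
      default-lease-time 3600;
      max-lease-time 7200;
    }
  }

  # Quarantine pool (192.168.1.0/24 as in the post): everyone else.
  # Short leases matter here: a client keeps renewing its quarantine
  # address until the lease expires, so a short lease is what lets it
  # pick up a production address soon after being approved.
  subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    pool {
      deny members of "approved";
      range 192.168.1.100 192.168.1.200;
      default-lease-time 120;
      max-lease-time 120;
    }
  }
}
```

Note that this only controls which address is handed out; the quarantine network still needs filtering (router ACLs or no route at all toward 10.0.0.0/8) to actually block traffic, and a client that configures a static 10.x address bypasses the DHCP step entirely.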
In an upcoming blog I'll toss out several ways to circumvent DHCP quarantining "security".

