Designing Access Controls
Choose the Endpoint Integrity Deployment Method
The DHCP deployment is less secure because sophisticated users can circumvent the endpoint integrity checking. If users configure their endpoint with a valid static IP address (rather than relying on the DHCP server to provide an address), their endpoint will not be quarantined even if it fails endpoint integrity tests.
If your switch supports DHCP snooping and Address Resolution Protocol (ARP) protection, however, you can block traffic from users who configure their endpoint with a static IP address. For example, the ProCurve Switches 3500yl, 5400zl, and 6200yl support both features. If you enable DHCP snooping, these switches protect your network against DHCP attacks by creating a DHCP snooping table, which tracks:
■ MAC address
■ IP address
■ Lease time
■ Binding type
■ VLAN number
■ Interface information that corresponds to each DHCP lease through an untrusted port
The switches can then use this table to protect your network against attacks such as ARP poisoning and ARP snooping. When you enable ARP protection, the switches verify the
Table
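The check that ARP protection performs against the DHCP snooping table, modelled in Python as an added example (this is not ProCurve switch code). The table columns are the ones listed above; the MAC addresses, IP addresses, VLAN and port names are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping table: the fields the switch tracks."""
    mac: str
    ip: str
    lease_time: int      # seconds remaining; 0 for a static entry
    binding_type: str    # "dynamic" (learned from a DHCP lease) or "static"
    vlan: int
    port: str            # untrusted port the client sits behind

class SnoopingTable:
    def __init__(self):
        self._rows = {}  # keyed by (vlan, ip)

    def learn_lease(self, mac, ip, lease_time, vlan, port):
        """Record a lease seen on an untrusted port (DHCP ACK from a trusted server)."""
        self._rows[(vlan, ip)] = Binding(mac.lower(), ip, lease_time, "dynamic", vlan, port)

    def validate_arp(self, sender_mac, sender_ip, vlan, port, trusted_port=False):
        """ARP protection: allow the packet only if sender IP/MAC match a binding.
        Returns (allowed, reason)."""
        if trusted_port:
            return True, "trusted port: ARP not inspected"
        row = self._rows.get((vlan, sender_ip))
        if row is None:
            return False, "no binding for sender IP (static address, never leased)"
        if row.mac != sender_mac.lower():
            return False, "sender MAC differs from binding (ARP poisoning attempt)"
        if row.port != port:
            return False, "binding was learned on a different port"
        return True, "matches DHCP snooping binding"

def demo():
    """Constructed scenario: one leased host, one static-IP bypass, one spoofer."""
    table = SnoopingTable()
    table.learn_lease("00:11:22:33:44:55", "10.0.10.20", 3600, vlan=10, port="A3")
    return {
        "leased_host":  table.validate_arp("00:11:22:33:44:55", "10.0.10.20", 10, "A3"),
        "static_ip":    table.validate_arp("00:aa:bb:cc:dd:ee", "10.0.10.99", 10, "A4"),
        "poisoner":     table.validate_arp("00:de:ad:be:ef:00", "10.0.10.20", 10, "A5"),
        "uplink":       table.validate_arp("00:de:ad:be:ef:00", "10.0.10.1", 10, "A1", True),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'ALLOW' if ok else 'DROP ':5} {why}")
```

The static-IP host is dropped because it never obtained a lease, which is exactly the bypass the DHCP deployment method otherwise permits.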