Secure Your Network: Best Practices for Antamedia DHCP Server
1. Isolate DHCP service
- Place DHCP on a dedicated, non-domain host (e.g., separate VM or appliance) to reduce attack surface.
- Run DHCP only on the LAN interface used for clients; do not expose it to the Internet interface.
2. Prevent rogue DHCP servers
- Disable other DHCP services on the same subnet (router/AP DHCP, Windows ICS).
- Enable DHCP snooping on managed switches where available; configure trusted ports for Antamedia server.
- Use 802.1X or port-security to restrict which devices can connect and respond to DHCP requests.
3. Harden Antamedia/OpenDHCP configuration
- Set correct listen/interface in OpenDHCPServer/Antamedia DHCP settings so it binds only to the client NIC.
- Define precise IP pools and exclusions (exclude APs, infrastructure) to avoid conflicts.
- Shorten lease time for guest networks (e.g., 2–8 hours) and use longer leases for trusted/static devices.
- Reserve IPs for critical devices via static mappings rather than relying on DHCP-assigned addresses.
4. Secure name resolution and gateway settings
- Specify trusted DNS servers (ISP or public resolvers like 8.8.8.8) in DHCP options; avoid handing out attacker-controlled DNS.
- Set correct default gateway in DHCP to prevent gateway spoofing; ensure gateway is a trusted router/firewall.
5. Access control and authentication
- Limit admin UI access to a management VLAN or localhost; do not allow Configuration Manager from the visitor network or Internet.
- Use strong, unique admin passwords and change defaults.
- Create limited operator accounts for routine tasks rather than sharing the admin account.
6. Network segmentation
- Place guest/visitor clients on isolated VLANs with separate DHCP scopes; block lateral movement and limit access to internal resources.
- Use ACLs/firewall rules between VLANs; allow only necessary services.
7. Logging, monitoring & backups
- Enable and forward DHCP logs to a central syslog/SIEM for anomaly detection (rogue leases, spikes).
- Monitor lease usage and address exhaustion to detect floods or misconfigurations.
- Regularly back up Antamedia/ OpenDHCPServer configuration and static IP-MAC mapping files.
8. Patch management & least privilege
- Keep Antamedia software and underlying OS up to date with security patches.
- Run the DHCP service with least privilege (non-admin account/service) where supported.
9. Additional protective measures
- Implement MAC filtering or IP–MAC static mapping for high-security segments (note: MACs can be spoofed).
- Use DHCP option restrictions to avoid delivering unnecessary options that could be abused.
- If multiple subnets exist, use DHCP relay/bootp-relay on trusted routers rather than exposing DHCP across untrusted links.
10. Recovery & testing
- Document DHCP scope plans, exclusions, and reservations.
- Test failover and restoration procedures (restore config, reload leases) to minimize downtime if the DHCP server fails.
If you want, I can produce a concise checklist tailored to a small office, campus hotspot, or enterprise deployment.
Leave a Reply