Page tree

Contents


The NIOS appliance utilizes DHCP fingerprint detection to identify IPv4 and IPv6 mobile devices such as laptop computers, tablets and smart phones, on your network. Due to the broadcast and pervasive nature of DHCP, using DHCP fingerprint detection is an efficient way to perform system identification and inventory. You can use DHCP fingerprint detection to track devices on your network, block those that are not allowed (such as gaming consoles and home routers), and plan for future growth by accessing trending information such as the number of Apple iPhones versus that of Android phones.

When a remote DHCP client sends a DHCP REQUEST message, it includes a set of DHCP options, such as option 55 and 60. Option 55 contains an option number sequence the appliance uses to interpret the list of DHCP options that the client requests. The appliance returns the values of these requested options if the information is available.
Option 60 contains a value that indicates the device type of the requesting client. Information in option 55 or 60 is incorporated to form a unique identifier known as the DHCP fingerprint, which the appliance uses to identify the requesting client.
On an Infoblox appliance, DHCP fingerprint detection is enabled by default for all new installations. You can disable this feature at the Grid and member levels. For information, see Enabling and Disabling DHCP Fingerprint Detection. As illustrated in Figure 38.1, the appliance automatically matches option 55 and then option 60 in DHCP REQUEST messages against standard and custom DHCP fingerprints in the database. Once the appliance finds a match, it either grants or denies a lease to the requesting client based on the DHCP fingerprint filters that you apply to the DHCP range. For information about how to configure DHCP fingerprints, see Configuring DHCP Fingerprints. For information about how to define and apply DHCP fingerprint filters, see Defining DHCP Fingerprint Filters and Applying Filters to DHCP Objects. To obtain trending information about the top OSs (operating systems) or vendor IDs for remote clients, Infoblox provides a few reports from which you can extract data. For information about reports, see Infoblox Reporting and Analytics.
Figure 38.1 DHCP Fingerprint Detection

About DHCP Fingerprints

When a DHCP client sends a REQUEST message and includes DHCP option 55 (the parameter request list) and option 60 (the vendor identifier), it provides information about its OS and device type. The combination of the option sequence or vendor ID in option 55 or 60 is used to infer the OS and device type of the remote client. These parameters are then incorporated into a DHCP fingerprint that provides unique information about this client.
For example, the option number sequence for a Microsoft Windows XP system in option 55 can be one of the following:

1,15,3,6,44,46,47,31,33,249,43
1,15,3,6,44,46,47,31,33,249,43,252
1,15,3,6,44,46,47,31,33,249,43,252,12
15,3,6,44,46,47,31,33,249,43
15,3,6,44,46,47,31,33,249,43,252
28,2,3,15,6,12,44,47

The option number sequence for an Apple iPhone can be one of the following:

1,3,6,15,119,78,79,95,252
1,3,6,15,119,95,252,44,46,47

In addition, DHCP option 60 tracks vendor ID. This information can be very generic or quite specific. For example, the vendor ID MSFT 5.0 for a Microsoft Windows XP system and a Windows Vista system can be the same. For certain Cisco VoIP devices, the vendor ID can be Cisco Systems, Inc. IP Phone, which is very generic; or it can be Cisco Systems, Inc. IP Phone 7912, which is more specific. Depending on how specific the option number sequence and the vendor ID are, this information can form a unique identifier, the DHCP fingerprint, for a remote client.

Note

If you have enabled firewall, and if the corresponding firewall rules or policies are set to modify options 55 and 60 of the remote DHCP client to mask the identity of the client, then NIOS fingerprinting will not be able to fingerprint the clients.

This page has no comments.