Security Basics mailing list archives

RE: About War Driving ..
From: "Erick Jensen" <ejensen () vibrant com>
Date: Wed, 13 Dec 2006 15:44:32 -0600

The entire staff of the University of Minnesota is also run that way.
The students with wireless laptops are the only computers with DHCP
access.  The ports are bound to an IP and if you don't have it right,
you don't get access.

It is a pain, unless you have good documentation.  We had a nice
database to work from, so there were only a few isolated problems.  

It's do-able if you have the right setup from the ground up!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of FatalSaint
Sent: Wednesday, December 06, 2006 5:35 PM
To: Brian Loe
Cc: security-basics () securityfocus com
Subject: Re: About War Driving ..

I haven't been following this thread but I'm just wondering how big of
a network is being supported/discussed when discussing the turning off
of DHCP and managing the static IPs and static routes?

Not sure I follow.

Leaving DHCP open with no filtering and just randomly assigning addresses
makes auditing and tracking an admin's nightmare in incident response.
Whatever size network.

I run my own smaller networks with 15 or so on the LAN and less than 10
on the DMZ.

I've also worked with the largest Windows Active Directories in the
world (ADs that span from Hawaii to Maine in the US - and every state
in between); who also use Static IPs with Port Security on every LAN
Access jack.  If you plug the wrong IP or MAC into a network jack, it is
immediately disabled and the admins are notified (granted there is a
huge admin staff with separate divisions at each larger site with main
server banks in various locations).

My father was 1 of maybe 3 or 4 Systems administrators in a company with
about 300 users.

All of the above were static.  And when there were security incidents
there were logs and details and a place to start. When a user checks
in, they are assigned a PC, with a MAC and an IP and it is put inside
an encrypted log file.

I'm not saying I'm an expert here.. but so far in my experience I've
never seen an absolute need for DHCP that outweighs the risk of allowing
unauthorized PC's to get on your network.  At least make an intruder
work for it.

On 12/6/2006, "Brian Loe" <knobdy () gmail com> wrote:

I haven't been following this thread but I'm just wondering how big of
a network is being supported/discussed when discussing the turning off
of DHCP and managing the static IPs and static routes?

There's something to be said for simplicity and an admin with a light
work load when it comes to security...IMHO.

On 12/5/06, FatalSaint <admin () linuxniche com> wrote:
Ansgar -59cobalt- Wiechers wrote:

2) Disable DHCP if you have it running or


--Pointless, because the attacker can spoof a valid IP address.


Correct - tack on some time for him to find one.

