Home page logo

basics logo Security Basics mailing list archives

Re: Down with DHCP!!!!
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Fri, 17 Feb 2006 22:41:41 -0700 (MST)

Actually I supported a network of 2000 systems where the site required
static IPs.

1) your assumption about security is flawed.  People can easily take their
assigned desktop IP and either guess a second one (and hope it's not in
use) or unplug their assigned system and swap.

2) data integrity is an impossible target.  Without data integrity, you've
bought yourself nothing.  Getting technicians to keep up with data will
get lost to expediency of the immediate problem at hand, most often:

A better solution is to implement a switching infrastructure that can
handle mac-based port security.  It's not perfect, as MACs can be spoofed
by someone knowledgable.  However, you have your choices of ports that
auto-disable themselves -- which forces the user to contact IT and get
into trouble, block traffic only while an unauthorized MAC is on the port,
or you can set up a RADIUS server with a database of authorized MAC
addresses that allows your users to move equipment (but only that
equipment authorized by IT).

Static IP addresses are no more secure.  It's smoke and mirrors.

Just some thoughts after three years of dealing with the issue you're
wanting to tackle.


Bryan S. Sampsel

The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]