Home page logo

basics logo Security Basics mailing list archives

Re: Down with DHCP!!!!
From: Jason Healy <jhealy () logn net>
Date: Sat, 18 Feb 2006 18:27:33 -0500

On Feb 17, 2006, at 1:31 PM, gigabit () satx rr com wrote:
i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy.

You're describing features that are good to have on a network, but they don't really have anything to do with DHCP. DHCP is there to make your (the network admin's) life easier; turning it off will just make more work for you, without any real added security.

the security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus

If you're looking for compliance, you might be better off with a device that involves a scanning agent. I know there are a few open source products gearing up for this (PacketFence, Ungoliant, etc) and also existing commercial options from Cisco, Bradford (Campus Manager) and others. The latter products require an agent scan of a machine before it is allowed onto the network. The scan data can be entered into a database, helping with basic compliance and asset tracking.

1.  once a branch location is staticly addressed, we have a working
inventory of what is out there.

OK, but this has nothing to do with DHCP. In fact, you could easily enter MAC addresses into your inventory database, and dump that out into your DHCP server, so that it hands out long-lived IP addresses to known clients.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).

Um... can't they just manually configure their machine with an address that's on the subnet? While it won't be as simple as just plugging the device in and acquiring an address, it's not really going to stop anyone who wants to get on the network.

If non-auto-configuration is good enough for you, just set your DHCP server to disallow "unknown" clients, and they'll be just as locked out as they would be with pure manual assignment. As an added bonus, your DHCP server will log the failed attempts with their MAC address, so you can hunt down offenders.

3.  i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.

That addresses the security issue somewhat, but has nothing to do with DHCP. You could use this system with DHCP addresses as well (and, in fact, DHCP helps you with this, since it hands out addresses based on MAC address). Of course, there's always MAC spoofing... =)

You're right to want security on your network, but DHCP is not the evil you need to eliminate. If you're serious about preventing unauthorized access, you need to look at how to detect and/or prevent unauthorized access at the MAC level, and enforce policy there. DHCP is just a tool to help you from having to configure things by hand.


Jason Healy    |    jhealy () logn net    |   http://www.logn.net/

The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]