Home page logo

basics logo Security Basics mailing list archives

Re: Down with DHCP!!!!
From: Neil <neil () voidfx net>
Date: Sun, 19 Feb 2006 10:34:51 +0530

gigabit () satx rr com wrote:
ok, some background...

i have transfered from network engineering to the information security group for my company, which is mid-sized with about 2000 employees across 90 locations (financial).

the lessons learned from being in network engineering is that they are first and foremost concerned with maintaining the production environment. the management processes/procedures are completely disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with servers/routers/end users, i keep coming to the conclusion that it will be meaningless unless control can be taken over what the other department is doing (network engineering). the one commonality for all devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so as to force the building of a database that will hold all of the information needed to begin a comprehensive security policy. the security group would manage the database to ensure that we are collecting information (such as O/S, IOS version, anti-virus compliance...)

i realize this will incur more work for those poor souls that have to deploy hardware, but i believe the benefits out-weigh the costs. the benefits i see:

1. once a branch location is staticly addressed, we have a working inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which is already a policy---that isn't policed).

3. i can setup automated scripts that check MAC addresses to IP addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on token ring for god's sake, so i don't really see that much more workload.

Has anyone else dropped DHCP as a management/compliance decision?


Well, let me start by saying that dropping DHCP is a teeny tiny step towards making your network more secure: every device that can use DHCP probably has an option to put in manual IPs...so they pick one and assign it, and they're in all the same.

On the other hand, yes, with static IPs, you could assign various permissions by IP, which you couldn't do with DHCP if the addresses changed. Of course, assigning by IP is about as secure as assigning by hostname (in the sense that if someone could take down the original owner, they could step into that spot and get all associated permissions).

My suggestion would be to use DHCP with MAC-based reservations. This would be like static addresses, except that you could manage it centrally (allowing you to change an IP address if you had need for whatever reason), and gives you the convenience of DHCP for visitors or whatnot. You could also probably rig something to check every IP against its reservation, which would let you see if you had any intruders on the network whose computers automatically grabbed an IP (since everything is automatic these days...).

The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]