Home page logo
/

basics logo Security Basics mailing list archives

RE: Down with DHCP!!!!
From: Murad Talukdar <talukdar_m () subway com>
Date: Mon, 20 Feb 2006 09:11:54 +1000

That sounds like a big project to try and undertake and you're probably
right that the network guys will kick up a fuss.

The payoff between security and useability is highlighted all too well in
your case.

I guess you'd need to try and work out how often things do change at the
office-this could be the biggest stumbling block.

Clearing out old records (dns etc) can be a big problem even in a small
office--things like pings can come unstuck often if there are old records
hanging about so I'm not sure if you'll be chasing  old records more or less
in your proposed situation. (I'm guessing less).

Regards
Murad Talukdar

-----Original Message-----
From: gigabit () satx rr com [mailto:gigabit () satx rr com] 
Sent: Saturday, February 18, 2006 4:31 AM
To: security-basics () securityfocus com
Subject: Down with DHCP!!!!

ok, some background...

i have transfered from network engineering to the information security 
group for my company, which is mid-sized with about 2000 employees 
across 90 locations (financial).

the lessons learned from being in network engineering is that they are 
first and foremost concerned with maintaining the production 
environment.  the management processes/procedures are completely 
disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with 
servers/routers/end users, i keep coming to the conclusion that it will 
be meaningless unless control can be taken over what the other 
department is doing (network engineering).  the one commonality for all 
devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so 
as to force the building of a database that will hold all of the 
information needed to begin a comprehensive security policy.  the 
security group would manage the database to ensure that we are 
collecting information (such as O/S, IOS version, anti-virus 
compliance...)

i realize this will incur more work for those poor souls that have to 
deploy hardware, but i believe the benefits out-weigh the costs.  the 
benefits i see:

1.  once a branch location is staticly addressed, we have a working 
inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which 
is already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to IP 
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on 
token ring for god's sake, so i don't really see that much more 
workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault