Home page logo
/

basics logo Security Basics mailing list archives

RE: Down with DHCP!!!!
From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Mon, 20 Feb 2006 15:32:19 -0000

The idea of a database of hardware versus IP address is a good one as its a
first port of call when building an idea of what is going on in the network.


Surely however as opposed to manually configuring each device in situ a
better idea would be to control address assignment at the DHCP level -
perform address reservation and make the licences non-expiring. This way you
get the benefits of both approaches. As long as you ensure that the
available range is matched to the "known" list then you wont have the
problems of unauthorised devices getting an address.

cheers,

Andrew


-----Original Message-----
From: gigabit () satx rr com [mailto:gigabit () satx rr com] 
Sent: 17 February 2006 18:31
To: security-basics () securityfocus com
Subject: Down with DHCP!!!!

ok, some background...

i have transfered from network engineering to the information 
security group for my company, which is mid-sized with about 
2000 employees across 90 locations (financial).

the lessons learned from being in network engineering is that 
they are first and foremost concerned with maintaining the 
production environment.  the management processes/procedures 
are completely disregarded if it is deemed necessary to "get 
something done".

as i try to build out a security plan for how to deal with 
servers/routers/end users, i keep coming to the conclusion 
that it will be meaningless unless control can be taken over 
what the other department is doing (network engineering).  
the one commonality for all devices on the network is that 
they have an IP address.

i would like to propose to management that dhcp should be 
disabled, so as to force the building of a database that will 
hold all of the information needed to begin a comprehensive 
security policy.  the security group would manage the 
database to ensure that we are collecting information (such 
as O/S, IOS version, anti-virus
compliance...)

i realize this will incur more work for those poor souls that 
have to deploy hardware, but i believe the benefits out-weigh 
the costs.  the benefits i see:

1.  once a branch location is staticly addressed, we have a 
working inventory of what is out there.

2.  a more secure environment.  no longer can users bring in 
non- company owned devices and place them on our production 
network (which is already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to 
IP addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are 
still on token ring for god's sake, so i don't really see 
that much more workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.

--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
The Norwich University program offers unparalleled Infosec 
management education and the case study affords you unmatched 
consulting experience. 
Tailor your education to your own professional goals with 
degree customizations including Emergency Management, 
Business Continuity Planning, Computer Emergency Response 
Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------






---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]