Home page logo

basics logo Security Basics mailing list archives

Re: Down with DHCP!!!!
From: tagrrr () gmail com
Date: 20 Feb 2006 18:49:35 -0000

Hey there,
First of all, I applaud your effort and motivation to bring additional security to your networks. You are definitely 
taking a huge leap in the right direction as far as thinking outside the box for innovative ideas and not settling for 
status quo. However, with that said, I think that disabling DHCP will not be the best thing to do for a few reasons:

1.      Managing static address pools is a nightmare, unless you have a full-time resource to do it. I remember “the 
old days,” and that is a fire that can easily out of control. It leads to people forgetting to tell you when they used 
one, etc, etc, and before you know it your inventory is useless.  
2.      You will become the enemy of your network team. If they have an extra step to take, and always have to come to 
you for an address (or have to tell you each time they use one,) that will get old quick and you don’t want to loose 
your friends on the network side.
3.      Even with your best efforts, assigning static addresses will not insure that someone who knows what they are 
doing cannot figure out your addressing scheme and assign themselves an open address. Yes, you can control this through 
strict ACLs that only allow the addresses that you assigned to help, but that is even more management on your part.
4.      What about some of the benefits that you will be loosing from your DHCP services? What if you want to assign a 
new IP addresses for your DNS server for example, it may get as bad as you having to go manually change every entry. 
Additionally, you will loose some flexibility in the logging capabilities that can help in forensic cases. If you set 
up your environment right, you should be able to match a login name with an assigned IP, which helps a lot in 
environments where people roam around a lot. This also helps in tracking down systems with viruses, etc to poll your 
DHCP server to see exactly who has that IP address, whereas a static address list that is out of date may seriously 
hurt you.

These are just a few of the random things to think about when looking at changing from a DHCP environment to a static 
one. I have been on both sides of the fence in my career, and hands-down prefer the DHCP method. Another thing to think 
about would be looking at securing your DHCP services more, have you looked at general best practices, or perhaps what 
companies like Metainfo are doing in the Secure DHCP market? For instance, I know that a lot of vendors are 
specifically harnessing DHCP to assist with NAC implementations, which will take care of those AV/Patch levels and 
those users who bring in their home PC to plug into the network. 

Anyways, I will stop rambling on, that is just my .02 though. The bottom line once again though is that you look to be 
on the right track of becoming an extremely valuable security professional. Don’t ever stop thinking of new and 
innovative ways to increase security.

The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]