Security Basics mailing list archives

Re: Down with DHCP!!!!
From: gigabit () satx rr com
Date: Wed, 22 Feb 2006 09:58:08 -0600

Thanks for all of your responses....most were thoughtful and 
considered.  Here are some issues/concerns addressed by some of you and 
my responses:  (the quotes are for effect, and not totally accurate)

1.  "You are trying to use DHCP to fix a management problem".

Absolutely!  I'm trying to bridge the gap between policy and actual 
implementation.  We already have policies, but they are not enforced 
and do not reflect the actual production environment.  Having a 
centralized method to track every thing that is added to the network 
then allows for the beginnings of security.  For the InfoSecurity office 
to work, it must be made aware of new items added to the network; this 
is a process that forces anything to go through InfoSecurity right from 
the start.

2.  "What you are proposing is un-manageable, you will be the 
bottleneck for everyone"

Two things.  As I have stated in my original post, my environment does 
not change very often (still have token ring at some locations).  
Secondly I didn't elaborate on my master plan for implementation.  
I want to get the Lotus Notes guys to help me build my database so that 
it is web-enabled.  You are a PC tech about to deploy a PC, you go to 
ip.company.com (internal, secure website).  You follow some drop down 
menus to choose region, location, floor to get the next IP address.  
You fill out the required information (user, inventory number, OS, 
virus.....)  Through the magic of work-flow, your taking of an IP 
address triggers an email to the security office, who then reviews and 
audits what has happened (probably a weekly process).  The PC tech that 
is not complying with the information gathering request or is not 
accurate in the information produced gets some form of remediation.

3.  "Someone with basic knowledge will pick the next address, and cause 
an IP conflict"

Once the system is in place, I will have the ability to then track what 
is happening at the branch locations, to include the presence of a new 
un-assigned IP address.  My plan to do this is using automated scripts 
that pull information from branch routers that can then look for 
anomalies.  Once the conversion happens at a branch, I establish my 
baseline mapping MACs to IPs and compare daily/hourly/weekly scripts 
against that baseline.  If an IP conflict does happen and my stuff 
doesn't catch it, it will generate a help desk call which will lead to 
the identification of the problem and some form of remediation for the 
user who caused the problem.  (Something they were not supposed to be 
doing due to existing policies).

4.  "What you are doing is worthless, MAC spoofing gets around it"

I understand that this does not solve the MAC spoofing problem.  Some 
day I hope to implement 802.1x port based authentication, but that 
requires hardware that I don't have right now.  I do believe that MAC 
spoofing is a more advanced concept and most users would make the leap 
that using such tools is in serious violation of our "computing 
policies".  My plan will allow me to target the people that bring in 
equipment to bypass our system security settings and people who allow 
un-authorized guest connections to our internal LAN. 

5.  "You're gonna screw yourself if you have to make DNS/Gateway changes"

I have difficulty seeing how this is a problem for two reasons.  First 
we have redundant DNS servers, and if one dies the IP will remain while 
the server gets rebuilt.  Secondly, once we have accounted for all the 
PCs at a branch, we can proceed with installing our remote management 
agent which will allow us to change whatever has to change remotely.  
We also have the ability to alter system settings via login scripts if 
needed.  Interestingly, the other person to support my idea is the guy 
in charge of client PC computing.  His department will have to deal 
with the brunt of the work to make this happen, but he sees the benefit 
of having a thorough account of what is out there.

I think I have to stress that what I am proposing is more a way to 
force the integration of the InfoSecurity office to the Network 
Engineering and Client support offices.  The separation of powers of 
these offices makes sense, but truth be told the security office is the 
only one that has mapped out procedures and actually has the 
consistency checks in place to be accountable.  However much work has 
to happen initially, I really think this process will make a difference 
in our overall security/management plan.

thanks again for all your responses.
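The baseline comparison described in point 3, written out as an added example (this is not the poster's own script): it parses router ARP output in Cisco IOS "show ip arp" style, compares the observed IP-to-MAC pairs with the mapping recorded when the branch was converted, and flags addresses in use that were never issued, assigned addresses whose MAC changed since the baseline (a candidate conflict or a swapped machine), and assigned addresses not currently seen. The sample output, the baseline values, and the function names are constructed assumptions, not data from any real network.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Cisco IOS "show ip arp" layout (assumption: not a
# real capture). In practice this text would be pulled from the branch router.
SAMPLE_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.0001  ARPA   Vlan10
Internet  10.10.1.20              3   0011.2233.0020  ARPA   Vlan10
Internet  10.10.1.21             12   0011.2233.0021  ARPA   Vlan10
Internet  10.10.1.22              0   0011.2233.0099  ARPA   Vlan10
Internet  10.10.1.77              1   0011.2233.0077  ARPA   Vlan10
Internet  10.10.1.90              0   Incomplete      ARPA
"""

# Constructed baseline: IP -> MAC as recorded in the IP database when the
# branch was converted to static addressing (assumption).
BASELINE = {
    "10.10.1.1": "0011.2233.0001",
    "10.10.1.20": "0011.2233.0020",
    "10.10.1.21": "0011.2233.0021",
    "10.10.1.22": "0011.2233.0022",
    "10.10.1.30": "0011.2233.0030",
}

# One resolved ARP entry: "Internet <ip> <age|-> <xxxx.xxxx.xxxx> ARPA <iface>".
# "Incomplete" entries (unresolved ARP requests) do not match and are skipped.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:\d+|-)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def parse_arp_table(text):
    """Return {ip: mac} from IOS-style ARP output; header and unknown lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


@dataclass
class Findings:
    unassigned_ips: list = field(default_factory=list)  # (ip, mac): in use, never issued
    mac_changed: list = field(default_factory=list)     # (ip, baseline_mac, seen_mac)
    missing_ips: list = field(default_factory=list)     # assigned but not seen right now


def compare_to_baseline(observed, baseline):
    """Diff the live ARP table against the recorded mapping and collect anomalies."""
    f = Findings()
    for ip, mac in sorted(observed.items()):
        if ip not in baseline:
            f.unassigned_ips.append((ip, mac))
        elif baseline[ip] != mac:
            f.mac_changed.append((ip, baseline[ip], mac))
    for ip in sorted(baseline):
        if ip not in observed:
            f.missing_ips.append(ip)
    return f


def report(findings):
    """Render findings as plain lines suitable for the weekly review email."""
    lines = []
    for ip, mac in findings.unassigned_ips:
        lines.append(f"UNASSIGNED  {ip} is active with MAC {mac} but was never issued")
    for ip, old, new in findings.mac_changed:
        lines.append(f"MAC-CHANGED {ip} baseline {old}, now {new} (conflict or swapped machine?)")
    for ip in findings.missing_ips:
        lines.append(f"NOT-SEEN    {ip} is assigned but absent from the ARP table")
    return lines


if __name__ == "__main__":
    result = compare_to_baseline(parse_arp_table(SAMPLE_ARP_OUTPUT), BASELINE)
    print("\n".join(report(result)) or "no anomalies")
```

Two things to keep in mind when running something like this against a real branch: ARP entries age out, so a "NOT-SEEN" address usually just means a powered-off PC and is informational, and a changed MAC can be a legitimate hardware replacement that never got recorded, so the findings are best routed to the review step the post describes rather than acted on automatically.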
