mailing list archives
Re: Down with DHCP!!!!
From: gigabit () satx rr com
Date: Wed, 22 Feb 2006 09:58:08 -0600
Thanks for all of your responses....most were thoughtful and
considered. Here are some issues/concerns addressed by some of you and
my responses: (the quotes are for effect, and not totally accurate)
1. "You are trying to use DHCP to fix a management problem".
Absolutely! I'm trying to bridge the gap between policy and actual
implementation. We already have policies, but they are not enforced
and do not reflect the actual production environment. Having a
centralized method to track everything that is added to the network
then allows for the beginnings of security. For the InfoSecurity office
to work, it must be made aware of new items added to the network, this
is a process that forces anything to go through InfoSecurity right from
2. "What you are proposing is un-manageable, you will be the
bottleneck for everyone"
Two things. As I have stated in my original post, my environment does
not change very often (still have tokenring at some locations).
Secondly I didn't elaborate on my master plan for implementation.
I want to get the Lotus Notes guys to help me build my database so that
it is web-enabled. You are a PC tech about to deploy a PC, you go to
ip.company.com (internal, secure website). You follow some drop down
menus to choose region, location, floor to get the next IP address.
You fill out the required information (user, inventory number, OS,
virus.....) Through the magic of work-flow, your taking of an IP
address triggers an email to the security office, who then review and
audits what has happened (probably a weekly process). The PC tech that
is not complying with the information gathering request or is not
accurate in the information produced gets some form of remediation.
3. "Someone with basic knowledge will pick the next address, and cause
an IP conflict"
Once the system is in place, I will have the ability to then track what
is happening at the branch locations, to include the presence of a new
un-assigned IP address. My plan to do this is using automated scripts
that pull information from branch routers that can then look for
anomalies. Once the conversion happens at a branch, I establish my
baseline mapping MACs to IPs and compare daily/hourly/weekly scripts
against that baseline. If an IP conflict does happen and my stuff
doesn't catch it, it will generate a help desk call which will lead to
the identification of the problem and some form of remediation for the
user who caused the problem. (Something they were not supposed to be
doing due to existing policies).
4. "What you are doing is worthless, MAC spoofing gets around it"
I understand that this does not solve the MAC spoofing problem. Some
day I hope to implement 802.1x port based authentication, but that
requires hardware that I don't have right now. I do believe that MAC
spoofing is a more advanced concept and most users would make the leap
that using such tools is in serious violation of our "computing
polcies". My plan will allow me to target the people that bring in
equipment to by-pass our system security settings and people who allow
un-authorized guest connections to our internal LAN.
5. "Your gonna screw yourself if you have to make DNS/Gateway changes
I have difficulty seeing how this is a problem for two reasons. First
we have redundant DNS servers, and if one dies the IP will remain while
the server gets rebuilt. Secondly, once we have accounted for all the
PCs at a branch, we can proceed with installing our remote management
agent which will allow us to change whatever has to change remotely.
We also have the ability to alter system settings via login scripts if
needed. Interestingly, the other person to support my idea is the guy
in charge of client PC computing. His department will have to deal
with the brunt of the work to make this happen, but he sees the benefit
of having a thorough account of what is out there.
I think I have to stress that what I am proposing is more a way to
force the integration of the InfoSecurity office to the Network
Engineering and Client support offices. The separation of powers of
these offices makes sense, but truth be told the security office is the
only one that has mapped out procedures and actually has the
consistency checks in place to be accountable. However much work has
to happen initially, I really think this process will make a difference
in our overall security/management plan.
thanks again for all your responses.
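The baseline-and-compare idea in point 3 of the post (pull the ARP table from a branch router, record the MAC-to-IP mapping once the branch is converted, then diff later pulls against it) is easy to sketch in code. The following is an added example by the editor, not the author's scripts: it parses a constructed Cisco IOS-style "show ip arp" snapshot, compares it against a constructed baseline of the addresses the registration database handed out, and reports three kinds of anomalies. The ARP text, the addresses and the MACs are all made up for the example; how the snapshot is collected (SNMP, SSH, syslog) is outside the block.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what a Cisco IOS "show ip arp" might print at a
# branch router. Every address and MAC here is invented for this example.
SAMPLE_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.1               -   0011.2233.4455  ARPA   Vlan1
Internet  10.20.1.10             12   0050.56aa.0001  ARPA   Vlan1
Internet  10.20.1.11              3   0050.56aa.0002  ARPA   Vlan1
Internet  10.20.1.12              0   0050.56aa.00ff  ARPA   Vlan1
Internet  10.20.1.50              5   0800.27bb.1234  ARPA   Vlan1
Internet  10.20.1.60              0   Incomplete      ARPA
"""

# Constructed baseline: IP -> MAC as recorded when each address was taken
# through the (hypothetical) registration database.
BASELINE = {
    "10.20.1.1": "0011.2233.4455",   # the router itself
    "10.20.1.10": "0050.56aa.0001",
    "10.20.1.11": "0050.56aa.0002",
    "10.20.1.12": "0050.56aa.0003",  # registered PC; a different MAC answers now
    "10.20.1.20": "0050.56aa.0004",  # registered, absent from this snapshot
}

# One complete IOS ARP entry. Lines with "Incomplete" in the hardware-address
# column never match, so unresolved entries are skipped on purpose.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def parse_arp_table(text):
    """Return {ip: mac} (MACs lower-cased) from IOS-style 'show ip arp' output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            seen[m.group("ip")] = m.group("mac").lower()
    return seen


@dataclass
class Findings:
    unregistered: dict = field(default_factory=dict)  # ip -> mac, never handed out
    mac_changed: dict = field(default_factory=dict)   # ip -> (expected, observed)
    not_seen: list = field(default_factory=list)      # registered ips with no ARP entry


def compare_to_baseline(observed, baseline):
    """Diff an ARP snapshot against the registration baseline."""
    f = Findings()
    for ip, mac in observed.items():
        expected = baseline.get(ip)
        if expected is None:
            # Address in use that was never taken through the database:
            # a self-assigned IP or an unauthorised device.
            f.unregistered[ip] = mac
        elif expected.lower() != mac:
            # Known address, unexpected hardware: either an IP conflict
            # (someone picked an address that was already assigned) or the
            # registered machine was swapped for another one.
            f.mac_changed[ip] = (expected.lower(), mac)
    # ARP caches only hold hosts that have recently talked through the
    # router, so this list is "not observed", not proof the PC is gone.
    f.not_seen = sorted(ip for ip in baseline if ip not in observed)
    return f


def report(findings):
    """Human-readable summary, e.g. for the weekly review e-mail."""
    lines = []
    for ip, mac in sorted(findings.unregistered.items()):
        lines.append(f"UNREGISTERED  {ip:<15} {mac}")
    for ip, (exp, obs) in sorted(findings.mac_changed.items()):
        lines.append(f"MAC CHANGED   {ip:<15} expected {exp}, saw {obs}")
    for ip in findings.not_seen:
        lines.append(f"NOT SEEN      {ip:<15} (no ARP entry in this snapshot)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_to_baseline(parse_arp_table(SAMPLE_ARP_OUTPUT), BASELINE)))
```

Run against the constructed data, the script flags 10.20.1.50 as unregistered, 10.20.1.12 as answering from a MAC other than the one on file, and 10.20.1.20 as registered but not observed. The first two are the cases the post wants to catch; the third is only informational, because a single ARP snapshot misses any host that has been quiet longer than the router's ARP timeout, which is why the post talks about running the comparison on a schedule rather than once. As the post itself concedes in point 4, none of this detects a host that spoofs the MAC recorded in the baseline.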