Home page logo

basics logo Security Basics mailing list archives

Re: Down with DHCP!!!!
From: "Brian Loe" <knobdy () gmail com>
Date: Wed, 22 Feb 2006 19:39:10 -0600

On 2/22/06, gigabit () satx rr com <gigabit () satx rr com> wrote:

1.  "You are trying to use DHCP to fix a management problem".

Absolutely!  I'm trying to bridge the gap between policy and actual
implementation.  We already have policies, but they are not enforced
and do not reflect the actual production environment.

If MANAGEMENT can not or will not enforce policies already in place,
how does your project change that? So you've added several layers of
difficulty to adding a machine or device to the network by a trusted
IT employee, but you've provided no more enforcement than you have

Having a centralized method to track every thing that is added to the network
then allows for the beginings of security.  For the InfoSecurity office
to work, it must be made aware of new items added to the network, this
is a process that forces anything to go through InfoSecurity right from
the start.

This isn't true, but I'll explain where you show why it isn't true below...

2.  "What you are proposing is un-manageable, you will be the
bottleneck for everyone"
Two things.  As I have stated in my original post, my enviroment does
not change very often (still have tokenring at some locations).
Secondly I didn't elaborate on my master plan for implementation.
I want to get the Lotus Notes guys to help me build my database so that
it is web-enabled.  You are a PC tech about to deploy a PC, you go to
ip.company.com (internal, secure website).  You follow some drop down
menus to choose region, location, floor to get the next IP address.
You fill out the required information (user, inventory number, OS,

So a human, that now UNtrusted IT employee is telling you what he's
adding to the network, and based on that he's going to get an IP
address...the disconnect there is obvious.

Through the magic of work-flow, your taking of an IP
address triggers an email to the security office, who then review and
audits what has happened (probably a weekly process).

So a week goes by before anyone even cares what has been added to the
network. You've already implied that you don't trust your IT
employees, but now you're going to trust them enough to add anything
they want to the network - for a week at least. Boy, if I just handed
in my two week notice, and this is my last week, and I've already
figured out your audit schedule...you're hosed.

The PC tech that
is not complying with the information gathering request or is not
accurate in the information produced gets some form of remediation.

Or he fat fingured something and has to remember that he fat fingured
something a week ago to save his job...

 If an IP conflict does happen and my stuff
doesn't catch it, it will generate a help desk call which will lead to
the identification of the problem and some form of remediation for the
user who caused the problem.  (Something they were not supposed to be
doing due to existing policies).

Duplicate IPs will cause a problem before you find out about it.
Besides which, no one mentioned IP conflicts, they were talking about
someone simply picking the next available IP. They'll have access as
soon as that happens.

4.  "What you are doing is worthless, MAC spoofing gets around it"

I understand that this does not solve the MAC spoofing problem.  Some
day I hope to implement 802.1x port based authentication, but that
requires hardware that I don't have right now.  I do believe that MAC
spoofing is a more advanced concept and most users would make the leap
that using such tools is in serious violation of our "computing
polcies".  My plan will allow me to target the people that bring in
equipment to by-pass our system security settings and people who allow
un-authorized guest connections to our internal LAN.

So who are you protecting yourself from in the first place? Most users
don't know enough to cause a problem with your CURRENT policies and
lack of enforcement - so THEY are not the ones you're hardening

Interestingly, the other person to support my idea is the guy
in charge of client PC computing.  His department will have to deal
with the brunt of the work to make this happen, but he sees the benefit
of having a thorough account of what is out there.

That's not intersting, he's the one charged with policy enforcement
and he's not doing it. You're selling him something with the marketing
spin that it will enforce policies, he's dumb enough to believe it.
Typical manager, ain't it?

I appreciate your wanting to get "control" of the environment, but
that's not really your job - unless your security department is far
different than any other I've been involved with (and worked). You are
trying to put a square block through the round peg. If policies not
being enforced is the problem, then the fix is enforcing the policies.
The idea you have isn't wrong, just wrong minded. You have to consider
how much you are spending vs. the amount of security you are getting.
From what you have detailed here you're essentially "getting by"
without port security (maybe you need to save up for that technology?)
and implementing what is essentially an overwraught inventory system -
one that would be better implemented with a real product (several
available - Intuit has one even)... if you look hard enough you might
even find the company already owns one (Enterprice AV perhaps; MS

Lastly, if your switches are so old, how secure can they be? Are they
devices with a million known exploits, with no updates - or support -
available anymore? If so, put some trust back in your coworkers and
spend the money and time on upgrading your network infrastructure.

The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]