Security Basics mailing list archives
RE: Down with DHCP!!!!
From: "Michael J. Benedetto" <mbenedetto () amnh org>
Date: Thu, 23 Feb 2006 11:32:48 -0500
Mostly what I see from your original post and subsequent response to the critiques that followed is that you have already made up your mind as to what you want to do, but decided to post to the list for validation (which for the most part you did not get).

Your heavy-handed approach will gain you nothing but disdain from the Network Engineering folks. One of your first proposals is to take away a tool (DHCP) that they see as critical and produce in its place a draconian, and frankly unmanageable, framework that will add more work to them and get you very little in return. You seem not to trust the Network group now, but yet your new system requires you to trust them with providing you correct information. Oh sure, you'll audit them (perhaps weekly) but a lot of damage can be done before you even get around to looking at what they entered. Your new system will cause them to find every way possible to circumvent you (I can guarantee this), if for no other reason than to spite you.

If your policies are not being met, then first review the policies to make sure they are even reasonable. More often than not I have seen information security plans and policies that are too extreme and unworkable from the outset (usually written by overzealous and new InfoSec guys). If the policies are reasonable, then work with the Network guys and PC support staff and management on a plan to put reasonable procedures and policies in place to bring everyone into compliance gradually. Work WITH your colleagues rather than AGAINST them if you want their cooperation. Make them part of the solution, not enemies of it.

There is an old story that if you want to cook a live frog, you should put them in cool comfortable water and gradually turn up the heat. Before you know it the frog will be perfectly cooked just the way you want them and never know what happened. If you try to throw a live frog into already boiling water they will do everything they can to escape.

Take away the tools your Network staff needs to work and they will try to hop right out of the pot of boiling water you have created for them. We've suggested dozens of ways to accomplish what you want to accomplish without making your colleagues the enemy. Choose whichever way you want to go, just don't say we didn't warn you.

-Mike
