RE: Down with DHCP!!!!

["Makousky, Steve C" <SMAKOUS1 () Fairview org>]

What about just opting for Authenticated DHCP.
New user machines coming on the wire would have to register their MAC
address with a central database (there are products out there that do
this) they would then be given an address.
Server should probably not be using DHCP, unless it static, and even
then I would argue against it.

Hard coding each user box with an IP may be a hard sell....But I hear
what you are saying. 

-----Original Message-----
From: gigabit () satx rr com [mailto:gigabit () satx rr com] 
Sent: Friday, February 17, 2006 12:31 PM
To: security-basics () securityfocus com
Subject: Down with DHCP!!!!

ok, some background...

i have transfered from network engineering to the information security
group for my company, which is mid-sized with about 2000 employees
across 90 locations (financial).

the lessons learned from being in network engineering is that they are
first and foremost concerned with maintaining the production
environment.  the management processes/procedures are completely
disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with
servers/routers/end users, i keep coming to the conclusion that it will
be meaningless unless control can be taken over what the other
department is doing (network engineering).  the one commonality for all
devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy.  the
security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)

i realize this will incur more work for those poor souls that have to
deploy hardware, but i believe the benefits out-weigh the costs.  the
benefits i see:

1.  once a branch location is staticly addressed, we have a working
inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which is
already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on token
ring for god's sake, so i don't really see that much more workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------