Re: Down with DHCP!!!!

[alwork () alsutton com]

I've previously worked in environments that disabled DHCP and all that
happened was that techies went to their windows desktop, found out it's IP
using ipconfig, unplugged the network cable from it, and plugged it into
their own equipment which they then configured with the correct IP
address. MAC addresses can also be "configured" on many operating systems,
so event ARP checking isn't a guarantee that machine you've got on your
net is the correct one.

Another point to note is that DHCP doesn't inherantly mean that you're
assigning any IP address from a range to each machines. You can use DHCP
to issue the a fixed address to a machine so that every time the machine
renews its DHCP lease it gets the same IP address.

My advice would be as follows;

1) Put MAC address filtering on your routers. This will reduce the chances
of non-authorised equipment being attached to the network. You may have
users who know how to change the MAC address their network card presents,
but if they have that kind of knowlege you should probably already know
them and have worked out if they represent a risk to the security of your
network.

2) Leave DHCP enabled. The centralised management interface of DHCP
servers gives you two big advantages over setting the IP connection
information for each machine;
a) It is far easier to monitor which machines have which IP addresses and
create temporary rules for users who visit many offices than having a
spreadsheet or database that may become out of date.
b) If you need to change some part of your infrastructure (such as default
route and/or DNS servers due to equipment failure), it will be far less
painful to do it via DHCP than requiring techies to visit each desktop.

3) Use statically assigned IP addresses in your DHCP server. This will
give you the easy IP to physical box tracking that you want.

Hope this is useful,

Al.
---
Al Sutton
Argosy TelCrest
www.argosytelcrest.com


> ok, some background...
>
> i have transfered from network engineering to the information security
> group for my company, which is mid-sized with about 2000 employees
> across 90 locations (financial).
>
> the lessons learned from being in network engineering is that they are
> first and foremost concerned with maintaining the production
> environment.  the management processes/procedures are completely
> disregarded if it is deemed necessary to "get something done".
>
> as i try to build out a security plan for how to deal with
> servers/routers/end users, i keep coming to the conclusion that it will
> be meaningless unless control can be taken over what the other
> department is doing (network engineering).  the one commonality for all
> devices on the network is that they have an IP address.
>
> i would like to propose to management that dhcp should be disabled, so
> as to force the building of a database that will hold all of the
> information needed to begin a comprehensive security policy.  the
> security group would manage the database to ensure that we are
> collecting information (such as O/S, IOS version, anti-virus
> compliance...)
>
> i realize this will incur more work for those poor souls that have to
> deploy hardware, but i believe the benefits out-weigh the costs.  the
> benefits i see:
>
> 1.  once a branch location is staticly addressed, we have a working
> inventory of what is out there.
>
> 2.  a more secure environment.  no longer can users bring in non-
> company owned devices and place them on our production network (which
> is already a policy---that isn't policed).
>
> 3.  i can setup automated scripts that check MAC addresses to IP
> addresses on the router ARP tables to check for spoofing.
>
> our branch locations don't change very often.....some are still on
> token ring for god's sake, so i don't really see that much more
> workload.
>
> Has anyone else dropped DHCP as a management/compliance decision?
>
> thanks.
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------