Security Basics mailing list archives
Re: Down with DHCP!!!!
From: Ruben Vanhoutte <ruben.vanhoutte () x-tremewebhosting net>
Date: Sun, 19 Feb 2006 14:03:54 +0100
Hi,I don't think switching off dhcp is the sollution... If you want to know the hardware, why not just switch to static dhcp? So that if a client wants to connect to the network, his MAC should be known by the dhcp server, and thus always gets the same IP. I new hardware is to be deployed, the hardware team just has to notify network engineers, so they can add the new MAC to the dhcp table, and it's done... Switching off dhcp mught lead to duplicate ip addresses, and the hardware team can do what they want with the ip's, ...
imho switching to static dhcp is the best sollution.. Kind Regards Ruben Vanhoutte Systems Admin X-Treme Webhosting Zakske 10 8000 Brugge Belgium Fortis 001-3688345-93 Btw: BE 518.853.394HR: 95181
http://www.xwh.be ****************************************************************************************The information contained in this message or any of its attachments may be confidential and is intended for the exclusive use of the addressee(s). Any disclosure, reproduction,
distribution or other dissemination or use of this communication is strictly prohibited without the express permission of the sender. Visibility email is for business use only. ***************************************************************************************** gigabit () satx rr com wrote:
ok, some background...i have transfered from network engineering to the information security group for my company, which is mid-sized with about 2000 employees across 90 locations (financial).the lessons learned from being in network engineering is that they are first and foremost concerned with maintaining the production environment. the management processes/procedures are completely disregarded if it is deemed necessary to "get something done".as i try to build out a security plan for how to deal with servers/routers/end users, i keep coming to the conclusion that it will be meaningless unless control can be taken over what the other department is doing (network engineering). the one commonality for all devices on the network is that they have an IP address.i would like to propose to management that dhcp should be disabled, so as to force the building of a database that will hold all of the information needed to begin a comprehensive security policy. the security group would manage the database to ensure that we are collecting information (such as O/S, IOS version, anti-virus compliance...)i realize this will incur more work for those poor souls that have to deploy hardware, but i believe the benefits out-weigh the costs. the benefits i see:1. once a branch location is staticly addressed, we have a working inventory of what is out there.2. a more secure environment. no longer can users bring in non-company owned devices and place them on our production network (which is already a policy---that isn't policed).3. i can setup automated scripts that check MAC addresses to IP addresses on the router ARP tables to check for spoofing.our branch locations don't change very often.....some are still on token ring for god's sake, so i don't really see that much more workload.Has anyone else dropped DHCP as a management/compliance decision? thanks. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Down with DHCP!!!!, (continued)
- Re: Down with DHCP!!!! Kenton Smith (Feb 21)
- RE: Down with DHCP!!!! Steve Fletcher (Feb 21)
- Re: Down with DHCP!!!! Bryan S. Sampsel (Feb 21)
- Re: Down with DHCP!!!! alwork (Feb 21)
- Re: Down with DHCP!!!! Gunnar Wolf (Feb 21)
- Re: Down with DHCP!!!! Paul Halliday (Feb 21)
- Re: Down with DHCP!!!! Jason Healy (Feb 21)
- Re: Down with DHCP!!!! Neil (Feb 21)
- Re: Down with DHCP!!!! Andreas Hell (Feb 22)
- Re: Down with DHCP!!!! Gunnar Wolf (Feb 27)
- Re: Down with DHCP!!!! Andreas Hell (Feb 22)
- Re: Down with DHCP!!!! Ruben Vanhoutte (Feb 21)
- Re: Down with DHCP!!!! Manuel Sousa (Feb 21)
- RE: Down with DHCP!!!! Murad Talukdar (Feb 21)
- Re: Down with DHCP!!!! Kurt Reimer (Feb 21)
- RE: Down with DHCP!!!! Andrew Aris (Feb 21)
- Re: Down with DHCP!!!! tandernam (Feb 22)
- Re: Down with DHCP!!!! Chris Barber (Feb 24)
- RE: Down with DHCP!!!! Makousky, Steve C (Feb 21)
- Re: Down with DHCP!!!! robjohn (Feb 21)
- Re: Down with DHCP!!!! Y0 (Feb 21)
- RE: Down with DHCP!!!! Michael J. Benedetto (Feb 21)
(Thread continues...)