Security Basics mailing list archives
Re: Down with DHCP!!!!
From: jalvare7 () cajastur es
Date: Tue, 21 Feb 2006 12:52:08 +0100
I see the rationale in what Bryan sayis, but I believe that any kind of information that we can gather is valuable for security control purpouses and I've always found that there's a face on which static network addressing brings in some security, and this is when applying monitoring, IDS, log reviews and SEM. Without a correspondence between the security events and the systems they came from, you are really looking at smoke, i.e. not seeing anything. It all comes down to how much assurance we can get about the correspondence between a system and the IP address it uses, and what's more, the user behind them. Even without a near-perfect solution until 802.1x can be implemented, to link the user identity to the network profile of the desktop, there are still quite many things that can be done to get enough assurance of it to allow for every day monitoring and forensic audit purpouses. I'de recommend 802.1x, but I know first hand that it's implementation on a LAN environment is bogged with difficulties at this point in time, so probably the nearest we can expect to get nowadays are statically assigned DHCP addresses, port security, and close MAC and IP spoofing monitoring through IDS or other tools. In a Ciscoworks environment maybe you could also use User Tracking to feed a database of users together with the systems they are logged on, MACs, VLAN, switch ports, etc. it's not historical and so, it would require something more to take and save periodical snapshots, but it could add to the rest of measures to get a quite reasonable correspondence between systems, IPs and user identities. Regards ------------------------------------ Actually I supported a network of 2000 systems where the site required static IPs. 1) your assumption about security is flawed. People can easily take their assigned desktop IP and either guess a second one (and hope it's not in use) or unplug their assigned system and swap. 2) data integrity is an impossible target. Without data integrity, you've bought yourself nothing. Getting technicians to keep up with data will get lost to expediency of the immediate problem at hand, most often: connectivity. A better solution is to implement a switching infrastructure that can handle mac-based port security. It's not perfect, as MACs can be spoofed by someone knowledgable. However, you have your choices of ports that auto-disable themselves -- which forces the user to contact IT and get into trouble, block traffic only while an unauthorized MAC is on the port, or you can set up a RADIUS server with a database of authorized MAC addresses that allows your users to move equipment (but only that equipment authorized by IT). Static IP addresses are no more secure. It's smoke and mirrors. Just some thoughts after three years of dealing with the issue you're wanting to tackle. Sincerely, Bryan S. Sampsel LibertyActivist.org --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus --------------------------------------------------------------------------- --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Down with DHCP!!!!, (continued)
- Re: Down with DHCP!!!! Brian Loe (Feb 22)
- Re: Down with DHCP!!!! carowe (Feb 21)
- Re: Down with DHCP!!!! securityfocus (Feb 21)
- Re: Down with DHCP!!!! danno (Feb 21)
- Re: Down with DHCP!!!! tagrrr (Feb 21)
- Re: Down with DHCP!!!! tagrrr (Feb 21)
- Re: Down with DHCP!!!! rob . lucchetti (Feb 21)
- Re: Down with DHCP!!!! someone (Feb 21)
- Re: Down with DHCP!!!! a_wirtz (Feb 21)
- RE: Down with DHCP!!!! Steven Johnston (Feb 21)
- Re: Down with DHCP!!!! jalvare7 (Feb 21)
- RE: Down with DHCP!!!! Jasun Tate (Feb 21)
- Re: Down with DHCP!!!! gigabit (Feb 22)
- Re: Down with DHCP!!!! tandernam (Feb 22)
- Re: Down with DHCP!!!! Brian Loe (Feb 22)
- RE: Down with DHCP!!!! Michael J. Benedetto (Feb 23)
- RE: Down with DHCP!!!! Steven Jones (Feb 22)
- RE: Down with DHCP!!!! Bergert, David (Feb 23)
- Re: RE: Down with DHCP!!!! anon (Feb 24)
- Re: Re: RE: Down with DHCP!!!! jctcmb (Feb 25)
- Re: Re: Re: RE: Down with DHCP!!!! me (Feb 27)