Re: Down with DHCP!!!!

[jalvare7 () cajastur es]

I see the rationale in what Bryan sayis, but I believe that any kind of 
information that we can gather is 
valuable for security control purpouses and I've always found that there's 
a face on which static
network addressing brings in some security, and this is when applying 
monitoring, IDS, log
reviews and SEM. Without a correspondence between the security events and 
the systems 
they came from, you are really looking at smoke, i.e. not seeing anything. 
It all comes down to
how much assurance we can get about the correspondence between a system 
and the
IP address it uses, and what's more, the user behind them. Even without a 
near-perfect solution until 
802.1x can be implemented, to link the user identity to the network 
profile of the desktop, there are still 
quite many things that can be done to get enough assurance of it to allow 
for every day monitoring and 
forensic audit purpouses.

I'de recommend 802.1x, but I know first hand that it's implementation on a 
LAN environment
is bogged with difficulties at this point in time, so probably the nearest 
we can expect to get nowadays are 
statically assigned DHCP addresses, port security, and close MAC and IP 
spoofing monitoring through
IDS or other tools. In a Ciscoworks environment maybe you could also use 
User Tracking to feed
a database of users together with the systems they are logged on, MACs, 
VLAN, switch ports, etc. it's
not historical and so, it would require something more to take and save 
periodical snapshots, but it
could add to the rest of measures to get a quite reasonable correspondence 
between systems, IPs and
user identities.

Regards

------------------------------------


Actually I supported a network of 2000 systems where the site required
static IPs.

1) your assumption about security is flawed.  People can easily take their
assigned desktop IP and either guess a second one (and hope it's not in
use) or unplug their assigned system and swap.

2) data integrity is an impossible target.  Without data integrity, you've
bought yourself nothing.  Getting technicians to keep up with data will
get lost to expediency of the immediate problem at hand, most often:
connectivity.

A better solution is to implement a switching infrastructure that can
handle mac-based port security.  It's not perfect, as MACs can be spoofed
by someone knowledgable.  However, you have your choices of ports that
auto-disable themselves -- which forces the user to contact IT and get
into trouble, block traffic only while an unauthorized MAC is on the port,
or you can set up a RADIUS server with a database of authorized MAC
addresses that allows your users to move equipment (but only that
equipment authorized by IT).

Static IP addresses are no more secure.  It's smoke and mirrors.

Just some thoughts after three years of dealing with the issue you're
wanting to tackle.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity 
Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------