Security Basics mailing list archives
RE: Down with DHCP!!!!
From: "Jasun Tate" <jtate () ICWGROUP com>
Date: Tue, 21 Feb 2006 11:08:30 -0800
From a control perspective and management overhead I would have to agree with the Port Security option if your infrastructure supports that technology. Managing/monitoring the DHCP pools as assignments yourself while holding your NE's or an SA accountable for the Administration would lessen both parties' workload. Static assignment to the desktop is going to be kind of overkill in my perspective while STATIC to your servers of course is the way to go. The repository for control you speak of can contain an accurate account of IP reservation while satisfying the Reqs you're trying to comply with.

-Other management tools as in Asset Tracking software would also help tremendously if you have such tools at your ready.

----Just my 01 cents

Jasun Tate CEH,MCSA
Sr. Security Administrator
Network Operations-ICW Group
~~INVEST IN LOSS~~ Chen Man Ching

-----Original Message-----
From: Steven Johnston [mailto:sjohnston () eg-consulting com]
Sent: Tuesday, February 21, 2006 3:08 AM
To: Douglas Dever; gigabit () satx rr com
Cc: security-basics () securityfocus com
Subject: RE: Down with DHCP!!!!

Yes utter madness, why don't you use something like IPSec to secure your network, I attended a Microsoft event recently and they were talking about this. I've included some links for your reference, they might not be exactly what you're looking for but will certainly put you on the right track if you decide to adopt this method.

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Good Luck
Steven

-----Original Message-----
From: Douglas Dever [mailto:dougdever () gmail com]
Sent: 18 February 2006 00:46
To: gigabit () satx rr com
Cc: security-basics () securityfocus com
Subject: Re: Down with DHCP!!!!

Frankly, I think you have an axe to grind against your former co-workers in network engineering, don't know very much about network engineering, or are simply on crack... comments inline...

On 2/17/06, gigabit () satx rr com <gigabit () satx rr com> wrote:
> ok, some background... i have transferred from network engineering to the information security group for my company, which is mid-sized with about 2000 employees across 90 locations (financial). the lessons learned from being in network engineering is that they are first and foremost concerned with maintaining the production environment. the management processes/procedures are completely disregarded if it is deemed necessary to "get something done".
This is a management and process issue best handled by putting together a comprehensive security policy and having your management chain force the network engineering folks to follow it. Telling NetEng how to do their job won't get you a lot of traction in the real world. Look, if there's an outage and a few rules need to be bent to maintain the production environment, that isn't a bad thing(tm). But if it happens every time someone doesn't want to follow the appropriate change management procedure, that's a different story.
> as i try to build out a security plan for how to deal with servers/routers/end users, i keep coming to the conclusion that it will be meaningless unless control can be taken over what the other department is doing (network engineering). the one commonality for all devices on the network is that they have an IP address. i would like to propose to management that dhcp should be disabled, so as to force the building of a database that will hold all of the information needed to begin a comprehensive security policy. the security group would manage the database to ensure that we are collecting information (such as O/S, IOS version, anti-virus compliance...)
Why re-invent the wheel? If you're really serious about this, wouldn't it make more sense to transfer control of the DHCP servers to the security team and then configure it how you wish? You could still statically assign specific IP addresses to specific MAC addresses if you wished. (e.g. Doing an audit on a portion of the network that you're cutting over to your DHCP, gather the information you need/want, and then once you have said info, making the appropriate DHCP assignments.) Then, if you have any changes to make you've got one place to make them - as opposed to having someone run from PC to PC. Would it be easier to make the NE's or desktop support staff run around and do this? Probably - but then you're the one who's decided you need to maintain this information yourself, suck it up and do the work.
> i realize this will incur more work for those poor souls that have to deploy hardware, but i believe the benefits out-weigh the costs. the benefits i see:
Sure, because you're not the one who is going to have to implement your idea.
> 1. once a branch location is statically addressed, we have a working inventory of what is out there.
> 2. a more secure environment. no longer can users bring in non-company owned devices and place them on our production network (which is already a policy---that isn't policed).
> 3. i can set up automated scripts that check MAC addresses to IP addresses on the router ARP tables to check for spoofing.
Two thoughts: Port Security. Cisco NAC
> our branch locations don't change very often.....some are still on token ring for god's sake, so i don't really see that much more workload.
What are you planning to do for users, management, whatever who have to move between locations and plan to use the network at all of them? Reconfigure their TCP/IP stack each time?
> Has anyone else dropped DHCP as a management/compliance decision?
Why not just use a wire-cutter for your IPS solution while you're at it?

-doug
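The thread above discusses keeping an inventory of IP reservations and checking MAC-to-IP pairs in router ARP tables. The following is an added example, not code from any poster in the thread: it audits ARP output against a reservation list. The reservation data, the sample ARP text (laid out like Cisco IOS `show ip arp` output) and the function names are all constructed for illustration.

```python
import re

# Constructed inventory: the IP -> MAC reservations the security team would hold.
RESERVATIONS = {
    "10.20.1.10": "00:11:22:33:44:55",
    "10.20.1.11": "00:11:22:33:44:66",
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.10              -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.20.1.11             12   00de.adbe.ef01  ARPA   FastEthernet0/0
Internet  10.20.1.50              2   00de.adbe.ef01  ARPA   FastEthernet0/0
Internet  10.20.1.60              0   Incomplete      ARPA
"""

ARP_LINE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s")

def normalize_mac(mac):
    """Reduce any common MAC notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Yield (ip, mac) for resolved entries; header and Incomplete rows are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group(1), normalize_mac(m.group(2))

def audit(arp_text, reservations):
    """Return sorted (kind, ip, mac) findings for entries that disagree with the inventory."""
    known = {ip: normalize_mac(mac) for ip, mac in reservations.items()}
    findings, ips_by_mac = [], {}
    for ip, mac in parse_arp(arp_text):
        ips_by_mac.setdefault(mac, []).append(ip)
        if ip not in known:
            findings.append(("unregistered-ip", ip, mac))
        elif known[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:  # one MAC answering for several IPs
            findings.append(("mac-on-multiple-ips", ",".join(sorted(ips)), mac))
    return sorted(findings)
```

A MAC seen on several IPs is not always spoofing: routers, proxy ARP and multi-homed hosts produce the same pattern, so that finding is a prompt for review.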