Security Basics mailing list archives
Re: Down with DHCP!!!!
From: gigabit () satx rr com
Date: Wed, 22 Feb 2006 09:58:08 -0600
Thanks for all of your responses....most were thoughtful and considered. Here are some issues/concerns addressed by some of you and my responses (the quotes are for effect, and not totally accurate):

1. "You are trying to use DHCP to fix a management problem"

Absolutely! I'm trying to bridge the gap between policy and actual implementation. We already have policies, but they are not enforced and do not reflect the actual production environment. Having a centralized method to track everything that is added to the network then allows for the beginnings of security. For the InfoSecurity office to work, it must be made aware of new items added to the network; this is a process that forces anything to go through InfoSecurity right from the start.

2. "What you are proposing is unmanageable, you will be the bottleneck for everyone"

Two things. As I have stated in my original post, my environment does not change very often (still have token ring at some locations). Secondly, I didn't elaborate on my master plan for implementation. I want to get the Lotus Notes guys to help me build my database so that it is web-enabled. You are a PC tech about to deploy a PC; you go to ip.company.com (internal, secure website). You follow some drop-down menus to choose region, location, floor to get the next IP address. You fill out the required information (user, inventory number, OS, virus.....). Through the magic of work-flow, your taking of an IP address triggers an email to the security office, who then review and audit what has happened (probably a weekly process). The PC tech that is not complying with the information gathering request or is not accurate in the information produced gets some form of remediation.

3. "Someone with basic knowledge will pick the next address, and cause an IP conflict"

Once the system is in place, I will have the ability to then track what is happening at the branch locations, to include the presence of a new unassigned IP address. My plan to do this is using automated scripts that pull information from branch routers that can then look for anomalies. Once the conversion happens at a branch, I establish my baseline mapping MACs to IPs and compare daily/hourly/weekly scripts against that baseline. If an IP conflict does happen and my stuff doesn't catch it, it will generate a help desk call which will lead to the identification of the problem and some form of remediation for the user who caused the problem (something they were not supposed to be doing due to existing policies).

4. "What you are doing is worthless, MAC spoofing gets around it"

I understand that this does not solve the MAC spoofing problem. Some day I hope to implement 802.1x port-based authentication, but that requires hardware that I don't have right now. I do believe that MAC spoofing is a more advanced concept and most users would make the leap that using such tools is in serious violation of our "computing policies". My plan will allow me to target the people that bring in equipment to bypass our system security settings and people who allow unauthorized guest connections to our internal LAN.

5. "You're gonna screw yourself if you have to make DNS/Gateway changes manually"

I have difficulty seeing how this is a problem for two reasons. First, we have redundant DNS servers, and if one dies the IP will remain while the server gets rebuilt. Secondly, once we have accounted for all the PCs at a branch, we can proceed with installing our remote management agent which will allow us to change whatever has to change remotely. We also have the ability to alter system settings via login scripts if needed.

Interestingly, the other person to support my idea is the guy in charge of client PC computing. His department will have to deal with the brunt of the work to make this happen, but he sees the benefit of having a thorough account of what is out there.

I think I have to stress that what I am proposing is more a way to force the integration of the InfoSecurity office with the Network Engineering and Client Support offices. The separation of powers of these offices makes sense, but truth be told the security office is the only one that has mapped out procedures and actually has the consistency checks in place to be accountable. However much work has to happen initially, I really think this process will make a difference in our overall security/management plan.

Thanks again for all your responses.
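The baseline-and-compare check the poster describes in point 3, written out as an added example (not code from the original post or its author): it parses two constructed router ARP snapshots, assumed here to use the Cisco `show ip arp` line layout, treats the first as the MAC-to-IP baseline, and flags unassigned addresses, changed MACs and missing hosts in the second.

```python
import re

# Constructed sample: baseline snapshot recorded right after a branch conversion.
BASELINE_ARP = """\
Internet  10.20.1.1    -   0011.2233.4401  ARPA  Vlan1
Internet  10.20.1.10   5   0011.2233.4410  ARPA  Vlan1
Internet  10.20.1.11   12  0011.2233.4411  ARPA  Vlan1
"""

# Constructed sample: a later snapshot pulled from the same branch router.
CURRENT_ARP = """\
Internet  10.20.1.1    -   0011.2233.4401  ARPA  Vlan1
Internet  10.20.1.10   3   0011.2233.4410  ARPA  Vlan1
Internet  10.20.1.11   7   aabb.ccdd.eeff  ARPA  Vlan1
Internet  10.20.1.57   1   0011.2233.4457  ARPA  Vlan1
"""

# Assumed line layout: "Internet <ip> <age> <mac as xxxx.xxxx.xxxx> ARPA <iface>".
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def parse_arp(text):
    """Return {ip: mac} for every line that matches; anything else is skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def compare(baseline, current):
    """Sort the differences into the cases the post wants flagged.
    unassigned : an IP on the wire that the baseline never issued
    mac_changed: a known IP now answering from a different MAC (an
                 unregistered rebuild, or two hosts fighting over one address)
    missing    : a registered IP not seen in this snapshot (often just powered off)
    """
    findings = {"unassigned": [], "mac_changed": [], "missing": []}
    for ip, mac in sorted(current.items()):
        if ip not in baseline:
            findings["unassigned"].append((ip, mac))
        elif baseline[ip] != mac:
            findings["mac_changed"].append((ip, baseline[ip], mac))
    findings["missing"] = sorted(set(baseline) - set(current))
    return findings

if __name__ == "__main__":
    for kind, items in compare(parse_arp(BASELINE_ARP), parse_arp(CURRENT_ARP)).items():
        for item in items:
            print(kind, item)
```

In practice the baseline would come from the IP assignment database rather than a first snapshot, so an address the router sees but the database never issued is exactly the unassigned case the poster wants to catch.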