Re: Down with DHCP!!!!

["Brian Loe" <knobdy () gmail com>]

On 2/22/06, gigabit () satx rr com <gigabit () satx rr com> wrote:

> 1.  "You are trying to use DHCP to fix a management problem".
>
> Absolutely!  I'm trying to bridge the gap between policy and actual
> implementation.  We already have policies, but they are not enforced
> and do not reflect the actual production environment.

If MANAGEMENT can not or will not enforce policies already in place,
how does your project change that? So you've added several layers of
difficulty to adding a machine or device to the network by a trusted
IT employee, but you've provided no more enforcement than you have
now.

> Having a centralized method to track every thing that is added to the network
> then allows for the beginings of security.  For the InfoSecurity office
> to work, it must be made aware of new items added to the network, this
> is a process that forces anything to go through InfoSecurity right from
> the start.

This isn't true, but I'll explain where you show why it isn't true below...


> 2.  "What you are proposing is un-manageable, you will be the
> bottleneck for everyone"
> Two things.  As I have stated in my original post, my enviroment does
> not change very often (still have tokenring at some locations).
> Secondly I didn't elaborate on my master plan for implementation.
> I want to get the Lotus Notes guys to help me build my database so that
> it is web-enabled.  You are a PC tech about to deploy a PC, you go to
> ip.company.com (internal, secure website).  You follow some drop down
> menus to choose region, location, floor to get the next IP address.
> You fill out the required information (user, inventory number, OS,
> virus.....)

So a human, that now UNtrusted IT employee is telling you what he's
adding to the network, and based on that he's going to get an IP
address...the disconnect there is obvious.

> Through the magic of work-flow, your taking of an IP
> address triggers an email to the security office, who then review and
> audits what has happened (probably a weekly process).

So a week goes by before anyone even cares what has been added to the
network. You've already implied that you don't trust your IT
employees, but now you're going to trust them enough to add anything
they want to the network - for a week at least. Boy, if I just handed
in my two week notice, and this is my last week, and I've already
figured out your audit schedule...you're hosed.


> The PC tech that
> is not complying with the information gathering request or is not
> accurate in the information produced gets some form of remediation.

Or he fat fingured something and has to remember that he fat fingured
something a week ago to save his job...

>  If an IP conflict does happen and my stuff
> doesn't catch it, it will generate a help desk call which will lead to
> the identification of the problem and some form of remediation for the
> user who caused the problem.  (Something they were not supposed to be
> doing due to existing policies).

Duplicate IPs will cause a problem before you find out about it.
Besides which, no one mentioned IP conflicts, they were talking about
someone simply picking the next available IP. They'll have access as
soon as that happens.


> 4.  "What you are doing is worthless, MAC spoofing gets around it"
>
> I understand that this does not solve the MAC spoofing problem.  Some
> day I hope to implement 802.1x port based authentication, but that
> requires hardware that I don't have right now.  I do believe that MAC
> spoofing is a more advanced concept and most users would make the leap
> that using such tools is in serious violation of our "computing
> polcies".  My plan will allow me to target the people that bring in
> equipment to by-pass our system security settings and people who allow
> un-authorized guest connections to our internal LAN.

So who are you protecting yourself from in the first place? Most users
don't know enough to cause a problem with your CURRENT policies and
lack of enforcement - so THEY are not the ones you're hardening
against.

> Interestingly, the other person to support my idea is the guy
> in charge of client PC computing.  His department will have to deal
> with the brunt of the work to make this happen, but he sees the benefit
> of having a thorough account of what is out there.

That's not intersting, he's the one charged with policy enforcement
and he's not doing it. You're selling him something with the marketing
spin that it will enforce policies, he's dumb enough to believe it.
Typical manager, ain't it?

I appreciate your wanting to get "control" of the environment, but
that's not really your job - unless your security department is far
different than any other I've been involved with (and worked). You are
trying to put a square block through the round peg. If policies not
being enforced is the problem, then the fix is enforcing the policies.
The idea you have isn't wrong, just wrong minded. You have to consider
how much you are spending vs. the amount of security you are getting.
> From what you have detailed here you're essentially "getting by"
without port security (maybe you need to save up for that technology?)
and implementing what is essentially an overwraught inventory system -
one that would be better implemented with a real product (several
available - Intuit has one even)... if you look hard enough you might
even find the company already owns one (Enterprice AV perhaps; MS
MOM?)!

Lastly, if your switches are so old, how secure can they be? Are they
devices with a million known exploits, with no updates - or support -
available anymore? If so, put some trust back in your coworkers and
spend the money and time on upgrading your network infrastructure.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------