Security Basics mailing list archives
Re: Down with DHCP!!!!
From: "Brian Loe" <knobdy () gmail com>
Date: Wed, 22 Feb 2006 19:39:10 -0600
On 2/22/06, gigabit () satx rr com <gigabit () satx rr com> wrote:
> 1. "You are trying to use DHCP to fix a management problem". Absolutely! I'm trying to bridge the gap between policy and actual implementation. We already have policies, but they are not enforced and do not reflect the actual production environment.
If MANAGEMENT can not or will not enforce policies already in place, how does your project change that? So you've added several layers of difficulty to adding a machine or device to the network by a trusted IT employee, but you've provided no more enforcement than you have now.
> Having a centralized method to track everything that is added to the network then allows for the beginnings of security. For the InfoSecurity office to work, it must be made aware of new items added to the network; this is a process that forces anything to go through InfoSecurity right from the start.
This isn't true, but I'll explain where you show why it isn't true below...
> 2. "What you are proposing is un-manageable, you will be the bottleneck for everyone" Two things. As I have stated in my original post, my environment does not change very often (still have token ring at some locations). Secondly, I didn't elaborate on my master plan for implementation. I want to get the Lotus Notes guys to help me build my database so that it is web-enabled. You are a PC tech about to deploy a PC, you go to ip.company.com (internal, secure website). You follow some drop down menus to choose region, location, floor to get the next IP address. You fill out the required information (user, inventory number, OS, virus.....)
So a human, that now UNtrusted IT employee is telling you what he's adding to the network, and based on that he's going to get an IP address...the disconnect there is obvious.
> Through the magic of work-flow, your taking of an IP address triggers an email to the security office, who then reviews and audits what has happened (probably a weekly process).
So a week goes by before anyone even cares what has been added to the network. You've already implied that you don't trust your IT employees, but now you're going to trust them enough to add anything they want to the network - for a week at least. Boy, if I just handed in my two week notice, and this is my last week, and I've already figured out your audit schedule...you're hosed.
> The PC tech that is not complying with the information gathering request or is not accurate in the information produced gets some form of remediation.
Or he fat fingered something and has to remember that he fat fingered something a week ago to save his job...
> If an IP conflict does happen and my stuff doesn't catch it, it will generate a help desk call which will lead to the identification of the problem and some form of remediation for the user who caused the problem. (Something they were not supposed to be doing due to existing policies).
Duplicate IPs will cause a problem before you find out about it. Besides which, no one mentioned IP conflicts, they were talking about someone simply picking the next available IP. They'll have access as soon as that happens.
> 4. "What you are doing is worthless, MAC spoofing gets around it" I understand that this does not solve the MAC spoofing problem. Some day I hope to implement 802.1x port based authentication, but that requires hardware that I don't have right now. I do believe that MAC spoofing is a more advanced concept and most users would make the leap that using such tools is in serious violation of our "computing policies". My plan will allow me to target the people that bring in equipment to bypass our system security settings and people who allow un-authorized guest connections to our internal LAN.
So who are you protecting yourself from in the first place? Most users don't know enough to cause a problem with your CURRENT policies and lack of enforcement - so THEY are not the ones you're hardening against.
> Interestingly, the other person to support my idea is the guy in charge of client PC computing. His department will have to deal with the brunt of the work to make this happen, but he sees the benefit of having a thorough account of what is out there.
That's not interesting, he's the one charged with policy enforcement and he's not doing it. You're selling him something with the marketing spin that it will enforce policies, he's dumb enough to believe it. Typical manager, ain't it? I appreciate your wanting to get "control" of the environment, but that's not really your job - unless your security department is far different than any other I've been involved with (and worked). You are trying to put a square block through the round peg. If policies not being enforced is the problem, then the fix is enforcing the policies. The idea you have isn't wrong, just wrong minded. You have to consider how much you are spending vs. the amount of security you are getting.
From what you have detailed here you're essentially "getting by" without port security (maybe you need to save up for that technology?) and implementing what is essentially an overwrought inventory system - one that would be better implemented with a real product (several available - Intuit has one even)... if you look hard enough you might even find the company already owns one (Enterprise AV perhaps; MS MOM?)! Lastly, if your switches are so old, how secure can they be? Are they devices with a million known exploits, with no updates - or support - available anymore? If so, put some trust back in your coworkers and spend the money and time on upgrading your network infrastructure.
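The gap Brian points at is that the web-form scheme only learns what a tech chose to type in, and nothing checks the wire until the weekly audit. Here is an added example, not code from the thread or from either poster, that reconciles observed IP/MAC pairs (as an ARP or switch table would report them) against the register the form would populate; the register contents, observations and field names are constructed for illustration.

```python
# Added example: reconcile observed hosts against a self-reported inventory
# register so that unregistered or mis-registered devices surface immediately
# rather than at a weekly review. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ip: str
    mac: str
    source: str  # where it was seen, e.g. "arp", "switch-cam", "dhcp-lease"


# Constructed register: MAC -> (IP handed out by the form, owner recorded).
REGISTER = {
    "00:11:22:33:44:55": ("10.1.5.10", "jdoe"),
    "00-11-22-33-44-66": ("10.1.5.11", "asmith"),      # mixed separators on purpose
    "00:11:22:33:44:77": ("10.1.5.12", "printer-3f"),
}

# Constructed observations from the network itself.
OBSERVED = [
    Observation("10.1.5.10", "00:11:22:33:44:55", "arp"),
    Observation("10.1.5.11", "00:11:22:33:44:66", "arp"),
    Observation("10.1.5.13", "00:11:22:33:44:88", "arp"),  # never went through the form
    Observation("10.1.5.12", "00:11:22:33:44:99", "arp"),  # registered IP, different MAC
]


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so register and observations compare."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(observed, register):
    """Return findings as (kind, ip, mac):
    'unregistered' - MAC not in the register at all;
    'ip-mismatch'  - registered MAC seen on an IP other than the one assigned;
    'ip-reuse'     - unknown MAC sitting on an IP the register assigned to someone."""
    reg = {normalise_mac(m): v for m, v in register.items()}
    assigned_ips = {ip: mac for mac, (ip, _owner) in reg.items()}
    findings = []
    for obs in observed:
        mac = normalise_mac(obs.mac)
        if mac in reg:
            if reg[mac][0] != obs.ip:
                findings.append(("ip-mismatch", obs.ip, mac))
        elif obs.ip in assigned_ips:
            findings.append(("ip-reuse", obs.ip, mac))
        else:
            findings.append(("unregistered", obs.ip, mac))
    return findings
```

Run on a live ARP or switch MAC table, the same comparison is what turns the register from an after-the-fact inventory into something that flags a device the moment it appears, which is the enforcement the weekly e-mail audit cannot provide.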