Security Basics mailing list archives
Re: Firewalls and PCI
From: "Brian Johnson" <brian.l.johnson () gmail com>
Date: Wed, 16 Jan 2008 10:28:03 -0600
How does a lack of DHCP let you KNOW who is on your network? Absent DHCP all an attacker with zero knowledge of the network configuration needs to do is sniff the ARP and other broadcast traffic to determine the addressing of the network and find themselves an open address or takeover a used address. Now if you have 802.1x or use IPSEC to limit communications that is another story entirely and can still function with DHCP. A number of clients I visit say that lack of DHCP is a security measure. If they push back on my claim it would only slow an attacker down I demonstrate just how easy it is to find an open address, I end up able to talk to their network inside of 5 minutes.
You have a VERY SMART client!! This is an architecture I have been pushing for years: Isolate every individual zone of security with a firewall. Another issue I see consistently ignored: You NEVER have a clue who is on any DHCP network. Therefore, anything running DHCP should be on a physically separate network that is considered only very very slightly more trusted than the Internet. And needless to say, this network must be isolated from the rest of the organization's internal network using a firewall. Also, please note that the same applies to ANYTHING wireless. I have an organization where I have just implemented a multi-location network, and each location's LAN is isolated on the WAN via a firewall (and one or two routers) from the rest of the WAN. Any site with exposed services has an Internet-facing router, a hardware firewall, DMZ servers, a hardware firewall, the LAN, and on LAN: a) a hardware firewall that isolates WAN/LAN servers b) a hardware firewall that isolates the site from the WAN, and the WAN router c) a hardware firewall that isolates a DHCP network. Finally, EVERY host should have a good (e.g., not M$) firewall. I am very please with Sophos' end point security product in this respect. Hope this helps! (And pay attention to your client's good ideas!) Jon Kibler -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA (843) 849-8214 ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
Current thread:
- Firewalls and PCI Josh Haft (Jan 15)
- Re: Firewalls and PCI Jon R. Kibler (Jan 15)
- Re: Firewalls and PCI Brian Johnson (Jan 16)
- Re: Firewalls and PCI Jon R. Kibler (Jan 16)
- RE: Firewalls and PCI Craig Wright (Jan 16)
- RE: Firewalls and PCI Timmothy Lester (Jan 16)
- Re: Firewalls and PCI Brian Johnson (Jan 16)
- Re: Firewalls and PCI Jon R. Kibler (Jan 15)
- Re: Firewalls and PCI David Glosser (Jan 16)
- RE: Firewalls and PCI Jason Alexander (Jan 16)
- <Possible follow-ups>
- Re: Re: Firewalls and PCI evilwon12 (Jan 16)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)
- Message not available
- Re: Firewalls and PCI Lyle Worthington (Jan 17)
- RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)