Security Basics mailing list archives
RE: Firewalls and PCI
From: "Timmothy Lester" <Timmothy.Lester () primeadvisors com>
Date: Wed, 16 Jan 2008 11:20:10 -0800
This is short, but why not just use DHCP reservations? It won't protect against all MITM attacks, but at least you have associated the IP with that MAC address. Sure, a rogue DHCP server could start handing out IPs like candy, but if your company gets big enough, static entry is "gonna be a bi+ch". I would implement other security features to protect your network. Being afraid of DHCP isn't going to help you in the long run.

Sorry if I'm wasting your time reading this.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jon R. Kibler
Sent: Wednesday, January 16, 2008 1:31 PM
To: Brian Johnson
Cc: security-basics () securityfocus com
Subject: Re: Firewalls and PCI

Brian Johnson wrote:
> How does a lack of DHCP let you KNOW who is on your network? Absent DHCP, all an attacker with zero knowledge of the network configuration needs to do is sniff the ARP and other broadcast traffic to determine the addressing of the network and find themselves an open address or take over a used address. Now if you have 802.1x or use IPSEC to limit communications, that is another story entirely, and it can still function with DHCP.
>
> A number of clients I visit say that lack of DHCP is a security measure. If they push back on my claim that it would only slow an attacker down, I demonstrate just how easy it is to find an open address; I end up able to talk to their network inside of 5 minutes.
I agree completely that a lack of DHCP does not mean security. However, anything DHCP I automatically presume is untrustworthy. With static IPs, I lock down switches, associating a MAC with a port, or use 802.1x.

Since you mentioned it, a comment about IPSec: You would not believe the number of sites that think they have IPSec enabled, but don't really. They take the average Windows defaults in IPSec setup (no AH, no ESP) and think they now have IPSec security. Like everything else, unless configured correctly, and TESTED, IPSec is not going to provide any additional security. When a site enables IPSec, you would think they would at least sniff the network to see if the traffic is REALLY encrypted, but I have yet to see any site that has actually tested its IPSec configuration.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
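Jon's point that an IPsec policy has to be verified on the wire, not just configured, can be turned into a repeatable check. The script below is an added example, not code from the thread or from any of its participants: it reads tcpdump-style summary lines (the sample capture is constructed here), groups traffic by host pair, and reports any pair that the policy says must be IPsec-protected but that is still exchanging cleartext TCP/UDP. ESP (IP protocol 50) and AH (51) count as protected, IKE on UDP 500/4500 is expected negotiation traffic, and everything else between a protected pair is flagged. The line format and the `protected_pairs` policy are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style output (not a real capture). The 10.0.0.5 <-> 10.0.0.9 pair
# negotiates IKE and then speaks ESP; the 10.0.0.5 <-> 10.0.0.20 pair talks SMB in the clear.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.0.0.5.500 > 10.0.0.9.500: isakmp: phase 1 I ident
12:00:01.050 IP 10.0.0.9.500 > 10.0.0.5.500: isakmp: phase 1 R ident
12:00:01.100 IP 10.0.0.5 > 10.0.0.9: ESP(spi=0x00001234,seq=0x1), length 116
12:00:01.150 IP 10.0.0.9 > 10.0.0.5: ESP(spi=0x00005678,seq=0x1), length 100
12:00:02.000 IP 10.0.0.5.1026 > 10.0.0.20.445: Flags [S], seq 10, win 65535, length 0
12:00:02.050 IP 10.0.0.20.445 > 10.0.0.5.1026: Flags [S.], seq 20, ack 11, length 0
12:00:03.000 IP 10.0.0.5.1027 > 10.0.0.77.80: Flags [S], seq 30, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def split_endpoint(endpoint):
    """'10.0.0.5.1026' -> ('10.0.0.5', 1026); '10.0.0.5' (no port, e.g. ESP) -> ('10.0.0.5', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def classify(rest, sport, dport):
    """Label one packet summary as esp / ah / ike / clear."""
    if rest.startswith("ESP("):
        return "esp"
    if rest.startswith("AH("):
        return "ah"
    if rest.startswith("isakmp") or 500 in (sport, dport) or 4500 in (sport, dport):
        return "ike"
    return "clear"


def audit(capture, protected_pairs):
    """Return (per-pair counters, list of cleartext packets seen between protected pairs).

    protected_pairs: iterable of (ipA, ipB) tuples that policy says must use IPsec.
    """
    policy = {frozenset(p) for p in protected_pairs}
    counts = {pair: Counter() for pair in policy}
    violations = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guessing
        src, sport = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        pair = frozenset((src, dst))
        if pair not in policy:
            continue  # traffic outside the IPsec policy is not our concern here
        kind = classify(m.group(3), sport, dport)
        counts[pair][kind] += 1
        if kind == "clear":
            violations.append((src, dst, m.group(3)))
    return counts, violations


def report(counts, violations):
    """Human-readable summary: one line per protected pair, then the offending packets."""
    lines = []
    for pair, c in sorted(counts.items(), key=lambda kv: sorted(kv[0])):
        a, b = sorted(pair)
        status = "OK" if c["clear"] == 0 and (c["esp"] + c["ah"]) > 0 else "NOT PROTECTED"
        lines.append(f"{a} <-> {b}: esp={c['esp']} ah={c['ah']} ike={c['ike']} clear={c['clear']} [{status}]")
    for src, dst, rest in violations:
        lines.append(f"  cleartext: {src} > {dst}: {rest}")
    return "\n".join(lines)


if __name__ == "__main__":
    policy = [("10.0.0.5", "10.0.0.9"), ("10.0.0.5", "10.0.0.20")]
    counts, violations = audit(SAMPLE_CAPTURE, policy)
    print(report(counts, violations))
```

On a live network the same logic applies to `tcpdump -n -i <iface>` output captured on a span port; a pair that shows IKE traffic but no ESP or AH afterwards is the "policy exists but nothing is enforced" case Jon describes, and a pair with `clear` greater than zero has a gap regardless of what the policy editor says.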
Current thread:
- Firewalls and PCI Josh Haft (Jan 15)
- Re: Firewalls and PCI Jon R. Kibler (Jan 15)
- Re: Firewalls and PCI Brian Johnson (Jan 16)
- Re: Firewalls and PCI Jon R. Kibler (Jan 16)
- RE: Firewalls and PCI Craig Wright (Jan 16)
- RE: Firewalls and PCI Timmothy Lester (Jan 16)
- Re: Firewalls and PCI Brian Johnson (Jan 16)
- Re: Firewalls and PCI Jon R. Kibler (Jan 15)
- Re: Firewalls and PCI David Glosser (Jan 16)
- RE: Firewalls and PCI Jason Alexander (Jan 16)
- <Possible follow-ups>
- Re: Re: Firewalls and PCI evilwon12 (Jan 16)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)
- Message not available
- Re: Firewalls and PCI Lyle Worthington (Jan 17)
- RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 18)
- RE: Re: Firewalls and PCI Scott Williamson (Jan 18)
- RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)