Firewall Wizards mailing list archives

Re: Using DHCP (was RE: IP Spoofing)


From: Bill_Royds () pch gc ca
Date: Sun, 3 Oct 1999 11:01:47 -0400

What I have found is that there are several kinds of hosts on an IP network.
Those that are dedicated to certain tasks like servers, routers, system control
clients etc. need a static address and can be documented as to services running
on them, accounts allowed on them etc. Others are often desktop machines,
laptops, test machines etc. that may change configuration often and are under the
control of naive users. Here is where DHCP allows better control than static
addresses. In a large organization, requiring static IP address assignment means
delegating the task to branch and regional IT support, who often do not keep
accurate records. Determining authorization by IP becomes meaningless.
   Static IPs complicate firewalls because rules allowing services become
stale, and responsibility for access control to systems becomes a bureaucratic
nightmare. Having an authorizing DHCP server that can give the firewall lists of
IPs that have validated themselves for a service means that the list is only as
old as the DHCP lease.

"Anton J Aylward" <anton () the-wire com> on 99/10/02 09:54:34

Please respond to "Anton J Aylward" <anton () the-wire com>

To:   firewall-wizards () lists nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Using DHCP (was RE: IP Spoofing)



Neither DNS nor DHCP is a cure for spoofing, and they can themselves be
spoofed as well ;-(  But they are key tools and, properly configured, can
support the evidence of logs in tracing problems and intrusions.

Some sites want accountability, that is, a deterministic identification of
an IP address with a host.  This can be a strength or a weakness, in my
opinion, and I've always favoured it when possible.  But I'd like to know
what others think.

DHCP has improved, in that it can now integrate with DNS, which was always
my greatest complaint about it.  Like DNS it can be strapped down, binding
MAC addresses to IP addresses.  Of course relayers confuse this somewhat.
(Just as proxy ARP on some firewalls can)

From a security standpoint there are a lot of tradeoffs to be made here,
which of course interact with hardware (e.g. switching hubs) and network
layout.  I'd like to know what other people have found effective and what
problems there may be.  Can those in the know guide the rest of us away
from the jagged rocks of this kind of implementation?

Anton Aylward
System Integrity
aja () si on ca
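The lease-bounded allow-list Bill describes above, worked through as an added example that is not part of either post and not code from the ISC DHCP project: a Python script reads an ISC dhcpd-style dhcpd.leases excerpt (constructed here), keeps only the leases that are active, unexpired, and held by a MAC address on a hypothetical "validated" list, and emits generic firewall rule lines that carry the lease expiry. The lease-file excerpt, the AUTHORIZED_MACS set, the cut-off time and the rule syntax are all assumptions for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed dhcpd.leases excerpt (ISC dhcpd syntax; timestamps are UTC with a
# leading weekday digit). The real file is append-only, so a later block for the
# same IP supersedes an earlier one: 10.1.2.51 is renewed at the end.
SAMPLE_LEASES = """\
lease 10.1.2.50 {
  ends 0 1999/10/03 18:00:00;
  binding state active;
  hardware ethernet 00:A0:C9:11:22:33;
}
lease 10.1.2.51 {
  ends 0 1999/10/03 13:00:00;
  binding state active;
  hardware ethernet 00:a0:c9:44:55:66;
}
lease 10.1.2.52 {
  ends 0 1999/10/03 18:30:00;
  binding state free;
  hardware ethernet 00:a0:c9:77:88:99;
}
lease 10.1.2.53 {
  ends 0 1999/10/03 18:45:00;
  binding state active;
  hardware ethernet 00:e0:18:de:ad:be;
}
lease 10.1.2.54 {
  ends 0 1999/10/03 13:30:00;
  binding state active;
  hardware ethernet 00:a0:c9:dd:ee:ff;
}
lease 10.1.2.55 {
  ends never;
  binding state active;
  hardware ethernet 00:a0:c9:aa:bb:cc;
}
lease 10.1.2.51 {
  ends 0 1999/10/03 19:00:00;
  binding state active;
  hardware ethernet 00:a0:c9:44:55:66;
}
"""

# Hypothetical set of MACs that have "validated themselves" for the service
# (the authorizing DHCP server in Bill's scheme would supply this).
AUTHORIZED_MACS = frozenset({"00:a0:c9:11:22:33", "00:a0:c9:44:55:66",
                             "00:a0:c9:aa:bb:cc", "00:a0:c9:dd:ee:ff"})

@dataclass
class Lease:
    ip: str
    mac: Optional[str]
    ends: Optional[datetime]  # None means "ends never"
    state: str                # "active" unless the file says otherwise

_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
_ENDS = re.compile(r"\bends\s+(?:\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})|(never))\s*;")
_MAC = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;")
_STATE = re.compile(r"\bbinding\s+state\s+(\w+)\s*;")

def utc(y: int, mo: int, d: int, h: int, mi: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)

def parse_leases(text: str) -> Dict[str, Lease]:
    """Latest lease block per IP (last block wins, as dhcpd itself reads the file)."""
    leases: Dict[str, Lease] = {}
    for m in _BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        e = _ENDS.search(body)
        if not e:
            continue  # malformed block without an expiry: drop rather than trust
        ends = None if e.group(2) else datetime.strptime(e.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        mac, st = _MAC.search(body), _STATE.search(body)
        leases[ip] = Lease(ip, mac.group(1).lower() if mac else None, ends,
                           st.group(1) if st else "active")
    return leases

def current_allow_list(text: str, authorized, now: datetime) -> List[Lease]:
    """Leases that are active, unexpired at `now`, and held by an authorized MAC."""
    keep = [x for x in parse_leases(text).values()
            if x.state == "active" and (x.ends is None or x.ends > now)
            and x.mac in authorized]
    return sorted(keep, key=lambda x: ipaddress.ip_address(x.ip))

def render_rules(allowed: List[Lease], port: int) -> List[str]:
    """Generic rule text; translate to your firewall's own syntax."""
    return [f"allow tcp from {x.ip} to any port {port}  # {x.mac}, lease ends "
            f"{x.ends.isoformat() if x.ends else 'never'}" for x in allowed]

if __name__ == "__main__":
    now = utc(1999, 10, 3, 15)  # assumed evaluation time for the constructed data
    for rule in render_rules(current_allow_list(SAMPLE_LEASES, AUTHORIZED_MACS, now), 25):
        print(rule)
```

Run against the constructed file at 15:00 UTC this keeps 10.1.2.50, the renewed 10.1.2.51 (its expired first lease is superseded by the later block) and the never-expiring 10.1.2.55; the freed lease, the expired lease and the active lease held by an unlisted MAC are all left out, so the rule set can never be older than the lease. The caveat from Anton's message still stands: the list is only the DHCP server's view. A host that statically configures an address out of the pool, or spoofs a listed MAC, never appears in the lease file at all, so this belongs alongside switch-port or MAC enforcement rather than in place of it.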
