Firewall Wizards mailing list archives
Re: Using DHCP (was RE: IP Spoofing)
From: Bill_Royds () pch gc ca
Date: Sun, 3 Oct 1999 11:01:47 -0400
What I have found is that there are several kinds of hosts on an IP network. Those that are dedicated to certain tasks like servers, routers, system control clients etc. need a static address and can be documented as to services running on them, accounts allowed on them etc. Others are often desktop machines, laptops, test machines etc. that may change configuration often and are under the control of naive users. Here is where DHCP allows better control than static addresses. In a large organization, requiring static IP address assignment means delegating the task to branch and regional IT support who often do not keep accurate records. Determining authorization by IP becomes meaningless. Static IPs complicate firewalls because rules allowing services become stale, and responsibility for access control to systems becomes a bureaucratic nightmare. Having an authorizing DHCP server that can give the firewall lists of IPs that have validated themselves for a service means that the list is only as old as the DHCP lease.

"Anton J Aylward" <anton () the-wire com> on 99/10/02 09:54:34
Please respond to "Anton J Aylward" <anton () the-wire com>
To: firewall-wizards () lists nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Using DHCP (was RE: IP Spoofing)

Neither DNS nor DHCP is a cure for spoofing, and can themselves be spoofed as well ;-( But they are key tools and properly configured can support the evidence of logs in tracing problems and intrusions.

Some sites want accountability, that is a deterministic identification of an IP address with a host. This can be a strength or weakness, in my opinion, and I've always favoured it when possible. But I'd like to know what others think.

DHCP has improved, in that it can now integrate with DNS, which was always my greatest complaint about it. Like DNS it can be strapped down, binding MAC addresses to IP addresses. Of course relayers confuse this somewhat. (Just as proxy ARP on some firewalls can)

From a security standpoint there are a lot of tradeoffs to be made here, which of course interact with hardware (e.g. switching hubs) and network layout. I'd like to know what other people have found effective and what problems there may be. Can those in the know guide the rest of us away from the jagged rocks of this kind of implementation?

Anton Aylward
System Integrity
aja () si on ca
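Bill's idea of a firewall allow list that is "only as old as the DHCP lease", combined with Anton's MAC-to-IP binding, can be sketched as a small lease-file reader. This is an added example, not code from either poster; it assumes the ISC dhcpd.leases record format, and the lease records, clock and authorized MAC list are all constructed here.

```python
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases format (not from the thread); the
# file is append-only, so a later record for an IP supersedes earlier ones.
SAMPLE_LEASES = """\
lease 10.1.2.50 {
  ends 0 1999/10/03 18:00:00;
  binding state active;
  hardware ethernet 00:10:4b:aa:bb:01;
}
lease 10.1.2.51 {
  ends 0 1999/10/03 15:00:00;
  binding state active;
  hardware ethernet 00:10:4b:aa:bb:02;
}
lease 10.1.2.52 {
  ends 0 1999/10/03 14:00:00;
  binding state active;
  hardware ethernet 00:10:4b:aa:bb:01;
}
"""
LEASE_RE = re.compile(r"lease (?P<ip>\S+) \{(?P<body>.*?)\}", re.S)

def parse_leases(text):
    """Return [(ip, ends_utc, state, mac)] for every complete lease record."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        ends = re.search(r"ends \d (\S+ \S+);", body)  # 'ends never;' is skipped
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        if not (ends and state and mac):
            continue  # incomplete record: never admit it to an allow list
        when = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")
        leases.append((m.group("ip"), when.replace(tzinfo=timezone.utc),
                       state.group(1), mac.group(1).lower()))
    return leases

def firewall_allow_list(text, authorized_macs, now):
    """IP -> seconds left on an active lease held by an authorized MAC."""
    allowed = {}
    for ip, ends, state, mac in parse_leases(text):
        ttl = int((ends - now).total_seconds())
        if state == "active" and ttl > 0 and mac in authorized_macs:
            allowed[ip] = ttl  # firewall rule should expire with the lease
        else:
            allowed.pop(ip, None)  # expired, released or unauthorized: drop it
    return allowed
NOW = datetime(1999, 10, 3, 14, 30, tzinfo=timezone.utc)  # constructed clock
AUTHORIZED = {"00:10:4b:aa:bb:01"}  # constructed list of validated MACs
```

The returned TTL is what a firewall rule generator would use as the rule lifetime, so an address stays permitted no longer than the lease that justified it.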