Firewall Wizards mailing list archives
RE: firewall-wizards digest, Vol 1 #884 - 1 msg
From: Julian HO Thean Swee <jho () starhub com>
Date: Tue, 25 Feb 2003 09:11:47 +0800
public side. Some security consultants highly recommended static addressing across the board for security and control reasons, i.e. access-list control and the potential for compromise of the DHCP database. I have searched google etc. and found a few articles and whitepapers.

We have historically configured static IPs on servers, routers, switches and all outside-facing devices. We do have several multi-homed devices with static, public IP and a second interface facing inside (these are being migrated to DMZ where multi-homing will no longer be necessary.) However this does get to be a pain when making across-the-board changes. Documentation is a bear as well since we are a small company with little resources available to keep detailed network drawings up-to-date.

Lately we are leaning towards regular lease-based DHCP for workstations and reserved DHCP addresses on servers on the private side. This will, of course, make life much easier when making widespread changes or additions such as adding secondary DNS. I have been wavering back and forth. Is there any experience with compromised DHCP databases in MS environments? Any strong opinions or reasoning pro or con the use of DHCP? Any recommendations for shoring up the service and its traffic?

Much Appreciated In Advance
Chuck
You have to balance convenience with the probability of compromise. This has always been the trick in security, irrespective of which facet (firewalls, IDS, VPNs, policies, etc. etc.).

Basically, assuming you do not deploy WLANs which are hooked up to your wired network, how easy is it for someone to obtain access to your premises and physically jack in to a port? If you have a fair bit of physical security, DHCP should not be a major issue. I presume you have some kind of authentication (logon) process being handled by a PDC on the backend for your user accounts...?

Even if you put static IPs, all an intruder had to do would be to jack in in some secluded corner, place his laptop's NIC in promiscuous mode, start capturing traffic with ethereal or some equivalent packet sniffer and see what your addressing scheme was. Even if you had limited the range of IPs accessing your network, the intruder could even assume the identity of a valid user by doing an arp poison against the desired IP, forcing the host to reboot, then while the host was rebooting, setting their IP to the host's IP and presto, he's inside.

Saying "is DHCP a security risk?" by itself is not enough; you have to look at it, as with all other security questions, in light of the big picture...

Hope this helps,
j.
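The reply above makes the point that the IP-takeover trick (poison the ARP cache, wait for the host to drop off, claim its address) works whether addresses are static or DHCP-assigned, so the practical control is to watch the IP-to-MAC bindings themselves. Below is an added example, not code from the thread, that scans a constructed series of ARP-table observations (the kind of data a gateway's periodic `arp -a` dump or DHCP lease log would give you; the timestamps, addresses and MACs are invented sample data) and flags the two symptoms of that attack: an IP that suddenly answers from a different MAC, and a MAC that claims more than one IP.

```python
from collections import defaultdict

# Constructed sample observations (timestamp, ip, mac), as if parsed from
# periodic ARP-table dumps on the gateway. Not real addresses.
OBSERVATIONS = [
    ("09:00", "10.0.0.10", "00:11:22:33:44:55"),
    ("09:00", "10.0.0.11", "00:11:22:33:44:66"),
    ("09:05", "10.0.0.10", "00:11:22:33:44:55"),
    ("09:10", "10.0.0.10", "AA:BB:CC:DD:EE:FF"),  # 10.0.0.10 now answers from a new MAC
    ("09:10", "10.0.0.11", "00:11:22:33:44:66"),
    ("09:15", "10.0.0.12", "AA:BB:CC:DD:EE:FF"),  # same MAC also claims a second IP
]


def find_binding_changes(observations):
    """Return a list of alerts from a time-ordered sequence of (ts, ip, mac).

    Alert kinds:
      ("mac-change", ip, old_mac, new_mac) - an IP moved to a different MAC
      ("multi-ip", mac, (ip, ...))         - one MAC is answering for several IPs
    Each alert is tagged with the timestamp of the observation that raised it.
    """
    last_mac = {}                 # ip -> most recently seen MAC
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()  # normalise case so "AA:BB" and "aa:bb" compare equal
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-change", ip, prev, mac))
        last_mac[ip] = mac
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            # Only alert when a NEW IP is attached to an already-bound MAC,
            # so a steady duplicate does not re-alert on every snapshot.
            if len(ips_per_mac[mac]) > 1:
                alerts.append((ts, "multi-ip", mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in find_binding_changes(OBSERVATIONS):
        print(alert)
```

A legitimate NIC swap or a reinstalled server also shows up as a mac-change, so the alert is a prompt to check the change record, not proof of an intruder; for servers on reserved DHCP addresses you can go further and compare each observation against the reservation list.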