Firewall Wizards mailing list archives
Re: DHCP in a corporate MS environment - Security Risk?
From: Luca Berra <bluca () comedia it>
Date: Wed, 22 Jan 2003 10:17:28 +0100
On Mon, Jan 20, 2003 at 11:06:10PM -0500, Eye Am wrote:
> Our corporate network is reasonably well set up with private and public DNS, no wireless IP connections and blocking all RFC1918 traffic in or out of the public side. Some security consultants highly recommended static addressing across the board for security and control reasons - i.e. access-list control and the potential for compromise of the DHCP database. I have searched Google etc. and found a few articles and whitepapers.
Well, really DHCP is a double-edged sword. It does have its advantages: basically you don't need to configure or reconfigure each workstation, and you can pass parameters to workstations (try changing the DNS server in a completely static network). But it is also a very weak system:

- I have seen a big corporate network stranded for many hours when an idiot forgot to switch off the DHCP server on its test machine before connecting it on the corporate network.
- DHCP failover protocol is still young.
- Configuring reservations with a well-known point-and-click interface is a pita.
- The database can get corrupted, which is bad if you have to recreate complex configurations (i.e. tons of reservations), so back up often.

Luckily, modern DHCP servers try to ping an IP address before assigning it to a client, thus lowering the chance of duplicate addresses. Unluckily for you, there are broken clients out there (Win 9x) that don't send DHCPREQUEST packets to confirm their lease is still valid, and just use the previously assigned values, thus raising those chances.

Anyway, I believe that with growing networks the ease of configuration and reduced workload for the support division pays back for the weakness.

I would not, anyway, use DHCP reservation for server machines; I really prefer those (which should be a small number compared to workstations) to be immune from the above-mentioned DHCP weakness.

I also don't like (from a security standpoint) the use of IP-based authentication, let alone the use of DHCP reservation for the aforementioned purpose. Password/certificate-based authentication, including lock-and-key systems to support non-proxy-aware apps, has existed for a long time. And the insecurity of IP addresses for authentication has been proved eons ago.

Regards,
L.

--
Luca Berra -- bluca () comedia it
Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards