Re: Down with DHCP!!!!

[Kenton Smith <listsks () yahoo ca>]

I say bad idea. There are other ways (I think) to
solve the issue without creating friction with other
groups. As soon as you go and mandate something that
is going to add work for other people you're going to
become an enemy and they're going to try to bypass you
at every opportunity. With that many users I think
going to staic IP's would be a management nightmare
(speaking as someone who managed a static IP network
of 225 users).

Why don't you use MAC addresses for your inventory? Or
use DNS? You've got the MAC address to check to make
sure that the machine is who it says it is. Use the
name to hav a more friendly way of inventorying.

As for preventing someone from putting a machine on
the network, what's to stop them from giving their
machine a static IP on your network? If you use MAC
addresses there are a multitude of tools available to
prevent users from adding machines to the network.

Security is always a compromise; if you don't
compromise in certain places you're going to spend
more of your time policing the people who are trying
to get around your less important security measures
and less time actually keeping the really important
stuff secure.

Kenton

--- gigabit () satx rr com wrote:

> ok, some background...
>
> i have transfered from network engineering to the
> information security 
> group for my company, which is mid-sized with about
> 2000 employees 
> across 90 locations (financial).
>
> the lessons learned from being in network
> engineering is that they are 
> first and foremost concerned with maintaining the
> production 
> environment.  the management processes/procedures
> are completely 
> disregarded if it is deemed necessary to "get
> something done".
>
> as i try to build out a security plan for how to
> deal with 
> servers/routers/end users, i keep coming to the
> conclusion that it will 
> be meaningless unless control can be taken over what
> the other 
> department is doing (network engineering).  the one
> commonality for all 
> devices on the network is that they have an IP
> address.
>
> i would like to propose to management that dhcp
> should be disabled, so 
> as to force the building of a database that will
> hold all of the 
> information needed to begin a comprehensive security
> policy.  the 
> security group would manage the database to ensure
> that we are 
> collecting information (such as O/S, IOS version,
> anti-virus 
> compliance...)
>
> i realize this will incur more work for those poor
> souls that have to 
> deploy hardware, but i believe the benefits
> out-weigh the costs.  the 
> benefits i see:
>
> 1.  once a branch location is staticly addressed, we
> have a working 
> inventory of what is out there.
>
> 2.  a more secure environment.  no longer can users
> bring in non-
> company owned devices and place them on our
> production network (which 
> is already a policy---that isn't policed).
>
> 3.  i can setup automated scripts that check MAC
> addresses to IP 
> addresses on the router ARP tables to check for
> spoofing.
>
> our branch locations don't change very
> often.....some are still on 
> token ring for god's sake, so i don't really see
> that much more 
> workload.
>
> Has anyone else dropped DHCP as a
> management/compliance decision?
>
> thanks.
---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE -
> ONLINE
> The Norwich University program offers unparalleled
> Infosec management 
> education and the case study affords you unmatched
> consulting experience. 
> Tailor your education to your own professional goals
> with degree 
> customizations including Emergency Management,
> Business Continuity Planning, 
> Computer Emergency Response Teams, and Digital
> Investigations. 
>
> http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
>



        

        
                
__________________________________________________________ 
Find your next car at http://autos.yahoo.ca

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------