Re: Down with DHCP!!!!

[Gunnar Wolf <gwolf () gwolf org>]

gigabit () satx rr com dijo [Fri, Feb 17, 2006 at 12:31:08PM -0600]:
> ok, some background...
> (...)
> i would like to propose to management that dhcp should be disabled, so 
> as to force the building of a database that will hold all of the 
> information needed to begin a comprehensive security policy.  the 
> security group would manage the database to ensure that we are 
> collecting information (such as O/S, IOS version, anti-virus 
> compliance...)

By adding a couple of details to your ideas, mi conclusion was exactly
the opposite: Mandate that _everybody_ gets his machine configured by
DHCP makes your network more secure - and, of course, easier to
manage. The key? Maintain a database of known equipment, and hand out
static DHCP addresses to them. 

> (...)
> 2.  a more secure environment.  no longer can users bring in non-
> company owned devices and place them on our production network (which 
> is already a policy---that isn't policed).

I agree, if anybody can come in and get a working IP address,
something is seriously broken in your net setup. However, if
unregistered MACs are assigned an IP in a restricted range. If you
want, you could direct them to what has been branded as a "captive
portal" where the user can register who he is and why does he think
you should authorize him to use the network. 

> 3.  i can setup automated scripts that check MAC addresses to IP 
> addresses on the router ARP tables to check for spoofing.
> (...)
> Has anyone else dropped DHCP as a management/compliance decision?

If you are interested (or anybody else), I can send you the scripts I
made to handle this needs for my network. I am currently only
outputting the DHCP configuration, but I want to add normal and
reverse DNS mappings and firewall settings to prevent usage by
unauthorized MAC<=>IP pairs (adding this will be quite trivial).

I deployed this where I worked several years ago, at a faculty with
2,000 teachers and 12,000 students. The amount of network trouble we
had soon dropped to the ground. I am implementing it in the Institute
I work now, and success has been less spectacular, but because of
political reasons (I haven't been able to set up the firewall
restrictions because the users don't want to be bothered, and I have
to explain what this is to several layers of management).

Greetings,

-- 
Gunnar Wolf - gwolf () gwolf org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------