Security Basics mailing list archives
Re: Down with DHCP!!!!
From: Gunnar Wolf <gwolf () gwolf org>
Date: Sat, 18 Feb 2006 13:00:11 -0600
gigabit () satx rr com dijo [Fri, Feb 17, 2006 at 12:31:08PM -0600]:
ok, some background... (...) i would like to propose to management that dhcp should be disabled, so as to force the building of a database that will hold all of the information needed to begin a comprehensive security policy. the security group would manage the database to ensure that we are collecting information (such as O/S, IOS version, anti-virus compliance...)
By adding a couple of details to your ideas, mi conclusion was exactly the opposite: Mandate that _everybody_ gets his machine configured by DHCP makes your network more secure - and, of course, easier to manage. The key? Maintain a database of known equipment, and hand out static DHCP addresses to them.
(...) 2. a more secure environment. no longer can users bring in non- company owned devices and place them on our production network (which is already a policy---that isn't policed).
I agree, if anybody can come in and get a working IP address, something is seriously broken in your net setup. However, if unregistered MACs are assigned an IP in a restricted range. If you want, you could direct them to what has been branded as a "captive portal" where the user can register who he is and why does he think you should authorize him to use the network.
3. i can setup automated scripts that check MAC addresses to IP addresses on the router ARP tables to check for spoofing. (...) Has anyone else dropped DHCP as a management/compliance decision?
If you are interested (or anybody else), I can send you the scripts I made to handle this needs for my network. I am currently only outputting the DHCP configuration, but I want to add normal and reverse DNS mappings and firewall settings to prevent usage by unauthorized MAC<=>IP pairs (adding this will be quite trivial). I deployed this where I worked several years ago, at a faculty with 2,000 teachers and 12,000 students. The amount of network trouble we had soon dropped to the ground. I am implementing it in the Institute I work now, and success has been less spectacular, but because of political reasons (I haven't been able to set up the firewall restrictions because the users don't want to be bothered, and I have to explain what this is to several layers of management). Greetings, -- Gunnar Wolf - gwolf () gwolf org - (+52-55)5623-0154 / 1451-2244 PGP key 1024D/8BB527AF 2001-10-23 Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Down with DHCP!!!! gigabit (Feb 17)
- Re: Down with DHCP!!!! Douglas Dever (Feb 21)
- Re: Down with DHCP!!!! Kenton Smith (Feb 21)
- RE: Down with DHCP!!!! Steve Fletcher (Feb 21)
- Re: Down with DHCP!!!! Bryan S. Sampsel (Feb 21)
- Re: Down with DHCP!!!! alwork (Feb 21)
- Re: Down with DHCP!!!! Gunnar Wolf (Feb 21)
- Re: Down with DHCP!!!! Paul Halliday (Feb 21)
- Re: Down with DHCP!!!! Jason Healy (Feb 21)
- Re: Down with DHCP!!!! Neil (Feb 21)
- Re: Down with DHCP!!!! Andreas Hell (Feb 22)
- Re: Down with DHCP!!!! Gunnar Wolf (Feb 27)
- Re: Down with DHCP!!!! Andreas Hell (Feb 22)
- Re: Down with DHCP!!!! Ruben Vanhoutte (Feb 21)
- Re: Down with DHCP!!!! Manuel Sousa (Feb 21)
- RE: Down with DHCP!!!! Murad Talukdar (Feb 21)
- Re: Down with DHCP!!!! Kurt Reimer (Feb 21)
- RE: Down with DHCP!!!! Andrew Aris (Feb 21)
(Thread continues...)