Re: Down with DHCP!!!!

[Jason Healy <jhealy () logn net>]

On Feb 17, 2006, at 1:31 PM, gigabit () satx rr com wrote:
> i would like to propose to management that dhcp should be disabled, so
> as to force the building of a database that will hold all of the
> information needed to begin a comprehensive security policy.

You're describing features that are good to have on a network, but  
they don't really have anything to do with DHCP.  DHCP is there to  
make your (the network admin's) life easier; turning it off will just  
make more work for you, without any real added security.


> the security group would manage the database to ensure that we are
> collecting information (such as O/S, IOS version, anti-virus
> compliance...)

If you're looking for compliance, you might be better off with a  
device that involves a scanning agent.  I know there are a few open  
source products gearing up for this (PacketFence, Ungoliant, etc) and  
also existing commercial options from Cisco, Bradford (Campus  
Manager) and others.  The latter products require an agent scan of a  
machine before it is allowed onto the network.  The scan data can be  
entered into a database, helping with basic compliance and asset  
tracking.


> 1.  once a branch location is staticly addressed, we have a working
> inventory of what is out there.

OK, but this has nothing to do with DHCP.  In fact, you could easily  
enter MAC addresses into your inventory database, and dump that out  
into your DHCP server, so that it hands out long-lived IP addresses  
to known clients.


> 2.  a more secure environment.  no longer can users bring in non-
> company owned devices and place them on our production network (which
> is already a policy---that isn't policed).

Um... can't they just manually configure their machine with an  
address that's on the subnet?  While it won't be as simple as just  
plugging the device in and acquiring an address, it's not really  
going to stop anyone who wants to get on the network.

If non-auto-configuration is good enough for you, just set your DHCP  
server to disallow "unknown" clients, and they'll be just as locked  
out as they would be with pure manual assignment.  As an added bonus,  
your DHCP server will log the failed attempts with their MAC address,  
so you can hunt down offenders.


> 3.  i can setup automated scripts that check MAC addresses to IP
> addresses on the router ARP tables to check for spoofing.

That addresses the security issue somewhat, but has nothing to do  
with DHCP.  You could use this system with DHCP addresses as well  
(and, in fact, DHCP helps you with this, since it hands out addresses  
based on MAC address).  Of course, there's always MAC spoofing...  =)

You're right to want security on your network, but DHCP is not the  
evil you need to eliminate.  If you're serious about preventing  
unauthorized access, you need to look at how to detect and/or prevent  
unauthorized access at the MAC level, and enforce policy there.  DHCP  
is just a tool to help you from having to configure things by hand.

Jason

--
Jason Healy    |    jhealy () logn net    |   http://www.logn.net/


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------