Firewall Wizards mailing list archives

Re: DHCP in a corporate MS environment - Security Risk?


From: David Lang <david.lang () digitalinsight com>
Date: Tue, 21 Jan 2003 17:23:34 -0800 (PST)

Advantages of static IP assignment:
Easier tracking of what's going on. This includes intrusion detection
logs, firewalls, etc.

Advantages of DHCP:
Easier changes of network parameters.
The ability to take a machine from network to network and plug it in and
'just work'.

The problem is that the 'traditional' implementation of DHCP is with
dynamic addresses, which eliminates the advantages of them being static.
However, you can use DHCP to assign a fixed address to each machine and
then you have the advantages of both.

If you run dynamic DHCP and give out addresses to anyone, you make it
really easy for a stray person to connect to your network and start really
using it. If you use static addressing (either traditional static
addressing or DHCP MAC based assignments) then the person attempting to
access your network will have to take a few minutes to figure out what network
parameters to assign to their machine. This will stop the casual user, but
not anyone determined to get into your network (nothing will, but
configuring your ethernet switches to only allow certain MAC addresses on
each switch port would come close, and would probably make the network unusable
in most cases as a side effect).

With laptops proliferating and the need for people to use laptops at home
and in the office (and not wanting to give people admin rights on their
laptops), I am currently recommending that people use DHCP, but do MAC
based IP addresses and not have any pool of addresses.

David Lang

On Mon, 20 Jan 2003, Eye Am wrote:

Date: Mon, 20 Jan 2003 23:06:10 -0500
From: Eye Am <eyeam () optonline net>
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

I'm looking for opinions, experiences and references on the subject. Downed
and searched the entire Firewall-Wizards list. Found little discussion
either way. This may be a bit OT for the board except that some security may
well be set at the public-facing firewall as well as risks may be apparent there.

Our corporate network is reasonably well set up with private and public DNS,
no wireless IP connections and blocking all RFC1918 traffic in or out of the
public side. Some security consultants highly recommended static addressing
across the board for security and control reasons - i.e. access-list
control and the potential for compromise of the DHCP database. I have
searched Google etc. and found a few articles and whitepapers.

We have historically configured static IPs on servers, routers, switches and
all outside-facing devices. We do have several multi-homed devices with
static, public IP and a second interface facing inside (these are being
migrated to DMZ where multi-homing will no longer be necessary.) However
this does get to be a pain when making across-the-board changes.
Documentation is a bear as well since we are a small company with little
resources available to keep detailed network drawings up-to-date.

Lately we are leaning towards regular lease-based DHCP for workstations and
reserved DHCP addresses on servers on the private side. This will, of
course, make life much easier when making widespread changes or additions
such as adding secondary DNS. I have been wavering back and forth.

Is there any experience with compromised DHCP databases in MS environments?
Any strong opinions or reasoning pro or con the use of DHCP? Any
recommendations for shoring up the service and its traffic?

Much Appreciated In Advance
Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
