Firewall Wizards mailing list archives

Re: DHCP in a corporate MS environment - Security Risk?


From: Luca Berra <bluca () comedia it>
Date: Wed, 22 Jan 2003 10:17:28 +0100

On Mon, Jan 20, 2003 at 11:06:10PM -0500, Eye Am wrote:
> Our corporate network is reasonably well set up with private and public DNS,
> no wireless IP connections and blocking all RFC1918 traffic in or out of the
> public side. Some security consultants highly recommended static addressing
> across the board for security and control reasons - i.e. access-list
> control and the potential for compromise of the DHCP database. I have
> searched Google etc. and found a few articles and whitepapers.

Well, really DHCP is a double-edged sword. It does have its advantages:
basically you don't need to configure or reconfigure each workstation,
and you can pass parameters to workstations (try changing the DNS server in
a completely static network).

But it is also a very weak system:
- I have seen a big corporate network stranded for many hours when an
 idiot forgot to switch off the DHCP server on their test machine before
 connecting it to the corporate network.
- The DHCP failover protocol is still young.
- Configuring reservations with a well-known point-and-click interface
 is a pita.
- The database can get corrupted, which is bad if you have to recreate
 complex configurations (i.e. tons of reservations), so back up often.
 Luckily, modern DHCP servers try to ping an IP address before assigning
 it to a client, thus lowering the chance of duplicate addresses;
 unluckily for you, there are broken clients out there (Win 9x) that
 don't send DHCPREQUEST packets to confirm their lease is still valid,
 and just use the previously assigned values, thus heightening those chances.

Anyway, I believe that with growing networks the ease of configuration
and reduced workload for the support division pays back for the
weakness.

I would not, anyway, use DHCP reservations for server machines; I really
prefer those (which should be a small number compared to workstations)
to be immune from the above-mentioned DHCP weaknesses.

I also don't like (from a security standpoint) the use of IP-based
authentication, let alone the use of DHCP reservations for the
aforementioned purpose. Password/certificate-based authentication,
including lock-and-key systems to support non-proxy-aware apps, has
existed for a long time.
And the insecurity of IP addresses for authentication was proved eons
ago.

Regards,
L.


--
Luca Berra -- bluca () comedia it
       Communication Media & Services S.r.l.
/"\
\ /     ASCII RIBBON CAMPAIGN
 X        AGAINST HTML MAIL
/ \
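The first weakness in the reply above (a forgotten DHCP server on a test box handing out leases to the whole segment) is something a network team can watch for passively: any DHCPOFFER, DHCPACK or DHCPNAK whose Server Identifier (option 54) is not one of the known corporate servers is a rogue. The script below is an added example, not code from the post or its author. It parses raw DHCP/BOOTP payloads (what you would capture as the UDP payload on ports 67/68), builds three constructed packets (a client discover, a legitimate offer, and an offer from a test machine), and reports the rogue one. The authorised server address 10.0.0.1 and all packet contents are assumptions for the sample.

```python
import struct

# Assumption for this example: the only DHCP server that should answer on this segment.
AUTHORISED_SERVERS = {"10.0.0.1"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # message types only a server should send


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def parse_dhcp(payload: bytes) -> dict:
    """Parse a raw DHCP/BOOTP payload into the fields a detector cares about:
    BOOTP op, transaction id, offered address (yiaddr), client MAC and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte, no length
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": ip_str(payload[16:20]),
        "chaddr": payload[28:28 + hlen].hex(":"),
        "options": options,
    }


def check_packet(payload: bytes) -> dict:
    """Classify one packet; 'rogue' is True for a server reply whose option 54 is unknown."""
    pkt = parse_dhcp(payload)
    mtype = MSG_TYPES.get(pkt["options"].get(53, b"\x00")[0], "UNKNOWN")
    sid = pkt["options"].get(54)
    server = ip_str(sid) if sid else None
    rogue = mtype in SERVER_MESSAGES and server not in AUTHORISED_SERVERS
    return {"type": mtype, "server": server, "yiaddr": pkt["yiaddr"],
            "client": pkt["chaddr"], "rogue": rogue}


def audit(packets) -> list:
    """One alert line per server message that did not come from an authorised server."""
    alerts = []
    for p in packets:
        r = check_packet(p)
        if r["rogue"]:
            alerts.append(f"rogue DHCP{r['type']} from {r['server']} "
                          f"offering {r['yiaddr']} to {r['client']}")
    return alerts


def build_dhcp(op, xid, yiaddr, chaddr, msg_type, server_id=None) -> bytes:
    """Build a minimal DHCP packet; used only to construct the sample traffic below."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)       # op,htype,hlen,hops,xid,secs,flags
    pkt += bytes(4) + ip_bytes(yiaddr) + bytes(8)               # ciaddr, yiaddr, siaddr, giaddr
    pkt += bytes.fromhex(chaddr.replace(":", "")) + bytes(10)   # chaddr padded to 16 bytes
    pkt += bytes(192)                                           # sname (64) + file (128)
    pkt += MAGIC_COOKIE + bytes([53, 1, msg_type])              # option 53: message type
    if server_id:
        pkt += bytes([54, 4]) + ip_bytes(server_id)             # option 54: server identifier
    return pkt + b"\xff"


# Constructed sample traffic: a client discover, the corporate server's offer,
# and an offer from a test box (192.168.1.1) left with its DHCP service running.
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1234, "0.0.0.0", "00:11:22:33:44:55", 1),
    build_dhcp(2, 0x1234, "10.0.0.50", "00:11:22:33:44:55", 2, "10.0.0.1"),
    build_dhcp(2, 0x1234, "192.168.1.100", "00:11:22:33:44:55", 2, "192.168.1.1"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

On a real segment you would feed `audit()` the UDP payloads from a capture on the client port instead of `SAMPLE_PACKETS`; the allow-list is keyed on option 54 rather than the source IP because that is the value clients themselves use to pick a server, so it is the one that matters when two servers answer.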