Firewall Wizards mailing list archives

RE: DHCP in a corporate MS environment - Security Risk?


From: David Lang <david.lang () digitalinsight com>
Date: Wed, 22 Jan 2003 13:56:16 -0800 (PST)

Paul (and others referring to the headaches of static addresses)

if you statically assign the addresses via DHCP does your opposition still
stand?

doing this gains you the central management advantages of DHCP

since the leases are fixed you only have to backup the config, not the
leases (hopefully something that changes less frequently)

backup servers become trivial because the primary and backup will be
issuing the same IP, no need for any complicated syncing between them

since the address management is centralized it's much easier to avoid
duplicates.

it gives you the ability to do analysis over time of firewall/IDS logs
without having to lookup each entry to see which machine had that IP at
that time.

no it's not foolproof (as per notes about manually setting IP addresses)
but it seems like it provides advantages over dynamic addresses at the
cost of additional work when a new machine is introduced on the network.

David Lang


On Wed, 22 Jan 2003, Paul D. Robertson wrote:

Date: Wed, 22 Jan 2003 09:23:19 -0500 (EST)
From: Paul D. Robertson <proberts () patriot net>
To: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Cc: 'Eye Am' <eyeam () optonline net>, firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

On Tue, 21 Jan 2003, Noonan, Wesley wrote:

Absolutely no doubt in my mind, I have and will continue to use DHCP as much
as I can, provided of course it is technically and logistically feasible. As

I don't like static DHCP for servers because it creates an unnecessary
dependency on a system that's easy to MITM.  For clients, I don't mind at
all.  A lot of it has to do with how the network is structured though- if
it's a small, flat network, then that's not as much of an issue as if the
network's routed and reliant on DHCP helpers to get an answer back before
any attacker might (DoS on a local DHCP server is a different issue.)

I wouldn't manage client addresses manually any more though unless I was
specifically trying to do a specific static addressing/routing/ARP table
thing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

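The log-analysis advantage David describes (resolving a firewall or IDS entry to a machine without consulting lease history) and the caveat that it is not foolproof (a manually configured address will not be in the reservation table) can be demonstrated with a small script. The following is an added example, not code from the thread or from any DHCP server project: it parses a constructed ISC dhcpd-style set of `host` reservations, annotates constructed iptables-style log lines with the reserved hostname and MAC, and flags source addresses that have no reservation so a defender can review them. The config syntax and log format are assumed for illustration.

```python
import re
from collections import Counter

# Constructed ISC dhcpd-style configuration (assumption, not from the thread):
# every workstation gets a fixed-address reservation, so the address-to-host
# mapping lives in the config rather than in the lease database.
DHCPD_CONF = """
subnet 10.0.1.0 netmask 255.255.255.0 {
  range 10.0.1.100 10.0.1.199;
}
host ws-alice {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.0.1.20;
}
host ws-bob {
  hardware ethernet 00:11:22:33:44:66;
  fixed-address 10.0.1.21;
}
host printer-3f {
  hardware ethernet 00:11:22:33:44:77;
  fixed-address 10.0.1.50;
}
"""

# Constructed iptables-style firewall log lines (sample input only).
FW_LOG = """\
Jan 22 13:56:01 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=443
Jan 22 13:56:07 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.1.50 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=25
Jan 22 13:57:12 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.1.77 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=22
Jan 22 13:58:40 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=5353
"""

HOST_RE = re.compile(r"host\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
ADDR_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")
SRC_RE = re.compile(r"\bSRC=([\d.]+)")


def parse_reservations(conf):
    """Return {ip: (hostname, mac)} from every host block with a fixed-address.

    Because the table is central, a duplicate fixed-address is caught here
    instead of surfacing later as two machines fighting over one IP.
    """
    table = {}
    for m in HOST_RE.finditer(conf):
        mac = MAC_RE.search(m.group("body"))
        addr = ADDR_RE.search(m.group("body"))
        if mac and addr:
            ip = addr.group(1)
            if ip in table:
                raise ValueError(f"duplicate fixed-address {ip}")
            table[ip] = (m.group("name"), mac.group(1).lower())
    return table


def annotate_log(log, table):
    """Attach host identity to each log line; mark unreserved sources.

    With fixed reservations the lookup needs no timestamp, since the
    mapping does not change between leases.
    """
    rows = []
    for line in log.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        name, mac = table.get(ip, ("UNRESERVED", None))
        rows.append({"line": line, "src": ip, "host": name, "mac": mac})
    return rows


def unreserved_sources(rows):
    """Count log entries per source IP that has no reservation.

    These are the 'not foolproof' cases: a manually set address, a device
    from the dynamic range, or something that should not be on the segment.
    """
    return Counter(r["src"] for r in rows if r["host"] == "UNRESERVED")


if __name__ == "__main__":
    reservations = parse_reservations(DHCPD_CONF)
    annotated = annotate_log(FW_LOG, reservations)
    for row in annotated:
        print(f"{row['src']:<12} {row['host']:<12} {row['line']}")
    print("unreserved sources:", dict(unreserved_sources(annotated)))
```

In the sample run, 10.0.1.77 has no reservation and is reported separately; in practice that list is the short review queue a reservation-only design gives you, while the rest of the log is already attributed to a named host.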
