Firewall Wizards mailing list archives
RE: DHCP in a corporate MS environment - Security Risk?
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Wed, 22 Jan 2003 16:47:31 -0600
I don't mind that (aside from the point that statically assigning via DHCP really isn't an accurate description), and in fact that is what I encourage (reservations). I am sure I am in the minority, but that is always how I have deployed my servers that I can get away with running as DHCP clients (basically, everything except the DHCP server). Assign a reservation and run with it. It makes it incredibly easy to know what server has what address without needing to pore through a ton of spreadsheets.

The only caveat that I would throw out is I tend to extend my lease duration to something on the scale of 2-4 weeks so that I have that much time to fix any potential meltdown of the DHCP databases (as a note, never set them as "unlimited", as in MS speak this means don't ever pay attention to any other DHCP server, including the current one, ever again... might as well be static at that point). With proper backups (daily) and the nature of MS DHCP (hands out the same address to a client as much as possible) recovery has never taken me more than 10-15 minutes, and most of that is me copying the files in place to run the restore process.

When I need to make network changes (i.e. new DNS servers, etc.) it simply becomes a matter of scripting a refresh/renew and poof, 99% of my hardware starts using the change. Network upgrades that previously (a) weren't feasible or (b) took a weekend become 5 minute processes.

Auditing, to me at least, is a non-issue here. I can correlate the data between logs (it is, after all, what we get paid for) just as easily with DHCP everywhere as I can with statics or reservations in place.

Thanks.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com
-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Wednesday, January 22, 2003 15:56
To: Paul D. Robertson
Cc: Noonan, Wesley; 'Eye Am'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

Paul (and others referring to the headaches of static addresses)

If you statically assign the addresses via DHCP does your opposition still stand?

Doing this gains you the central management advantages of DHCP.

Since the leases are fixed you only have to back up the config, not the leases (hopefully something that changes less frequently).

Backup servers become trivial because the primary and backup will be issuing the same IP, no need for any complicated syncing between them.

Since the address management is centralized it's much easier to avoid duplicates.

It gives you the ability to do analysis over time of firewall/IDS logs without having to look up each entry to see which machine had that IP at that time.

No, it's not foolproof (as per notes about manually setting IP addresses) but it seems like it provides advantages over dynamic addresses at the cost of additional work when a new machine is introduced on the network.

David Lang

On Wed, 22 Jan 2003, Paul D. Robertson wrote:

Date: Wed, 22 Jan 2003 09:23:19 -0500 (EST)
From: Paul D. Robertson <proberts () patriot net>
To: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Cc: 'Eye Am' <eyeam () optonline net>, firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

On Tue, 21 Jan 2003, Noonan, Wesley wrote:

Absolutely no doubt in my mind, I have and will continue to use DHCP as much as I can, provided of course it is technically and logistically feasible. As

I don't like static DHCP for servers because it creates an unnecessary dependency on a system that's easy to MITM. For clients, I don't mind at all.

A lot of it has to do with how the network is structured though; if it's a small, flat network, then that's not as much of an issue as if the network's routed and reliant on DHCP helpers to get an answer back before any attacker might (DoS on a local DHCP server is a different issue.)

I wouldn't manage client addresses manually any more though unless I was specifically trying to do a specific static addressing/routing/ARP table thing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment
                          TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
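Both Wes (correlating DHCP data with other logs for auditing) and David (analysing firewall/IDS logs over time without looking up which machine held an IP) are describing the same defender's task: attributing an address seen in a firewall log to a host at that moment. The script below is an added example written for this archive page, not code from any poster on the thread. Its two inputs are constructed samples, and their column layouts are assumptions rather than the exact format of the MS DHCP audit log or of any firewall. It folds lease, renew, release and reservation events into time intervals, then answers "which host had this IP at this time" for each firewall line, returning None for an address the DHCP server never issued (the manually set static that David's "not foolproof" remark points to).

```python
"""Attribute firewall-log source IPs to hosts using DHCP lease history.

Added example for this thread, not code from any poster. Both logs are
constructed samples; their column layouts are assumptions, not the exact
format of the MS DHCP audit log or of any particular firewall.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DHCP server events. A reservation is modelled as a lease whose
# length is the scope's lease duration (14 days here, inside the 2-4 week
# range discussed in the thread).
DHCP_LOG = """\
event,time,ip,mac,host,lease_seconds
reservation,2003-01-22 00:00:00,10.1.2.10,00-11-22-33-44-88,srv-files,1209600
lease,2003-01-22 08:00:00,10.1.2.50,00-11-22-33-44-55,ws-alice,28800
lease,2003-01-22 08:05:00,10.1.2.51,00-11-22-33-44-66,ws-bob,28800
renew,2003-01-22 10:00:00,10.1.2.51,00-11-22-33-44-66,ws-bob,28800
release,2003-01-22 12:00:00,10.1.2.50,00-11-22-33-44-55,ws-alice,0
lease,2003-01-22 12:30:00,10.1.2.50,00-11-22-33-44-77,ws-carol,28800
"""

# Constructed firewall log lines: timestamp followed by key=value fields.
FW_LOG = """\
2003-01-22 09:15:00 src=10.1.2.50 dst=192.0.2.9 action=deny
2003-01-22 13:10:00 src=10.1.2.50 dst=192.0.2.9 action=deny
2003-01-22 13:11:00 src=10.1.2.10 dst=192.0.2.9 action=allow
2003-01-22 13:12:00 src=10.1.2.99 dst=192.0.2.9 action=deny
2003-01-22 17:00:00 src=10.1.2.51 dst=192.0.2.9 action=allow
"""


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: datetime  # exclusive


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def lookup(history: list[Lease], ip: str, at: datetime) -> Lease | None:
    """Lease covering `ip` at time `at`. If two overlap (an unreleased lease
    followed by a reassignment) the latest-started one wins. None means the
    DHCP server never issued that address then, e.g. a manually set static."""
    covering = [x for x in history if x.ip == ip and x.start <= at < x.end]
    return max(covering, key=lambda x: x.start) if covering else None


def build_lease_history(dhcp_csv: str) -> list[Lease]:
    """Fold DHCP events into [start, end) intervals per IP/MAC."""
    history: list[Lease] = []
    for row in csv.DictReader(io.StringIO(dhcp_csv)):
        ts = parse_ts(row["time"])
        ip, mac, host = row["ip"], row["mac"], row["host"]
        length = timedelta(seconds=int(row["lease_seconds"]))
        current = lookup(history, ip, ts)
        if row["event"] in ("lease", "reservation"):
            history.append(Lease(ip, mac, host, ts, ts + length))
        elif row["event"] == "renew":
            if current is not None and current.mac == mac:
                current.end = ts + length       # renewal pushes the expiry out
            else:                               # renew with no open lease: treat as new
                history.append(Lease(ip, mac, host, ts, ts + length))
        elif row["event"] == "release":
            if current is not None and current.mac == mac:
                current.end = ts                # address is free from now on
    return history


def attribute(fw_log: str, history: list[Lease]) -> list[tuple[str, str, str | None, str]]:
    """For each firewall line return (time, src ip, host or None, action)."""
    rows = []
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        date, clock, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = f"{date} {clock}"
        lease = lookup(history, kv["src"], parse_ts(when))
        rows.append((when, kv["src"], lease.host if lease else None, kv["action"]))
    return rows


if __name__ == "__main__":
    for when, ip, host, action in attribute(FW_LOG, build_lease_history(DHCP_LOG)):
        print(f"{when}  {ip:<12} {host or 'UNATTRIBUTED':<13} {action}")
```

With the constructed data, 10.1.2.50 resolves to ws-alice at 09:15 and to ws-carol at 13:10, because the release at 12:00 closed the first interval and a new lease reassigned the address; that reuse is exactly the lookup David wants to avoid by fixing addresses, and the reason the lease history, not just the current lease table, has to be in the backups Wes mentions. The reserved 10.1.2.10 resolves to srv-files at any time inside its 14-day interval, and 10.1.2.99 comes back unattributed, which is the signal to go looking for a manually configured host.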