Firewall Wizards mailing list archives

RE: DHCP in a corporate MS environment - Security Risk?


From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Wed, 22 Jan 2003 16:47:31 -0600

I don't mind that (aside from the point that statically assigning via DHCP
really isn't an accurate description), and in fact that is what I encourage
(reservations). I am sure I am in the minority, but that is always how I
have deployed my servers that I can get away with running as DHCP clients
(basically, everything except the DHCP server). Assign a reservation and run
with it. It makes it incredibly easy to know what server has what address
without needing to pore through a ton of spreadsheets.

The only caveat that I would throw out is I tend to extend my lease duration
to something on the scale of 2-4 weeks so that I have that much time to fix
any potential meltdown of the DHCP databases (As a note, never set them as
"unlimited" as in MS speak this means don't ever pay attention to any other
DHCP server, including the current one, ever again... might as well be
static at that point). With proper backups (daily) and the nature of MS DHCP
(hands out the same address to a client as much as possible) recovery has
never taken me more than 10-15 minutes, and most of that is me copying the
files in place to run the restore process.

When I need to make network changes (i.e. new DNS servers, etc.) it simply
becomes a matter of scripting a refresh/renew and poof, 99% of my hardware
starts using the change. Network upgrades that previously (a) weren't
feasible or (b) took a weekend become 5 minute processes.

Auditing, to me at least, is a non-issue here. I can correlate the data
between logs (it is, after all, what we get paid for) just as easily with
DHCP everywhere as I can with statics or reservations in place.

Thanks.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Wednesday, January 22, 2003 15:56
To: Paul D. Robertson
Cc: Noonan, Wesley; 'Eye Am'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

Paul (and others referring to the headaches of static addresses)

if you statically assign the addresses via DHCP does your opposition still
stand?

doing this gains you the central management advantages of DHCP

since the leases are fixed you only have to backup the config, not the
leases (hopefully something that changes less frequently)

backup servers become trivial because the primary and backup will be
issuing the same IP, no need for any complicated syncing between them

since the address management is centralized it's much easier to avoid
duplicates.

it gives you the ability to do analysis over time of firewall/IDS logs
without having to lookup each entry to see which machine had that IP at
that time.

no it's not foolproof (as per notes about manually setting IP addresses)
but it seems like it provides advantages over dynamic addresses at the
cost of additional work when a new machine is introduced on the network.

David Lang


On Wed, 22 Jan 2003, Paul D. Robertson wrote:

Date: Wed, 22 Jan 2003 09:23:19 -0500 (EST)
From: Paul D. Robertson <proberts () patriot net>
To: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Cc: 'Eye Am' <eyeam () optonline net>, firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security
Risk?

On Tue, 21 Jan 2003, Noonan, Wesley wrote:

Absolutely no doubt in my mind, I have and will continue to use DHCP as much
as I can, provided of course it is technically and logistically feasible. As

I don't like static DHCP for servers because it creates an unnecessary
dependency on a system that's easy to MITM. For clients, I don't mind at
all. A lot of it has to do with how the network is structured though; if
it's a small, flat network, then that's not as much of an issue as if the
network's routed and reliant on DHCP helpers to get an answer back before
any attacker might (DoS on a local DHCP server is a different issue.)

I wouldn't manage client addresses manually any more though unless I was
specifically trying to do a specific static addressing/routing/ARP table
thing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
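Wes's remark about correlating data between logs and David's point about looking up which machine held an IP at a given time come down to the same join. The following is an added example, not code from the thread: it indexes a constructed, simplified DHCP lease history (the record layout and all values are made up here and are not the MS DHCP audit log format) and attributes firewall log lines to whichever MAC/host held the source address at that moment, including the case where an address was released and re-issued to a different client.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed, simplified DHCP server records (not a real server's format):
# timestamp, event, ip, mac, hostname. Event 10 = new lease, 11 = renew, 12 = release.
DHCP_LOG = """\
2003-01-22 08:00:00,10,10.1.2.50,00-11-22-33-44-55,alice-pc
2003-01-22 09:30:00,10,10.1.2.51,00-11-22-33-44-66,bob-pc
2003-01-22 12:00:00,12,10.1.2.50,00-11-22-33-44-55,alice-pc
2003-01-22 12:05:00,10,10.1.2.50,00-11-22-33-44-77,guest-laptop
2003-01-22 14:00:00,11,10.1.2.51,00-11-22-33-44-66,bob-pc
"""

# Constructed firewall deny lines: timestamp, action, source ip, destination.
FW_LOG = """\
2003-01-22 11:59:00 DENY 10.1.2.50 -> 192.0.2.9:445
2003-01-22 12:30:00 DENY 10.1.2.50 -> 192.0.2.9:445
2003-01-22 15:00:00 DENY 10.1.2.51 -> 192.0.2.7:22
2003-01-22 15:00:00 DENY 10.1.2.99 -> 192.0.2.7:22
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_history(dhcp_log):
    """Per IP, a time-ordered list of (timestamp, holder); holder is
    (mac, host), or None after a release. Renewals simply restate the holder."""
    hist = {}
    for line in dhcp_log.strip().splitlines():
        ts, event, ip, mac, host = line.split(",")
        holder = None if event == "12" else (mac, host)
        hist.setdefault(ip, []).append((parse_ts(ts), holder))
    for events in hist.values():
        events.sort()
    return hist

def holder_at(hist, ip, when):
    """Return the (mac, host) that held ip at time when, or None if no lease did."""
    events = hist.get(ip, [])
    times = [t for t, _ in events]
    idx = bisect_right(times, when) - 1   # latest event at or before `when`
    return None if idx < 0 else events[idx][1]

def attribute(fw_log, hist):
    """Join each firewall line to the lease holder at its timestamp."""
    out = []
    for line in fw_log.strip().splitlines():
        date, time, _, src, _, dst = line.split()
        out.append((src, dst, holder_at(hist, src, parse_ts(f"{date} {time}"))))
    return out
```

A `None` holder (the last constructed line) is the interesting result: traffic from an address the DHCP server never leased is exactly the manually configured or foreign host the thread warns reservations cannot prevent.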
