Firewall Wizards mailing list archives
RE: DHCP in a corporate MS environment - Security Risk?
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Wed, 22 Jan 2003 18:23:30 -0600
Couple of things.

1) IP addresses don't change in DHCP that often. By design most (and all DHCP servers I have seen) attempt to hand the same client the same address all the time. Even if the address becomes available, the DHCP server will hand out a never used address first.

2) Backup and logs. I don't manage servers anymore but I checked logs daily so that I could notice trends. Logging is your friend... if you read them more often than when you have to.

3) There are numerous tools that will parse logs and correlate them. We used them quite regularly. Some were homegrown and some came from vendors. Also, centralized logging is your friend.

To be fair, I never had to go back 6 months to track something down for legal, or other reasons, however at the same time I tended to be able to spot trends on a daily and weekly basis and act accordingly.

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com
-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Wednesday, January 22, 2003 18:02
To: Noonan, Wesley
Cc: Paul D. Robertson; 'Eye Am'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

On Wed, 22 Jan 2003, Noonan, Wesley wrote:

> Auditing, to me at least, is a non-issue here. I can correlate the data
> between logs (it is, after all, what we get paid for) just as easily with
> DHCP everywhere as I can with statics or reservations in place.

Wes,

how do you track things over time as IP addresses change?

The only way I can think of is to run all your logs through a post-processor to cross-reference with your DHCP logs to find what machine was at a given IP address at the time of the log entry.

If all you are doing is comparing different logs at time X it's not a problem, but if you want to be able to notice that a given machine is doing the same thing every Monday morning then you need to know that IP 1.2.3.4 on Jan 1 is the same machine as 1.2.3.5 on Feb 1.

David Lang
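The post-processing step raised in the quoted message, resolving each log entry's IP address to the machine that held it at that moment, shown as an added example that is not part of the original thread. The log formats, sample lines and function names are constructed for illustration, and it assumes DHCP events arrive in time order with only ASSIGN and RELEASE lines.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (assumed formats, not from the thread).
DHCP_LOG = """\
2003-01-01T08:00:00 ASSIGN 1.2.3.4 00:a0:c9:11:22:33
2003-01-20T17:00:00 RELEASE 1.2.3.4 00:a0:c9:11:22:33
2003-01-25T09:00:00 ASSIGN 1.2.3.4 00:a0:c9:44:55:66
2003-01-27T08:00:00 ASSIGN 1.2.3.5 00:a0:c9:11:22:33
"""
FW_LOG = """\
2003-01-06T08:05:00 1.2.3.4 deny tcp/6667
2003-01-22T12:00:00 1.2.3.4 deny tcp/6667
2003-01-27T08:10:00 1.2.3.4 deny tcp/80
2003-02-03T08:05:00 1.2.3.5 deny tcp/6667
"""

def build_leases(dhcp_text):
    """Return {ip: [(start, end_or_None, mac), ...]} in time order."""
    leases = defaultdict(list)
    for line in dhcp_text.splitlines():
        ts, event, ip, mac = line.split()
        when = datetime.fromisoformat(ts)
        history = leases[ip]
        # Any new event on an IP closes the lease interval still open on it.
        if history and history[-1][1] is None:
            history[-1] = (history[-1][0], when, history[-1][2])
        if event == "ASSIGN":
            history.append((when, None, mac))
    return leases

def mac_at(leases, ip, when):
    """MAC holding `ip` at `when`, or None if no lease covered that instant."""
    history = leases.get(ip, [])
    i = bisect_right([start for start, _, _ in history], when) - 1
    if i < 0:
        return None
    start, end, mac = history[i]
    return mac if end is None or when < end else None

def events_by_machine(leases, fw_text):
    """Group firewall events by MAC address instead of by IP."""
    grouped = defaultdict(list)
    for line in fw_text.splitlines():
        ts, ip, detail = line.split(maxsplit=2)
        mac = mac_at(leases, ip, datetime.fromisoformat(ts))
        grouped[mac or "unattributed"].append((ts, ip, detail))
    return grouped
```

Grouping by MAC puts the two Monday-morning tcp/6667 denials under one machine even though they came from different addresses, and the entry logged while no lease was active lands in "unattributed" rather than being pinned on the next holder of that IP.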