Firewall Wizards mailing list archives

RE: DHCP in a corporate MS environment - Security Risk?


From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Wed, 22 Jan 2003 18:23:30 -0600

Couple of things.

1) IP addresses don't change in DHCP that often. By design most (and all
DHCP servers I have seen) attempt to hand the same client the same address
all the time. Even if the address becomes available, the DHCP server will
hand out a never used address first.
2) Backup and logs. I don't manage servers anymore but I checked logs daily
so that I could notice trends. Logging is your friend... if you read them
more often than when you have to.
3) There are numerous tools that will parse logs and correlate them. We used
them quite regularly. Some were homegrown and some came from vendors. Also,
centralized logging is your friend. 

To be fair, I never had to go back 6 months to track something down for
legal, or other reasons, however at the same time I tended to be able to
spot trends on a daily and weekly basis and act accordingly. 

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Wednesday, January 22, 2003 18:02
To: Noonan, Wesley
Cc: Paul D. Robertson; 'Eye Am'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

On Wed, 22 Jan 2003, Noonan, Wesley wrote:

Auditing, to me at least, is a non-issue here. I can correlate the data
between logs (it is, after all, what we get paid for) just as easily with
DHCP everywhere as I can with statics or reservations in place.


Wes, how do you track things over time as IP addresses change? The only
way I can think of is to run all your logs through a post-processor to
cross reference with your DHCP logs to find what machine was at a given IP
address at the time of the log entry.

If all you are doing is comparing different logs at time X it's not a
problem, but if you want to be able to notice that a given machine is
doing the same thing every Monday morning then you need to know that IP
1.2.3.4 on Jan 1 is the same machine as 1.2.3.5 on Feb 1.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
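The post-processor David describes above (and the kind of homegrown correlation tool Wes mentions in his point 3) can be sketched in a few dozen lines. The following is an added example, not code posted by either of them: it replays a DHCP lease history to answer "which MAC held this IP at this instant", rewrites firewall events in terms of the machine rather than the address, and then looks for the "same thing every Monday morning" pattern across weeks. Both log formats, the hostnames ws-alice and ws-bob, the MAC addresses and all timestamps are constructed for the example; the lease log is only loosely modelled on a DHCP server audit log, not any vendor's exact format.

```python
"""Correlate firewall log lines with DHCP lease events so that activity can be
tracked per machine (MAC address) even as the machine's IP address changes.
Added example for the thread above; every log line below is constructed."""
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease log: timestamp,event,ip,mac,hostname.
# ws-alice holds 10.0.0.5, releases it, comes back on 10.0.0.6; ws-bob then
# receives the recycled 10.0.0.5 two days later.
DHCP_LOG = """\
2003-01-01 09:00:00,ASSIGN,10.0.0.5,aa:bb:cc:00:00:01,ws-alice
2003-01-19 18:00:00,RELEASE,10.0.0.5,aa:bb:cc:00:00:01,ws-alice
2003-01-20 07:30:00,ASSIGN,10.0.0.6,aa:bb:cc:00:00:01,ws-alice
2003-01-22 08:00:00,ASSIGN,10.0.0.5,aa:bb:cc:00:00:02,ws-bob
"""

# Constructed firewall log: one workstation makes the same denied outbound
# connection every Monday morning while its address changes mid-month.  The
# 2003-01-19 20:00 line falls in the gap between release and re-assignment.
FIREWALL_LOG = """\
2003-01-06 08:05:12 src=10.0.0.5 dst=203.0.113.7 dport=25 action=deny
2003-01-13 08:07:40 src=10.0.0.5 dst=203.0.113.7 dport=25 action=deny
2003-01-19 20:00:00 src=10.0.0.5 dst=203.0.113.7 dport=25 action=deny
2003-01-20 08:04:02 src=10.0.0.6 dst=203.0.113.7 dport=25 action=deny
2003-01-22 14:00:00 src=10.0.0.5 dst=198.51.100.9 dport=80 action=allow
2003-01-27 08:06:55 src=10.0.0.6 dst=203.0.113.7 dport=25 action=deny
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_dhcp_log(text):
    """Return {ip: ([timestamps], [mac-or-None])} sorted by time, so the holder
    of an IP at any instant can be found by binary search.  A RELEASE records
    None: the address was unowned until the next ASSIGN."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, event, ip, mac, _host = line.split(",")
        holder = mac if event == "ASSIGN" else None
        events[ip].append((datetime.strptime(ts, TS_FMT), holder))
    table = {}
    for ip, evs in events.items():
        evs.sort()
        table[ip] = ([t for t, _ in evs], [m for _, m in evs])
    return table


def resolve_mac(lease_table, ip, when):
    """MAC holding `ip` at `when`, or None if the lease history cannot say."""
    if ip not in lease_table:
        return None
    times, holders = lease_table[ip]
    idx = bisect.bisect_right(times, when) - 1   # last lease event at or before `when`
    return holders[idx] if idx >= 0 else None


def parse_firewall_log(text):
    """Yield (timestamp, fields) for each constructed 'key=value' firewall line."""
    for line in text.splitlines():
        ts_str, rest = line[:19], line[20:]
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.strptime(ts_str, TS_FMT), fields


def attribute_events(lease_table, fw_text):
    """Rewrite each firewall event as (time, mac, dst, dport, action); mac is
    None when no lease covered the source address at that time."""
    out = []
    for when, f in parse_firewall_log(fw_text):
        mac = resolve_mac(lease_table, f["src"], when)
        out.append((when, mac, f["dst"], f["dport"], f["action"]))
    return out


def recurring_by_machine(events, min_weeks=3):
    """Return {(mac, weekday, hour, dst, dport, action): [iso weeks]} for
    combinations seen in at least `min_weeks` distinct weeks.  Grouping by MAC
    rather than source IP is what makes the pattern visible across a lease
    change."""
    weeks_seen = defaultdict(set)
    for when, mac, dst, dport, action in events:
        if mac is None:
            continue                      # unattributable; report separately if needed
        key = (mac, when.strftime("%a"), when.hour, dst, dport, action)
        weeks_seen[key].add(when.isocalendar()[1])
    return {k: sorted(w) for k, w in weeks_seen.items() if len(w) >= min_weeks}


if __name__ == "__main__":
    leases = parse_dhcp_log(DHCP_LOG)
    attributed = attribute_events(leases, FIREWALL_LOG)
    for when, mac, dst, dport, action in attributed:
        print(when, mac or "UNKNOWN", dst, dport, action)
    for key, weeks in recurring_by_machine(attributed).items():
        print("recurring:", key, "ISO weeks", weeks)
```

Grouping on source IP alone would split ws-alice's Monday pattern into two runs of two and, worse, would credit ws-bob's later use of 10.0.0.5 to the wrong machine; the unattributable 19 January line is kept as None rather than guessed, which is the case worth flagging when lease logs have gaps or are rotated away before the firewall logs are.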
