Re: Down with DHCP!!!!

[securityfocus () wormtail co uk]

If you have to go down that route, couldn't you achieve the same with DHCP reservations (and  by not giving out 
addresses to any MACs that aren't in the reservation table)? That would probably go down better with the desktop 
support engineers, because they wouldn't have to do any extra configuration on machines that have been re-imaged. It 
also would also keep the control more central.

Personally, I don't think removing DHCP will improve security much. There are much better ways to do it, for example 
ensuring that there is only 1 data connection for each legitimate PC, and if the access switches have the 
functionality, restricting the number of MACs permitted on a "user" port to one (to prevent people daisy-chaining 
hubs). I did a similar thing in my last job, and it proved very effective, not least because violations showed in the 
logs, offending ports were automatically disabled, and the user had to sheepishly log a helpdesk call to get their port 
re-enabled by networks support.

I wouldn't be happy implementing a DHCP-free solution on the grounds of improved security, because I think it would be 
a lot of work (initially and ongoing) and not effective enough to justify the effort.

Foeh

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------