Security Basics mailing list archives
Re: Down with DHCP!!!!
From: tagrrr () gmail com
Date: 20 Feb 2006 18:49:35 -0000
Hey there, First of all, I applaud your effort and motivation to bring additional security to your networks. You are definitely taking a huge leap in the right direction as far as thinking outside the box for innovative ideas and not settling for status quo. However, with that said, I think that disabling DHCP will not be the best thing to do for a few reasons: 1. Managing static address pools is a nightmare, unless you have a full-time resource to do it. I remember the old days, and that is a fire that can easily out of control. It leads to people forgetting to tell you when they used one, etc, etc, and before you know it your inventory is useless. 2. You will become the enemy of your network team. If they have an extra step to take, and always have to come to you for an address (or have to tell you each time they use one,) that will get old quick and you dont want to loose your friends on the network side. 3. Even with your best efforts, assigning static addresses will not insure that someone who knows what they are doing cannot figure out your addressing scheme and assign themselves an open address. Yes, you can control this through strict ACLs that only allow the addresses that you assigned to help, but that is even more management on your part. 4. What about some of the benefits that you will be loosing from your DHCP services? What if you want to assign a new IP addresses for your DNS server for example, it may get as bad as you having to go manually change every entry. Additionally, you will loose some flexibility in the logging capabilities that can help in forensic cases. If you set up your environment right, you should be able to match a login name with an assigned IP, which helps a lot in environments where people roam around a lot. This also helps in tracking down systems with viruses, etc to poll your DHCP server to see exactly who has that IP address, whereas a static address list that is out of date may seriously hurt you. These are just a few of the random things to think about when looking at changing from a DHCP environment to a static one. I have been on both sides of the fence in my career, and hands-down prefer the DHCP method. Another thing to think about would be looking at securing your DHCP services more, have you looked at general best practices, or perhaps what companies like Metainfo are doing in the Secure DHCP market? For instance, I know that a lot of vendors are specifically harnessing DHCP to assist with NAC implementations, which will take care of those AV/Patch levels and those users who bring in their home PC to plug into the network. Anyways, I will stop rambling on, that is just my .02 though. The bottom line once again though is that you look to be on the right track of becoming an extremely valuable security professional. Dont ever stop thinking of new and innovative ways to increase security. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Down with DHCP!!!!, (continued)
- Re: Down with DHCP!!!! robjohn (Feb 21)
- Re: Down with DHCP!!!! Y0 (Feb 21)
- RE: Down with DHCP!!!! Michael J. Benedetto (Feb 21)
- Re: Down with DHCP!!!! Brian Loe (Feb 21)
- RE: Down with DHCP!!!! Mitch Pope (Feb 22)
- Re: Down with DHCP!!!! Brian Loe (Feb 22)
- Re: Down with DHCP!!!! carowe (Feb 21)
- Re: Down with DHCP!!!! securityfocus (Feb 21)
- Re: Down with DHCP!!!! danno (Feb 21)
- Re: Down with DHCP!!!! tagrrr (Feb 21)
- Re: Down with DHCP!!!! tagrrr (Feb 21)
- Re: Down with DHCP!!!! rob . lucchetti (Feb 21)
- Re: Down with DHCP!!!! someone (Feb 21)
- Re: Down with DHCP!!!! a_wirtz (Feb 21)
- RE: Down with DHCP!!!! Steven Johnston (Feb 21)
- Re: Down with DHCP!!!! jalvare7 (Feb 21)
- RE: Down with DHCP!!!! Jasun Tate (Feb 21)
- Re: Down with DHCP!!!! gigabit (Feb 22)
- Re: Down with DHCP!!!! tandernam (Feb 22)
- Re: Down with DHCP!!!! Brian Loe (Feb 22)
- RE: Down with DHCP!!!! Michael J. Benedetto (Feb 23)
(Thread continues...)