Security Basics mailing list archives

RE: Firewalls and PCI

From: "Timmothy Lester" <Timmothy.Lester () primeadvisors com>
Date: Wed, 16 Jan 2008 11:20:10 -0800

This is short, but why not just use DHCP reservations?  It won't protect
against all MITM attacks, but at least you have associated the IP wit
that MAC address.  Sure a rogue DHCP server could start handing out IPs
like candy,  but if your company gets big enough, static entry is "gonna
be a bi+ch".  I would implement other security features to protect your
network. Being afraid of DHCP isn't going to help you in the long run.
Sorry if I'm wasting your time reading this.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jon R. Kibler
Sent: Wednesday, January 16, 2008 1:31 PM
To: Brian Johnson
Cc: security-basics () securityfocus com
Subject: Re: Firewalls and PCI

Brian Johnson wrote:

How does a lack of DHCP let you KNOW who is on your network?  Absent
DHCP all an attacker with zero knowledge of the network configuration
needs to do is sniff the ARP and other broadcast traffic to determine
the addressing of the network and find themselves an open address or
takeover a used address.  Now if you have 802.1x or use IPSEC to limit
communications that is another story entirely and can still function
with DHCP.

A number of clients I visit say that lack of DHCP is a security
measure.  If they push back on my claim it would only slow an attacker
down I demonstrate just how easy it is to find an open address, I end
up able to talk to their network inside of 5 minutes.


I agree completely that a lack of DHCP does not mean security. However,
anything DHCP I automatically presume is untrustworthy. With static IPs,
I lock down switches, associating a MAC with a port or use 802.1x.

Since you mentioned it, a comment about IPSec: You not believe the
number
of sites that think they have IPSec enabled, but don't really. They take
the average windows defaults in IPSec setup (no AH, no ESP) and think
they now have IPSec security. Like everything else, unless configured
correctly, and TESTED, IPSec is not going to provide any additional
security. When a site enables IPSec, you would think they would at least
sniff the network to see if the traffic is REALLY encrypted, but I have
yet to see any site have actually tested their IPSec configuration.

Jon
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214





==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

Current thread:

Firewalls and PCI Josh Haft (Jan 15)
- Re: Firewalls and PCI Jon R. Kibler (Jan 15)
  - Re: Firewalls and PCI Brian Johnson (Jan 16)
    - Re: Firewalls and PCI Jon R. Kibler (Jan 16)
    - RE: Firewalls and PCI Craig Wright (Jan 16)
    - RE: Firewalls and PCI Timmothy Lester (Jan 16)
- Re: Firewalls and PCI David Glosser (Jan 16)
  - RE: Firewalls and PCI Jason Alexander (Jan 16)
- <Possible follow-ups>
- Re: Re: Firewalls and PCI evilwon12 (Jan 16)
  - Re: Re: Firewalls and PCI Josh Haft (Jan 16)
    - Message not available
    - Re: Firewalls and PCI Lyle Worthington (Jan 17)
    - RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
    - Re: Re: Firewalls and PCI Josh Haft (Jan 18)
    - RE: Re: Firewalls and PCI Scott Williamson (Jan 18)
    - RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
    - Re: Re: Firewalls and PCI Josh Haft (Jan 18)

(Thread continues...)