Firewall Wizards mailing list archives

RE: firewall-wizards digest, Vol 1 #884 - 1 msg


From: Julian HO Thean Swee <jho () starhub com>
Date: Tue, 25 Feb 2003 09:11:47 +0800

public side. Some security consultants highly recommended static addressing across the board for security and control reasons, i.e. access-list control and the potential for compromise of the DHCP database. I have searched Google etc. and found a few articles and whitepapers.

We have historically configured static IPs on servers, routers, switches and all outside-facing devices. We do have several multi-homed devices with a static, public IP and a second interface facing inside (these are being migrated to a DMZ where multi-homing will no longer be necessary). However this does get to be a pain when making across-the-board changes. Documentation is a bear as well since we are a small company with little resources available to keep detailed network drawings up-to-date.

Lately we are leaning towards regular lease-based DHCP for workstations and reserved DHCP addresses on servers on the private side. This will, of course, make life much easier when making widespread changes or additions such as adding a secondary DNS. I have been wavering back and forth.

Is there any experience with compromised DHCP databases in MS environments? Any strong opinions or reasoning pro or con the use of DHCP? Any recommendations for shoring up the service and its traffic?

Much Appreciated In Advance
Chuck



You have to balance convenience with the probability of compromise.  This
has always been the trick in security, irrespective of which facet
(firewalls, IDS, VPNs, policies, etc.).
Basically, assuming you do not deploy WLANs which are hooked up to your
wired network, how easy is it for someone to obtain access to your premises
and physically jack-in to a port?  If you have a fair bit of physical
security, DHCP should not be a major issue.  I presume you have some kind of
authentication (logon) process being handled by a PDC on the backend for
your user accounts...?

Even if you put static IPs, all an intruder had to do would be to jack in in
some secluded corner, place his laptop's NIC in promiscuous mode, start
capturing traffic with Ethereal or some equivalent packet sniffer and see
what your addressing scheme was.  Even if you had limited the range of IPs
accessing your network, the intruder could even assume the identity of a
valid user by doing an ARP poison against the desired IP, forcing the host
to reboot, then while the host was rebooting, setting their IP to the host's
IP and presto, he's inside.

Saying "is DHCP a security risk?" by itself is not enough - you have to look
at it, as with all other security questions, in light of the big
picture.

Hope this helps,

j.
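The sniff-then-ARP-poison scenario described in the reply above is exactly what an ARP monitor on a span port or on each host catches, and it is also the one place where the static-address inventory Chuck mentions pays off: a documented IP-to-MAC baseline turns "someone else is answering for this address" into a concrete check. The following is an added example and not code from the original thread or from either poster. It parses raw Ethernet/ARP frames, compares each ARP reply against a baseline of known static hosts, and flags replies that contradict the baseline, that carry an ARP sender MAC different from the Ethernet source, or that change the MAC an address was previously seen with in the same capture. The frames, MAC addresses, IP addresses and the baseline are constructed for the demo; a real deployment would read frames from a capture file or a raw socket.

```python
import struct
from collections import defaultdict

# Wire formats. The constructed sample frames below are packed with the same structs.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build a raw Ethernet/ARP reply frame. Used here only to construct the sample capture."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not a valid IPv4-over-Ethernet ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def detect_arp_spoofing(frames, baseline):
    """Flag ARP replies that contradict the documented IP->MAC baseline, that lie about
    their own source MAC, or that change the MAC an IP was previously seen with.
    Returns a list of (frame_index, ip, mac, reason) tuples."""
    alerts = []
    seen = defaultdict(set)   # IP -> MACs observed claiming it in this capture
    for idx, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["spa"], arp["sha"]
        seen[ip].add(mac)
        expected = baseline.get(ip)
        if expected is not None and mac != expected:
            alerts.append((idx, ip, mac, f"contradicts baseline {expected}"))
        elif arp["eth_src"] != mac:
            alerts.append((idx, ip, mac, f"ARP sender MAC differs from Ethernet source {arp['eth_src']}"))
        elif len(seen[ip]) > 1:
            alerts.append((idx, ip, mac, f"IP previously claimed by {sorted(seen[ip] - {mac})}"))
    return alerts


# Constructed sample data (hypothetical addresses): one documented static host, a gateway
# that is missing from the inventory, and an attacker at de:ad:be:ef:00:01 poisoning both.
BASELINE = {"10.0.0.5": "00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:55", "10.0.0.5", "00:aa:bb:cc:dd:ee", "10.0.0.9"),  # genuine host
    build_arp_reply("de:ad:be:ef:00:01", "10.0.0.5", "00:aa:bb:cc:dd:ee", "10.0.0.9"),  # poison: host
    build_arp_reply("00:00:0c:07:ac:01", "10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.9"),  # genuine gateway
    build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1", "00:aa:bb:cc:dd:ee", "10.0.0.9"),  # poison: gateway
]


def run_demo():
    return detect_arp_spoofing(SAMPLE_FRAMES, BASELINE)


if __name__ == "__main__":
    for idx, ip, mac, reason in run_demo():
        print(f"frame {idx}: {mac} claims {ip}: {reason}")
```

The baseline check is what static addressing (or DHCP reservations, which give the same fixed IP-to-MAC pairs) buys you; the third check is the fallback for addresses nobody documented, which is exactly where a small shop with stale network drawings gets caught. Note that a genuine MAC change, such as a replaced NIC, trips the same alert, so the baseline has to be maintained along with the rest of the documentation.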


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
