Firewall Wizards mailing list archives
RE: DHCP in a corporate MS environment - Security Risk?
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Tue, 21 Jan 2003 18:50:44 -0600
In my experience, whatever security might have been gained by going with 100% static addresses (and I think this is a very debatable point) was NEVER worth the hassle and management headache that it created. Absolutely no doubt in my mind, I have and will continue to use DHCP as much as I can, provided of course it is technically and logistically feasible. As for the security and control reasons that you list, DHCP works great for ACLs when properly implemented with reservations, and as for the database, the only thing I can think of that one could get is a listing of all the macs and IP address mappings... but then any time with a sniffer will get you that anyway. As for shoring up the service? Back it up regularly. As for the traffic, again it is negligible. You have bigger fish to fry in this arena than optimizing DHCP traffic. HTH Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+ Senior QA Rep. BMC Software, Inc. (713) 918-2412 wnoonan () bmc com http://www.bmc.com
-----Original Message----- From: Eye Am [mailto:eyeam () optonline net] Sent: Monday, January 20, 2003 22:06 To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] DHCP in a corporate MS environment - Security Risk? I'm looking for opinions, experiences and references on the subject. Downed and searched the entire Firewall-Wizards list. Found little discussion either way. This may be a bit OT for the board except that some security may well be set at the public-facing firewall as well as risks may be apparent there. Our corporate network is reasonably well set up with private and public DNS, no wireless IP connections and blocking all RFC1918 traffic in or out of the public side. Some security consultants highly recommended static addressing across the board for security and control reasons - i.e.. access-list control and the potential for compromise of the DHCP database. I have searched google etc and found a few articles and whitepapers. We have historically configured static IPs on servers, routers, switches and all outside-facing devices. We do have several multi-homed devices with static, public IP and a second interface facing inside (these are being migrated to DMZ where multi-homing will no longer be necessary.) However this does get to be a pain when making across-the-board changes. Documentation is a bear as well since we are a small company with little resources available to keep detailed network drawings up-to-date. Lately we are leaning towards regular lease-based DHCP for workstations and reserved DHCP addresses on servers on the private side. This will, of course, make life much easier when making widespread changes or additions such as adding secondary DNS. I have been wavering back and forth. Is there any experience with compromised DHCP databases in MS environments? Any strong opinions or reasoning pro or con the use of DHCP? Any recommendations for shoring up the service and it's traffic? Much Appreciated In Advance Chuck _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- DHCP in a corporate MS environment - Security Risk? Eye Am (Jan 21)
- Re: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 21)
- Re: DHCP in a corporate MS environment - Security Risk? yossarian (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Bill Royds (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 28)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 29)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 22)
- <Possible follow-ups>
- RE: DHCP in a corporate MS environment - Security Risk? Noonan, Wesley (Jan 21)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 23)
- Re: DHCP in a corporate MS environment - Security Risk? Gary Flynn (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 24)
- RE: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 22)