Firewall Wizards mailing list archives
Re: DHCP in a corporate MS environment - Security Risk?
From: "yossarian" <yossarian () planet nl>
Date: Wed, 22 Jan 2003 02:48:23 +0100
> Some security consultants highly recommended static addressing across the board for security and control reasons - i.e. access-list control and the potential for compromise of the DHCP database. I have searched google etc and found a few articles and whitepapers.
IMHO, using static addressing for security reasons is ineffective against real hackers, since IP spoofing is standard. If you log the addresses used, DHCP will not make forensics impossible. Compromising the DHCP is feasible, the result will be a denial of service, since there will be double addresses. Users reboot, get a new address, and get on with their work. Or if you compromise the DHCP database, so it will give out other ranges of IP addresses. So? If people take down the DHCP, well, use a distributed system so another server will take over, and client systems will probably use the cached IP address, anyway. The only risk to DHCP is people attaching rogue computers to your network. But the risk is marginal, since all you need to do is find out which ranges are used, and pick an address used by someone else. Any sniffer will do this. And using ACLs to ensure that just known PCs attach is not really feasible in an MS shop - since connections to MS servers are done on computer names, not IP addresses.
> We have historically configured static IPs on servers, routers, switches and all outside-facing devices. We do have several multi-homed devices with static, public IP and a second interface facing inside (these are being migrated to DMZ where multi-homing will no longer be necessary.) However this does get to be a pain when making across-the-board changes. Documentation is a bear as well since we are a small company with little resources available to keep detailed network drawings up-to-date.
I think using static addressing with more than a handful of systems will result in more downtime because of human error than security incidents generally do. Using the time freed by less documentation for patching and study is much more effective.
> Is there any experience with compromised DHCP databases in MS environments?
> Any strong opinions or reasoning pro or con the use of DHCP? Any recommendations for shoring up the service and its traffic?
I encountered a DHCP server with a trojan on it once, but the incident was really minor - the server was used to cover tracks to other systems. What is the use of attacking DHCP if there are easier ways of attacking, like ARP cache poisoning. Patch the servers, monitor them, do the general rigmarole, and use DHCP, like most companies do.

Yossarian

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
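The two defensive points above, that logged leases keep forensics possible and that the real exposure is rogue machines plus address conflicts, can be turned into a small lease-log check. This is an added example, not part of the original post or thread; it assumes the Windows DHCP server audit-log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address, with event 10 = new lease, 11 = renewal, 13 = address conflict found on the network) and uses a constructed sample log.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the assumed Windows DHCP audit-log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# Event IDs assumed: 10 = new lease, 11 = renewal, 13 = address conflict.
SAMPLE_LOG = """\
10,01/21/03,08:02:11,Assign,10.1.20.15,WS-ACCT-07,00:0D:9D:11:22:33
10,01/21/03,08:05:40,Assign,10.1.20.16,WS-ACCT-08,00:0D:9D:44:55:66
11,01/21/03,12:05:40,Renew,10.1.20.16,WS-ACCT-08,00:0D:9D:44:55:66
10,01/21/03,13:17:02,Assign,10.1.20.15,UNKNOWN-PC,00:E0:4C:AA:BB:CC
13,01/21/03,13:18:30,Conflict,10.1.20.15,,
"""

# Hypothetical inventory of corporate NIC addresses (constructed).
KNOWN_MACS = {"00:0D:9D:11:22:33", "00:0D:9D:44:55:66"}


def parse_lease_log(text):
    """Return (timestamp, event_id, ip, host, mac) tuples, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # skip header, blank or malformed lines
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        events.append((ts, int(row[0]), row[4], row[5], row[6].upper()))
    return sorted(events)


def holder_at(events, ip, when):
    """Forensic attribution: which (host, mac) held `ip` at time `when`?

    The last lease or renewal for that IP on or before `when` wins.
    """
    holder = None
    for ts, eid, addr, host, mac in events:
        if ts > when:
            break
        if addr == ip and eid in (10, 11):
            holder = (host, mac)
    return holder


def unknown_macs(events, known):
    """MACs that obtained a lease but are not in the hardware inventory."""
    return sorted({mac for _, eid, _, _, mac in events
                   if eid in (10, 11) and mac and mac not in known})


def conflicts(events):
    """Address conflicts the server detected (the double-address symptom)."""
    return [(ts, ip) for ts, eid, ip, _, _ in events if eid == 13]
```

Run against the real audit log, `holder_at` answers "who had this address when the alert fired", while `unknown_macs` and `conflicts` surface rogue hosts and duplicate-address incidents the post describes.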
Current thread:
- DHCP in a corporate MS environment - Security Risk? Eye Am (Jan 21)
- Re: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 21)
- Re: DHCP in a corporate MS environment - Security Risk? yossarian (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Bill Royds (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 28)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 29)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 22)
- <Possible follow-ups>
- RE: DHCP in a corporate MS environment - Security Risk? Noonan, Wesley (Jan 21)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)