Firewall Wizards mailing list archives
RE: DHCP in a corporate MS environment - Security Risk?
From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 22 Jan 2003 12:13:06 -0500
Another possibility would be a more secure alternative to DHCP. With Radius (just one example) you can require that people authenticate off of a user database (Unix passwd/shadow file, LDAP, NT Domain, ADS....)

Of course, a sniffer on your network, arp poisoning, etc. would obviate a lot of the security gains....

--Patrick Darden

-----Original Message-----
From: Ben Nagy [mailto:ben () iagu net]
Sent: Wednesday, January 22, 2003 3:21 AM
To: Eye Am; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

Put me down as a "me too" for Wes's post. Static IP assignment for individual clients is insane. If you want strong(ish) machine-based security then look at switch port MAC filters; they're also insane from a management point of view but at least they actually offer a positive security delta.

If you desperately want to write ACLs based on groups of machines then you may as well use DHCP reservations and start buying antacid in bulk for your sysadmin.

Better, if you're in an MS environment, is to look at something like a proxy server or an IAS server to do real user-based authentication (if there's a working non-MS way to do it, someone let me know) based on the domain or AD. Be sure not to confuse this with a real network-level firewall, though, it's just a way to do some user restriction that's not SOCKS. I would expect to see a "proper" firewall as well.

Please ask your security consultant to send us a short note explaining the risks of "DHCP database compromise". I shall pin it on my wall.

For finer points, I usually do static config on servers (old fashioned), and I agree that you should get rid of your multihomed in/out devices as soon as you can.

Cheers,
ben

----- Original Message -----
From: "Eye Am" <eyeam () optonline net>
To: <firewall-wizards () honor icsalabs com>
Sent: Tuesday, January 21, 2003 5:06 AM
Subject: [fw-wiz] DHCP in a corporate MS environment - Security Risk?
I'm looking for opinions, experiences and references on the subject. Downed and searched the entire Firewall-Wizards list. Found little discussion either way. This may be a bit OT for the board except that some security may well be set at the public-facing firewall as well as risks may be apparent there.

Our corporate network is reasonably well set up with private and public DNS, no wireless IP connections and blocking all RFC1918 traffic in or out of the public side. Some security consultants highly recommended static addressing across the board for security and control reasons - i.e. access-list control and the potential for compromise of the DHCP database. I have searched google etc. and found a few articles and whitepapers.

We have historically configured static IPs on servers, routers, switches and all outside-facing devices. We do have several multi-homed devices with static, public IP and a second interface facing inside (these are being migrated to DMZ where multi-homing will no longer be necessary.) However this does get to be a pain when making across-the-board changes. Documentation is a bear as well since we are a small company with little resources available to keep detailed network drawings up-to-date.

Lately we are leaning towards regular lease-based DHCP for workstations and reserved DHCP addresses on servers on the private side. This will, of course, make life much easier when making widespread changes or additions such as adding secondary DNS.

I have been wavering back and forth. Is there any experience with compromised DHCP databases in MS environments? Any strong opinions or reasoning pro or con the use of DHCP? Any recommendations for shoring up the service and its traffic?

Much Appreciated In Advance
Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
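Added example (not posted by anyone in this thread). Chuck asks for recommendations for shoring up the DHCP service and its traffic, and Patrick points out that a sniffer or arp poisoning undercuts most host-level gains. The same weakness applies to DHCP itself: any host on the segment can answer a client's DISCOVER, and a reply that hands out the attacker's address as default gateway or DNS gives the same man-in-the-middle position as arp poisoning. The block below parses raw DHCP server replies (RFC 2131 header, RFC 2132 options) and flags replies whose Server Identifier, router or DNS options are not on an allow-list. The allow-list addresses, the sample packets built by `build_reply`, and the function names are all constructed for this example.

```python
"""Rogue DHCP reply detection: parse DHCPOFFER/DHCPACK payloads and check the
server identifier, gateway and DNS options against a per-segment allow-list.
Addresses, packets and names here are constructed for the example."""
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie preceding the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Hypothetical allow-lists for one segment: hosts allowed to act as DHCP server,
# and the gateway/resolvers a genuine lease may hand out.
AUTHORISED_SERVERS = {"10.1.0.2", "10.1.0.3"}
AUTHORISED_GATEWAYS = {"10.1.0.1"}
AUTHORISED_DNS = {"10.1.0.2", "10.1.0.3"}


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def parse_dhcp(data: bytes) -> dict:
    """Parse a raw DHCP message (the UDP payload) into header fields plus decoded options."""
    if len(data) < 240:
        raise ValueError("too short for a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", data[:28])
    chaddr = data[28:28 + hlen]
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:                 # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:               # END
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    dns_raw = options.get(6, b"")
    return {
        "op": op, "xid": xid, "flags": flags,
        "yiaddr": _ip(yiaddr), "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": chaddr.hex(":"),
        "msg_type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "server_id": _ip(options[54]) if 54 in options else None,
        "router": _ip(options[3][:4]) if 3 in options else None,
        "dns": [_ip(dns_raw[k:k + 4]) for k in range(0, len(dns_raw) // 4 * 4, 4)],
    }


def classify(msg: dict) -> list:
    """Findings for a server-originated message; client messages produce none."""
    findings = []
    if msg["op"] != 2 or msg["msg_type"] not in ("OFFER", "ACK", "NAK"):
        return findings
    sid = msg["server_id"]
    if sid is None:
        findings.append("server reply without Server Identifier (option 54)")
    elif sid not in AUTHORISED_SERVERS:
        findings.append(f"unauthorised DHCP server {sid} replying to {msg['chaddr']}")
    if msg["router"] and msg["router"] not in AUTHORISED_GATEWAYS:
        findings.append(f"lease for {msg['yiaddr']} points default gateway at {msg['router']}")
    for d in msg["dns"]:
        if d not in AUTHORISED_DNS:
            findings.append(f"lease for {msg['yiaddr']} points DNS at {d}")
    return findings


def build_reply(msg_type, server_id, yiaddr, router, dns,
                xid=0x3903F326, chaddr=bytes.fromhex("001122334455")) -> bytes:
    """Construct a DHCP server reply; used only to produce sample input for this example."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                      ipaddress.IPv4Address(server_id).packed, b"\0" * 4)
    fixed = hdr + chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts = (bytes([53, 1, msg_type])
            + bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([3, 4]) + ipaddress.IPv4Address(router).packed
            + bytes([6, len(dns_bytes)]) + dns_bytes
            + bytes([51, 4]) + struct.pack("!I", 86400)
            + b"\xff")
    return fixed + opts


# Constructed sample traffic: one genuine OFFER and one from a host that is not a server.
SAMPLE_PACKETS = {
    "legit_offer": build_reply(2, "10.1.0.2", "10.1.0.57", "10.1.0.1", ["10.1.0.2", "10.1.0.3"]),
    "rogue_offer": build_reply(2, "10.1.0.99", "10.1.0.57", "10.1.0.99", ["10.1.0.99"]),
}


def audit(packets: dict) -> dict:
    """Run classify() over named packets; returns only those with findings."""
    return {name: f for name, raw in packets.items() if (f := classify(parse_dhcp(raw)))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PACKETS).items():
        print(name)
        for f in findings:
            print("  ", f)
```

In practice you feed `parse_dhcp` the UDP payloads seen on port 68 from a capture on each segment; the switch-side equivalent is DHCP snooping, which drops server replies on untrusted ports and is the infrastructure control that actually stops the rogue reply rather than just reporting it.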
Current thread:
- Re: DHCP in a corporate MS environment - Security Risk?, (continued)
- Re: DHCP in a corporate MS environment - Security Risk? Bill Royds (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 28)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 29)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Luca Berra (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Noonan, Wesley (Jan 21)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul Robertson (Jan 22)
- RE: DHCP in a corporate MS environment - Security Risk? Paul D. Robertson (Jan 22)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 23)
- Re: DHCP in a corporate MS environment - Security Risk? Gary Flynn (Jan 24)
- Re: DHCP in a corporate MS environment - Security Risk? Ben Nagy (Jan 24)
- RE: DHCP in a corporate MS environment - Security Risk? David Lang (Jan 22)