Network Security Security-Basics

Re: Down with DHCP!!!!

Subject: Re: Down with DHCP!!!!
Date: Fri, 17 Feb 2006 19:45:59 -0500
Frankly, I think you have an axe to grind against your former
co-workers in network engineering, don't know very much about network
engineering, or are simply on crack...   comments inline...

On 2/17/06, gigabit@satx.rr.com <gigabit@satx.rr.com> wrote:
> ok, some background...
>
> i have transferred from network engineering to the information security
> group for my company, which is mid-sized with about 2000 employees
> across 90 locations (financial).
>
> the lessons learned from being in network engineering is that they are
> first and foremost concerned with maintaining the production
> environment.  the management processes/procedures are completely
> disregarded if it is deemed necessary to "get something done".

This is a management and process issue best handled by putting
together a comprehensive security policy and having your management
chain force the network engineering folks to follow it.  Telling
NetEng how to do their job won't get you a lot of traction in the real
world.

Look, if there's an outage and a few rules need to be bent to maintain
the production environment, that isn't a bad thing(tm).  But if it
happens every time someone doesn't want to follow the appropriate
change management procedure, that's a different story.

> as i try to build out a security plan for how to deal with
> servers/routers/end users, i keep coming to the conclusion that it will
> be meaningless unless control can be taken over what the other
> department is doing (network engineering).  the one commonality for all
> devices on the network is that they have an IP address.
>
> i would like to propose to management that dhcp should be disabled, so
> as to force the building of a database that will hold all of the
> information needed to begin a comprehensive security policy.  the
> security group would manage the database to ensure that we are
> collecting information (such as O/S, IOS version, anti-virus
> compliance...)

Why re-invent the wheel?  If you're really serious about this,
wouldn't it make more sense to transfer control of the DHCP servers to
the security team and then configure it how you wish?  You could still
statically assign specific IP addresses to specific MAC addresses if
you wished.  (e.g. Doing an audit on a portion of the network that
you're cutting over to your DHCP, gather the information you
need/want, and then once you have said info, making the appropriate
DHCP assignments.)  Then, if you have any changes to make you've got
one place to make them - as opposed to having someone run from PC to
PC.

Would it be easier to make the NE's or desktop support staff run
around and do this?  Probably - but then you're the one who's decided
you need to maintain this information yourself, suck it up and do the
work.

> i realize this will incur more work for those poor souls that have to
> deploy hardware, but i believe the benefits outweigh the costs.  the
> benefits i see:

Sure, because you're not the one who is going to have to implement your idea.


> 1.  once a branch location is statically addressed, we have a working
> inventory of what is out there.
>
> 2.  a more secure environment.  no longer can users bring in
> non-company owned devices and place them on our production network
> (which is already a policy---that isn't policed).
>
> 3.  i can set up automated scripts that check MAC addresses to IP
> addresses on the router ARP tables to check for spoofing.

Two thoughts:
Port Security.

Cisco NAC

> our branch locations don't change very often.....some are still on
> token ring for god's sake, so i don't really see that much more
> workload.

What are you planning to do for users, management, whatever who have
to move between locations and plan to use the network at all of them? 
Reconfigure their TCP/IP stack each time?

> Has anyone else dropped DHCP as a management/compliance decision?

Why not just use a wire-cutter for your IPS solution while you're at it?

-doug
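
Added example (not part of the original message or thread): one way to run the check described in item 3 above, comparing a router's ARP table against an address inventory such as the one static DHCP reservations would provide. The `show ip arp` sample, the inventory and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory (IP -> expected MAC), e.g. exported from DHCP reservations.
INVENTORY = {
    "10.1.20.11": "0011.2233.4455",
    "10.1.20.12": "0011.2233.4466",
    "10.1.20.13": "0011.2233.4477",
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   00aa.bbcc.dd01  ARPA   FastEthernet0/0
Internet  10.1.20.11             12   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.1.20.12              3   0011.2233.9999  ARPA   FastEthernet0/0
Internet  10.1.20.13              0   Incomplete      ARPA
Internet  10.1.20.50              7   0011.2233.9999  ARPA   FastEthernet0/0
"""

ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s")

def parse_arp(text):
    """Return [(ip, mac, age)] for resolved entries; header and Incomplete rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(3).lower(), m.group(2)))
    return rows

def audit(text, inventory):
    """Flag IPs missing from the inventory, IPs answered by the wrong MAC, and MACs holding several IPs."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, age in parse_arp(text):
        if age == "-":  # age "-" marks the router's own interface address
            continue
        ips_by_mac[mac].append(ip)
        expected = inventory.get(ip)
        if expected is None:
            findings.append(("unknown-ip", ip, mac))
        elif expected.lower() != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-multiple-ips", ",".join(sorted(ips)), mac))
    return findings
```

An inventory host that is powered off (the `Incomplete` row for 10.1.20.13) produces no finding, so absence from the ARP table has to be tracked separately if it matters.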


