Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Down with DHCP!!!!

from [Steve Fletcher] Network Security [Permanent Link]
Subject: RE: Down with DHCP!!!!
Date: Fri, 17 Feb 2006 23:01:40 -0600 
While I fully understand why you would consider disabling DHCP, I see one
major problem with number 2 below.  Just using static addresses will not
keep users from bringing in their own equipment.  If a user knows much, they
can determine the proper IP addresses for the network and assign a static
address.  So, you in the end, you have added more of a workload on the
network staff, but you really have not done much for security.

I agree with the idea of inventorying, equipment, but trying to manually
inventory each machine is going to be a nightmare for a network of that
size.  I would recommend something to automatically inventory all of the
equipment.  Other automated tools could be used to ensure all machines are
fully patched and secured.

The idea of working smarter, not harder, definitely applies in a situation
like this.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
Email:  safletcher@insightbb.com
Web:  http://safletcher.home.insightbb.com

 
-----Original Message-----
From: gigabit@satx.rr.com [mailto:gigabit@satx.rr.com] 
Sent: Friday, February 17, 2006 12:31 PM
To: security-basics@securityfocus.com
Subject: Down with DHCP!!!!

i would like to propose to management that dhcp should be disabled, so 
as to force the building of a database that will hold all of the 
information needed to begin a comprehensive security policy.  the 
security group would manage the database to ensure that we are 
collecting information (such as O/S, IOS version, anti-virus 
compliance...)

i realize this will incur more work for those poor souls that have to 
deploy hardware, but i believe the benefits out-weigh the costs.  the 
benefits i see:

1.  once a branch location is staticly addressed, we have a working 
inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which 
is already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to IP 
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on 
token ring for god's sake, so i don't really see that much more 
workload.

Has anyone else dropped DHCP as a management/compliance decision?



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Exiting of CSO type employees, Mark Teicher
Next by Date:  RE: Security / forensics conference, dave kleiman
Previous by Thread:  Re: Down with DHCP!!!!, Kenton Smith
Next by Thread:  Re: Down with DHCP!!!!, Bryan S. Sampsel
Indexes:  [Date] [Thread] [Top] [All Lists]