gigabit@satx.rr.com dijo [Fri, Feb 17, 2006 at 12:31:08PM -0600]:
ok, some background...
(...)
i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy. the
security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)
By adding a couple of details to your ideas, mi conclusion was exactly
the opposite: Mandate that _everybody_ gets his machine configured by
DHCP makes your network more secure - and, of course, easier to
manage. The key? Maintain a database of known equipment, and hand out
static DHCP addresses to them.
(...)
2. a more secure environment. no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).
I agree, if anybody can come in and get a working IP address,
something is seriously broken in your net setup. However, if
unregistered MACs are assigned an IP in a restricted range. If you
want, you could direct them to what has been branded as a "captive
portal" where the user can register who he is and why does he think
you should authorize him to use the network.
3. i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.
(...)
Has anyone else dropped DHCP as a management/compliance decision?
If you are interested (or anybody else), I can send you the scripts I
made to handle this needs for my network. I am currently only
outputting the DHCP configuration, but I want to add normal and
reverse DNS mappings and firewall settings to prevent usage by
unauthorized MAC<=>IP pairs (adding this will be quite trivial).
I deployed this where I worked several years ago, at a faculty with
2,000 teachers and 12,000 students. The amount of network trouble we
had soon dropped to the ground. I am implementing it in the Institute
I work now, and success has been less spectacular, but because of
political reasons (I haven't been able to set up the firewall
restrictions because the users don't want to be bothered, and I have
to explain what this is to several layers of management).
Greetings,
--
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
