On Feb 17, 2006, at 1:31 PM, gigabit@satx.rr.com wrote:
i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy.
You're describing features that are good to have on a network, but
they don't really have anything to do with DHCP. DHCP is there to
make your (the network admin's) life easier; turning it off will just
make more work for you, without any real added security.
the security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)
If you're looking for compliance, you might be better off with a
device that involves a scanning agent. I know there are a few open
source products gearing up for this (PacketFence, Ungoliant, etc) and
also existing commercial options from Cisco, Bradford (Campus
Manager) and others. The latter products require an agent scan of a
machine before it is allowed onto the network. The scan data can be
entered into a database, helping with basic compliance and asset
tracking.
1. once a branch location is staticly addressed, we have a working
inventory of what is out there.
OK, but this has nothing to do with DHCP. In fact, you could easily
enter MAC addresses into your inventory database, and dump that out
into your DHCP server, so that it hands out long-lived IP addresses
to known clients.
2. a more secure environment. no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).
Um... can't they just manually configure their machine with an
address that's on the subnet? While it won't be as simple as just
plugging the device in and acquiring an address, it's not really
going to stop anyone who wants to get on the network.
If non-auto-configuration is good enough for you, just set your DHCP
server to disallow "unknown" clients, and they'll be just as locked
out as they would be with pure manual assignment. As an added bonus,
your DHCP server will log the failed attempts with their MAC address,
so you can hunt down offenders.
3. i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.
That addresses the security issue somewhat, but has nothing to do
with DHCP. You could use this system with DHCP addresses as well
(and, in fact, DHCP helps you with this, since it hands out addresses
based on MAC address). Of course, there's always MAC spoofing... =)
You're right to want security on your network, but DHCP is not the
evil you need to eliminate. If you're serious about preventing
unauthorized access, you need to look at how to detect and/or prevent
unauthorized access at the MAC level, and enforce policy there. DHCP
is just a tool to help you from having to configure things by hand.
Jason
--
Jason Healy | jhealy@logn.net | http://www.logn.net/
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
