If you have to go down that route, couldn't you achieve the same with DHCP
reservations (and by not giving out addresses to any MACs that aren't in the
reservation table)? That would probably go down better with the desktop support
engineers, because they wouldn't have to do any extra configuration on machines
that have been re-imaged. It also would also keep the control more central.
Personally, I don't think removing DHCP will improve security much. There are
much better ways to do it, for example ensuring that there is only 1 data
connection for each legitimate PC, and if the access switches have the
functionality, restricting the number of MACs permitted on a "user" port to one
(to prevent people daisy-chaining hubs). I did a similar thing in my last job,
and it proved very effective, not least because violations showed in the logs,
offending ports were automatically disabled, and the user had to sheepishly log
a helpdesk call to get their port re-enabled by networks support.
I wouldn't be happy implementing a DHCP-free solution on the grounds of
improved security, because I think it would be a lot of work (initially and
ongoing) and not effective enough to justify the effort.
Foeh
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
