Hey there,
First of all, I applaud your effort and motivation to bring additional security
to your networks. You are definitely taking a huge leap in the right direction
as far as thinking outside the box for innovative ideas and not settling for
status quo. However, with that said, I think that disabling DHCP will not be
the best thing to do for a few reasons:
1. Managing static address pools is a nightmare, unless you have a
full-time resource to do it. I remember ?the old days,? and that is a fire that
can easily out of control. It leads to people forgetting to tell you when they
used one, etc, etc, and before you know it your inventory is useless.
2. You will become the enemy of your network team. If they have an extra
step to take, and always have to come to you for an address (or have to tell
you each time they use one,) that will get old quick and you don?t want to
loose your friends on the network side.
3. Even with your best efforts, assigning static addresses will not insure
that someone who knows what they are doing cannot figure out your addressing
scheme and assign themselves an open address. Yes, you can control this through
strict ACLs that only allow the addresses that you assigned to help, but that
is even more management on your part.
4. What about some of the benefits that you will be loosing from your DHCP
services? What if you want to assign a new IP addresses for your DNS server for
example, it may get as bad as you having to go manually change every entry.
Additionally, you will loose some flexibility in the logging capabilities that
can help in forensic cases. If you set up your environment right, you should be
able to match a login name with an assigned IP, which helps a lot in
environments where people roam around a lot. This also helps in tracking down
systems with viruses, etc to poll your DHCP server to see exactly who has that
IP address, whereas a static address list that is out of date may seriously
hurt you.
These are just a few of the random things to think about when looking at
changing from a DHCP environment to a static one. I have been on both sides of
the fence in my career, and hands-down prefer the DHCP method. Another thing to
think about would be looking at securing your DHCP services more, have you
looked at general best practices, or perhaps what companies like Metainfo are
doing in the Secure DHCP market? For instance, I know that a lot of vendors are
specifically harnessing DHCP to assist with NAC implementations, which will
take care of those AV/Patch levels and those users who bring in their home PC
to plug into the network.
Anyways, I will stop rambling on, that is just my .02 though. The bottom line
once again though is that you look to be on the right track of becoming an
extremely valuable security professional. Don?t ever stop thinking of new and
innovative ways to increase security.
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
