I see the rationale in what Bryan sayis, but I believe that any kind of
information that we can gather is
valuable for security control purpouses and I've always found that there's
a face on which static
network addressing brings in some security, and this is when applying
monitoring, IDS, log
reviews and SEM. Without a correspondence between the security events and
the systems
they came from, you are really looking at smoke, i.e. not seeing anything.
It all comes down to
how much assurance we can get about the correspondence between a system
and the
IP address it uses, and what's more, the user behind them. Even without a
near-perfect solution until
802.1x can be implemented, to link the user identity to the network
profile of the desktop, there are still
quite many things that can be done to get enough assurance of it to allow
for every day monitoring and
forensic audit purpouses.
I'de recommend 802.1x, but I know first hand that it's implementation on a
LAN environment
is bogged with difficulties at this point in time, so probably the nearest
we can expect to get nowadays are
statically assigned DHCP addresses, port security, and close MAC and IP
spoofing monitoring through
IDS or other tools. In a Ciscoworks environment maybe you could also use
User Tracking to feed
a database of users together with the systems they are logged on, MACs,
VLAN, switch ports, etc. it's
not historical and so, it would require something more to take and save
periodical snapshots, but it
could add to the rest of measures to get a quite reasonable correspondence
between systems, IPs and
user identities.
Regards
------------------------------------
Actually I supported a network of 2000 systems where the site required
static IPs.
1) your assumption about security is flawed. People can easily take their
assigned desktop IP and either guess a second one (and hope it's not in
use) or unplug their assigned system and swap.
2) data integrity is an impossible target. Without data integrity, you've
bought yourself nothing. Getting technicians to keep up with data will
get lost to expediency of the immediate problem at hand, most often:
connectivity.
A better solution is to implement a switching infrastructure that can
handle mac-based port security. It's not perfect, as MACs can be spoofed
by someone knowledgable. However, you have your choices of ports that
auto-disable themselves -- which forces the user to contact IT and get
into trouble, block traffic only while an unauthorized MAC is on the port,
or you can set up a RADIUS server with a database of authorized MAC
addresses that allows your users to move equipment (but only that
equipment authorized by IT).
Static IP addresses are no more secure. It's smoke and mirrors.
Just some thoughts after three years of dealing with the issue you're
wanting to tackle.
Sincerely,
Bryan S. Sampsel
LibertyActivist.org
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
