Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Down with DHCP!!!!

from [Andreas Hell] Network Security [Permanent Link]
Subject: Re: Down with DHCP!!!!
Date: Wed, 22 Feb 2006 08:11:06 +0100 
Am Sonntag, den 19.02.2006, 10:34 +0530 schrieb Neil:

gigabit@satx.rr.com wrote:

ok, some background...

i have transfered from network engineering to the information security 
group for my company, which is mid-sized with about 2000 employees 
across 90 locations (financial).

the lessons learned from being in network engineering is that they are 
first and foremost concerned with maintaining the production 
environment.  the management processes/procedures are completely 
disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with 
servers/routers/end users, i keep coming to the conclusion that it will 
be meaningless unless control can be taken over what the other 
department is doing (network engineering).  the one commonality for all 
devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so 
as to force the building of a database that will hold all of the 
information needed to begin a comprehensive security policy.  the 
security group would manage the database to ensure that we are 
collecting information (such as O/S, IOS version, anti-virus 
compliance...)

i realize this will incur more work for those poor souls that have to 
deploy hardware, but i believe the benefits out-weigh the costs.  the 
benefits i see:

1.  once a branch location is staticly addressed, we have a working 
inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which 
is already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to IP 
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on 
token ring for god's sake, so i don't really see that much more 
workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.


Well, let me start by saying that dropping DHCP is a teeny tiny step 
towards making your network more secure: every device that can use DHCP 
probably has an option to put in manual IPs...so they pick one and 
assign it, and they're in all the same.

On the other hand, yes, with static IPs, you could assign various 
permissions by IP, which you couldn't do with DHCP if the addresses 
changed.  Of course, assigning by IP is about as secure as assigning by 
hostname (in the sense that if someone could take down the original 
owner, they could step into that spot and get all associated permissions).



Just a 2p thought:


My suggestion would be to use DHCP with MAC-based reservations.  


Isn't it right that any wannebe hacksor can easily spoof his/her
mac-address to let it look like an "authorised" one? And wouldn't this
mean that the only barrier to get an IP is to choose/find a correct
mac-address, which might be done by sniffing the network or something
alike? If so, giving away Ips based on mac-addresses doesn't look too
secure to me, does it?

Greets, Andreas


This 
would be like static addresses, except that you could manage it 
centrally (allowing you to change an IP address if you had need for 
whatever reason), and gives you the convenience of DHCP for visitors or 
whatnot.  You could also probably rig something to check every IP 
against its reservation, which would let you see if you had any 
intruders on the network whose computers automatically grabbed an IP 
(since everything is automatic these days...).

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


-- 
Andreas Hell <anhell@gmx.de>


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Senior Mgmt requesting their CSO to leave, Mark Teicher
Next by Date:  PC Anywhere and security, martin samson
Previous by Thread:  Re: Down with DHCP!!!!, Neil
Next by Thread:  Re: Down with DHCP!!!!, Gunnar Wolf
Indexes:  [Date] [Thread] [Top] [All Lists]