Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Down with DHCP!!!!

from [Chris Barber] Network Security [Permanent Link]
Subject: Re: Down with DHCP!!!!
Date: Thu, 23 Feb 2006 11:40:18 -0700 
I am going to get right to the point.  I have been doing security for
several years in both DoD and Public sector.  As a Security
professional you NEED Management on your side, and you want the
Network, Server, and PC folks to be friends, not enemies.  It is your
job to create policy, and verify that compliance is adhered to.  To
increase the work load on the Network, PC, and/or the server staff
will not makes friends, and may put you out of the Graces of
Management.

Work Smarter, get the PC folks, the Network Staff and the Server
andmins involved, in finding out the best way to get a grip on the
issue at hand.

In the eyes of most managers, and worer bees Security is the bad guy,
spending money and creating work for everyone.

I have found that working with Operational Staff makes Security easier
on everyone.  Now that does not mean that you have to relax security
because it creates work, but if you ease into itand get the buy in
from Network and Server, and PC admins then with them on YOUR side
work with Management to get Policy, procedure, or what have you, in
place you get what you want (A Secure Environment), and everyone plays
nice in the sand box.

Stepping off the soapbox...

Chris.

On 2/17/06, gigabit@satx.rr.com <gigabit@satx.rr.com> wrote:

ok, some background...

i have transfered from network engineering to the information security
group for my company, which is mid-sized with about 2000 employees
across 90 locations (financial).

the lessons learned from being in network engineering is that they are
first and foremost concerned with maintaining the production
environment.  the management processes/procedures are completely
disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with
servers/routers/end users, i keep coming to the conclusion that it will
be meaningless unless control can be taken over what the other
department is doing (network engineering).  the one commonality for all
devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy.  the
security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)

i realize this will incur more work for those poor souls that have to
deploy hardware, but i believe the benefits out-weigh the costs.  the
benefits i see:

1.  once a branch location is staticly addressed, we have a working
inventory of what is out there.

2.  a more secure environment.  no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).

3.  i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on
token ring for god's sake, so i don't really see that much more
workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Auditing ftp users and mapped network drive users in Active Directory and NT4 Domains, Alexander Bolante
Next by Date:  Re: PC Anywhere and security, Sap .
Previous by Thread:  Re: Down with DHCP!!!!, tandernam
Next by Thread:  RE: Down with DHCP!!!!, Makousky, Steve C
Indexes:  [Date] [Thread] [Top] [All Lists]