[fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: Eye Am (eyeam@optonline.net)
Date: 01/21/03


From: Eye Am <eyeam@optonline.net>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jan 21 18:59:20 2003

I'm looking for opinions, experiences and references on the subject. Downed
and searched the entire Firewall-Wizards list. Found little discussion either
way. This may be a bit OT for the board except that some security may well
be set at the public-facing firewall as well as risks may be apparent there.

Our corporate network is reasonably well set up with private and public DNS,
no wireless IP connections and blocking all RFC1918 traffic in or out of the
public side. Some security consultants highly recommended static addressing
across the board for security and control reasons - i.e. access-list
control and the potential for compromise of the DHCP database. I have
searched google etc and found a few articles and whitepapers.

We have historically configured static IPs on servers, routers, switches and
all outside-facing devices. We do have several multi-homed devices with
static, public IP and a second interface facing inside (these are being
migrated to DMZ where multi-homing will no longer be necessary.) However
this does get to be a pain when making across-the-board changes.
Documentation is a bear as well since we are a small company with little
resources available to keep detailed network drawings up-to-date.

Lately we are leaning towards regular lease-based DHCP for workstations and
reserved DHCP addresses on servers on the private side. This will, of
course, make life much easier when making widespread changes or additions
such as adding secondary DNS. I have been wavering back and forth.

Is there any experience with compromised DHCP databases in MS environments?
Any strong opinions or reasoning pro or con the use of DHCP? Any
recommendations for shoring up the service and its traffic?

Much Appreciated In Advance
Chuck


