RE: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 01/21/03


From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
To: "'Eye Am'" <eyeam@optonline.net>, firewall-wizards@honor.icsalabs.com
Date: Tue Jan 21 20:18:17 2003

In my experience, whatever security might have been gained by going with
100% static addresses (and I think this is a very debatable point) was NEVER
worth the hassle and management headache that it created.

Absolutely no doubt in my mind, I have and will continue to use DHCP as much
as I can, provided of course it is technically and logistically feasible. As
for the security and control reasons that you list, DHCP works great for
ACLs when properly implemented with reservations, and as for the database,
the only thing I can think of that one could get is a listing of all the
macs and IP address mappings... but then any time with a sniffer will get
you that anyway.

As for shoring up the service? Back it up regularly. As for the traffic,
again it is negligible. You have bigger fish to fry in this arena than
optimizing DHCP traffic.

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

> -----Original Message-----
> From: Eye Am [mailto:eyeam@optonline.net]
> Sent: Monday, January 20, 2003 22:06
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] DHCP in a corporate MS environment - Security Risk?
>
> I'm looking for opinions, experiences and references on the subject. Downed
> and searched the entire Firewall-Wizards list. Found little discussion either
> way. This may be a bit OT for the board except that some security may well
> be set at the public-facing firewall as well as risks may be apparent there.
>
> Our corporate network is reasonably well set up with private and public DNS,
> no wireless IP connections and blocking all RFC1918 traffic in or out of the
> public side. Some security consultants highly recommended static addressing
> across the board for security and control reasons - i.e. access-list
> control and the potential for compromise of the DHCP database. I have
> searched Google etc. and found a few articles and whitepapers.
>
> We have historically configured static IPs on servers, routers, switches and
> all outside-facing devices. We do have several multi-homed devices with
> static, public IP and a second interface facing inside (these are being
> migrated to DMZ where multi-homing will no longer be necessary.) However
> this does get to be a pain when making across-the-board changes.
> Documentation is a bear as well since we are a small company with little
> resources available to keep detailed network drawings up-to-date.
>
> Lately we are leaning towards regular lease-based DHCP for workstations and
> reserved DHCP addresses on servers on the private side. This will, of
> course, make life much easier when making widespread changes or additions
> such as adding secondary DNS. I have been wavering back and forth.
>
> Is there any experience with compromised DHCP databases in MS environments?
> Any strong opinions or reasoning pro or con the use of DHCP? Any
> recommendations for shoring up the service and its traffic?
>
> Much Appreciated In Advance
> Chuck
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
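Wes's reply rests on two points: IP-based ACLs are only as good as the reservation table behind them, and the DHCP database itself reveals little beyond MAC/IP mappings that any sniffer would also show. The script below is an added example for this thread (not code from either poster or from any vendor tool): it reconciles a constructed reservation list against a constructed table of observed IP/MAC bindings (what a lease dump or an ARP capture would give) and emits Cisco-style ACL host entries only for hosts that actually hold a reservation. The record format, the `permit ip host` line style and all addresses are assumptions made for the example.

```python
"""Reconcile DHCP reservations against observed IP/MAC bindings so that
ACLs keyed on IP address stay trustworthy (added example, not from the
thread; record format and ACL syntax are assumptions)."""
from __future__ import annotations

from ipaddress import ip_address

# Constructed sample: what the administrator intends (reservations),
# one "<ip> <mac> <hostname>" record per line.
RESERVATIONS = """
10.10.1.10  00-50-56-aa-bb-01  dns1
10.10.1.11  00-50-56-aa-bb-02  dns2
10.10.1.20  00-50-56-aa-bb-03  fileserver
10.10.1.30  00-50-56-aa-bb-04  oldbox
"""

# Constructed sample: what is actually seen on the wire or in the lease
# table. fileserver's IP answers from a different MAC, and mailserver
# holds a plain dynamic lease instead of a reservation.
OBSERVED = """
10.10.1.10  00-50-56-aa-bb-01  dns1
10.10.1.11  00-50-56-aa-bb-02  dns2
10.10.1.20  00:50:56:AA:BB:99  fileserver
10.10.1.105 00-50-56-aa-bb-05  mailserver
10.10.1.106 00-50-56-aa-bb-06  ws-chuck
"""

# Hosts the firewall ACL refers to by IP address. Each must be reserved,
# otherwise the ACL covers whoever receives that lease next.
ACL_HOSTS = {"dns1", "dns2", "fileserver", "mailserver"}


def normalize_mac(mac: str) -> str:
    """Canonical MAC: lowercase hex with no separators."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def parse_records(text: str) -> dict[str, dict]:
    """Parse '<ip> <mac> <hostname>' lines into a map keyed by IP."""
    records: dict[str, dict] = {}
    for line in text.strip().splitlines():
        ip, mac, host = line.split()
        records[str(ip_address(ip))] = {"mac": normalize_mac(mac), "host": host}
    return records


def reconcile(reservations: dict, observed: dict, acl_hosts: set[str]) -> dict:
    """Return the conditions that make an IP-keyed ACL wrong or stale."""
    findings: dict[str, list] = {
        "mac_mismatch": [],        # reserved IP answering from another MAC
        "unreserved_acl_host": [], # ACL host running on a floating lease
        "idle_reservation": [],    # reservation with no host behind it
    }
    for ip, res in reservations.items():
        seen = observed.get(ip)
        if seen is None:
            findings["idle_reservation"].append(ip)
        elif seen["mac"] != res["mac"]:
            findings["mac_mismatch"].append((ip, res["mac"], seen["mac"]))
    reserved_hosts = {r["host"] for r in reservations.values()}
    for ip, seen in observed.items():
        if seen["host"] in acl_hosts and seen["host"] not in reserved_hosts:
            findings["unreserved_acl_host"].append((seen["host"], ip))
    return findings


def acl_lines(reservations: dict, acl_hosts: set[str]) -> list[str]:
    """Emit host entries only for reserved ACL hosts, sorted by address."""
    entries = [(ip_address(ip), ip) for ip, r in reservations.items()
               if r["host"] in acl_hosts]
    return [f"permit ip host {ip} any" for _, ip in sorted(entries)]


if __name__ == "__main__":
    res = parse_records(RESERVATIONS)
    obs = parse_records(OBSERVED)
    for kind, items in reconcile(res, obs, ACL_HOSTS).items():
        for item in items:
            print(f"{kind}: {item}")
    print("\n".join(acl_lines(res, ACL_HOSTS)))
```

Run as a scheduled job against a fresh export of reservations and bindings, the `mac_mismatch` line is the one worth alerting on: a reserved address answering from a different MAC means either a statically configured duplicate or an address-spoofing host, and in both cases the ACL entry for that IP is no longer protecting what it was written for. The `unreserved_acl_host` finding is the configuration gap Wes warns about implicitly: an ACL host without a reservation is an ACL entry waiting to drift.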
