[fw-wiz] Re: DHCP in a corporate MS environment - Security Risk?
From: Eye Am (eyeam@optonline.net)
Date: 02/24/03
From: Eye Am <eyeam@optonline.net> To: firewall-wizards@honor.icsalabs.com Date: Sun, 23 Feb 2003 22:01:46 -0500
----- Original Message -----
From: "Eye Am" <eyeam@optonline.net>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Monday, January 20, 2003 11:06 PM
Subject: DHCP in a corporate MS environment - Security Risk?
I'd like to thank everyone for their responses.
Just a note that we did stick with DHCP reservations. There are some nice
benefits since we combined this with more organized addressing schemes.
We have broken up our private address space in blocks by server type and
even physical location. It makes firewall reporting much easier because I
can report on a range of IP addies and have all FTP or SQL servers, or all
Programming computers' activities on one report.
I suppose eventually we will need to revisit if we run out of addies for
servers in one type or the other, that's no problem.
Chuck
> I'm looking for opinions, experiences and references on the subject. Downed
> and searched the entire Firewall-Wizards list. Found little discussion either
> way. This may be a bit OT for the board except that some security may well
> be set at the public-facing firewall as well as risks may be apparent there.
>
> Our corporate network is reasonably well set up with private and public DNS,
> no wireless IP connections and blocking all RFC1918 traffic in or out of the
> public side. Some security consultants highly recommended static addressing
> across the board for security and control reasons - i.e. access-list
> control and the potential for compromise of the DHCP database. I have
> searched Google etc and found a few articles and whitepapers.
>
> We have historically configured static IPs on servers, routers, switches and
> all outside-facing devices. We do have several multi-homed devices with
> static, public IP and a second interface facing inside (these are being
> migrated to DMZ where multi-homing will no longer be necessary.) However
> this does get to be a pain when making across-the-board changes.
> Documentation is a bear as well since we are a small company with little
> resources available to keep detailed network drawings up-to-date.
>
> Lately we are leaning towards regular lease-based DHCP for workstations and
> reserved DHCP addresses on servers on the private side. This will, of
> course, make life much easier when making widespread changes or additions
> such as adding secondary DNS. I have been wavering back and forth.
>
> Is there any experience with compromised DHCP databases in MS environments?
> Any strong opinions or reasoning pro or con the use of DHCP? Any
> recommendations for shoring up the service and its traffic?
>
> Much Appreciated In Advance
> Chuck
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
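
The message above describes carving the private address space into blocks by server type so that firewall reports can be run per range. The following is an added example, not part of the original post: it groups firewall log lines by role block and flags DHCP reservations that sit outside the block for their role. The address plan, reservations, MAC addresses and log format are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed address plan: one block per role (all values are assumptions).
PLAN = {
    "ftp": ipaddress.ip_network("10.10.20.0/28"),
    "sql": ipaddress.ip_network("10.10.30.0/28"),
    "programming": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed DHCP reservations: (MAC, reserved IP, declared role).
RESERVATIONS = [
    ("00:11:22:33:44:01", "10.10.20.5", "ftp"),
    ("00:11:22:33:44:02", "10.10.30.7", "sql"),
    ("00:11:22:33:44:03", "10.10.30.9", "ftp"),  # FTP server reserved in the SQL block
]

# Constructed firewall log lines in a hypothetical "action src dst dport" format.
LOG = """\
allow 10.10.20.5 192.0.2.10 21
deny 10.10.30.7 198.51.100.4 1433
allow 10.20.0.44 192.0.2.80 443
allow 10.10.30.7 192.0.2.10 443
allow 10.99.1.3 192.0.2.10 80
"""

def role_of(ip):
    """Return the role whose block contains ip, or 'unplanned' if none does."""
    addr = ipaddress.ip_address(ip)
    for role, net in PLAN.items():
        if addr in net:
            return role
    return "unplanned"

def misplaced_reservations(reservations):
    """Reservations whose IP falls outside the block for their declared role."""
    return [(mac, ip, role) for mac, ip, role in reservations
            if ipaddress.ip_address(ip) not in PLAN[role]]

def report(log_text):
    """Count log lines per (role, action), keyed by the source address."""
    counts = Counter()
    for line in log_text.splitlines():
        action, src, _dst, _dport = line.split()
        counts[(role_of(src), action)] += 1
    return counts

if __name__ == "__main__":
    for (role, action), n in sorted(report(LOG).items()):
        print(f"{role:12} {action:5} {n}")
    print("misplaced:", misplaced_reservations(RESERVATIONS))
```

Sources that land in "unplanned" are the ones worth a second look, since per-range reports and access lists only hold up while every reservation stays inside its block.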