Re: Down with DHCP!!!!

I say bad idea. There are other ways (I think) to
solve the issue without creating friction with other
groups. As soon as you go and mandate something that
is going to add work for other people you're going to
become an enemy and they're going to try to bypass you
at every opportunity. With that many users I think
going to staic IP's would be a management nightmare
(speaking as someone who managed a static IP network
of 225 users).

Why don't you use MAC addresses for your inventory? Or
use DNS? You've got the MAC address to check to make
sure that the machine is who it says it is. Use the
name to hav a more friendly way of inventorying.

As for preventing someone from putting a machine on
the network, what's to stop them from giving their
machine a static IP on your network? If you use MAC
addresses there are a multitude of tools available to
prevent users from adding machines to the network.

Security is always a compromise; if you don't
compromise in certain places you're going to spend
more of your time policing the people who are trying
to get around your less important security measures
and less time actually keeping the really important
stuff secure.

Kenton

--- gigabit@xxxxxxxxxxx wrote:

ok, some background...

i have transfered from network engineering to the
information security
group for my company, which is mid-sized with about
2000 employees
across 90 locations (financial).

the lessons learned from being in network
engineering is that they are
first and foremost concerned with maintaining the
production
environment. the management processes/procedures
are completely
disregarded if it is deemed necessary to "get
something done".

as i try to build out a security plan for how to
deal with
servers/routers/end users, i keep coming to the
conclusion that it will
be meaningless unless control can be taken over what
the other
department is doing (network engineering). the one
commonality for all
devices on the network is that they have an IP
address.

i would like to propose to management that dhcp
should be disabled, so
as to force the building of a database that will
hold all of the
information needed to begin a comprehensive security
policy. the
security group would manage the database to ensure
that we are
collecting information (such as O/S, IOS version,
anti-virus
compliance...)

i realize this will incur more work for those poor
souls that have to
deploy hardware, but i believe the benefits
out-weigh the costs. the
benefits i see:

1. once a branch location is staticly addressed, we
have a working
inventory of what is out there.

2. a more secure environment. no longer can users
bring in non-
company owned devices and place them on our
production network (which
is already a policy---that isn't policed).

3. i can setup automated scripts that check MAC
addresses to IP
addresses on the router ARP tables to check for
spoofing.

our branch locations don't change very
often.....some are still on
token ring for god's sake, so i don't really see
that much more
workload.

Has anyone else dropped DHCP as a
management/compliance decision?

thanks.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE -
ONLINE
The Norwich University program offers unparalleled
Infosec management
education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals
with degree
customizations including Emergency Management,
Business Continuity Planning,
Computer Emergency Response Teams, and Digital
Investigations.

http://www.msia.norwich.edu/secfocus

---------------------------------------------------------------------------









__________________________________________________________
Find your next car at http://autos.yahoo.ca

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • RE: Down with DHCP!!!!
    ... Managing/monitoring the DHCP pools as assignments yourself ... -Other management tools as in Asset ... Security Administrator ... Network Operations-ICW Group ...
    (Security-Basics)
  • RE: security not a big priority?
    ... But I have found that upper management will only ... and push out the changes; management has to have this information to ... Network Security Engineer ... Network team with Project Management tasks. ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... "You are trying to use DHCP to fix a management problem". ... then allows for the beginings of security. ... The Norwich University program offers unparalleled Infosec management ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • RE: Terminal Services Auditing?
    ... displaying them in 'Terminal Services Manager' snap-in. ... Better Management for Network Security ...
    (Focus-Microsoft)
  • Re: Log management software for Windows
    ... Log management software for Windows ... I want to retain security and event log data on a Windows machine that is ... for example: the IDS log from my firewall. ... Better Management for Network Security ...
    (Security-Basics)