Re: Down with DHCP!!!!

Actually I supported a network of 2000 systems where the site required
static IPs.

1) your assumption about security is flawed. People can easily take their
assigned desktop IP and either guess a second one (and hope it's not in
use) or unplug their assigned system and swap.

2) data integrity is an impossible target. Without data integrity, you've
bought yourself nothing. Getting technicians to keep up with data will
get lost to expediency of the immediate problem at hand, most often:
connectivity.

A better solution is to implement a switching infrastructure that can
handle mac-based port security. It's not perfect, as MACs can be spoofed
by someone knowledgable. However, you have your choices of ports that
auto-disable themselves -- which forces the user to contact IT and get
into trouble, block traffic only while an unauthorized MAC is on the port,
or you can set up a RADIUS server with a database of authorized MAC
addresses that allows your users to move equipment (but only that
equipment authorized by IT).

Static IP addresses are no more secure. It's smoke and mirrors.

Just some thoughts after three years of dealing with the issue you're
wanting to tackle.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • Re: Its War!
    ... they know which port is doing what. ... Once they have that MAC address, ... security seriously, they have tied your MAC address to you. ... log into the router for Internet, the mere fact that you can get ...
    (microsoft.public.windowsxp.general)
  • RE: How to find a changing IP on ethernet network
    ... called "port security". ... tell it how many MAC ... to issue an SMTP trap to your Network Management ...
    (Security-Basics)
  • RE: rogue IP address
    ... Sorry if this seems like a dumb question, but you mentioned a "port to IP" ... Does your switch have a "port to MAC address table"? ... prospectus based upon the core principle concepts of security. ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... valuable for security control purpouses and I've always found that there's ... statically assigned DHCP addresses, port security, and close MAC and IP ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Router incompatibility with Vista
    ... You can't port forward unless you do fix the machines IP, ... Well, all three of my routers are bargain basement routers, and all ... portforwarding must have static ips or the router must remember which ip ... on the mac of the computer with a previously different ip. ...
    (uk.telecom.broadband)