RE: Down with DHCP!!!!



While I fully understand why you would consider disabling DHCP, I see one
major problem with number 2 below. Just using static addresses will not
keep users from bringing in their own equipment. If a user knows much, they
can determine the proper IP addresses for the network and assign a static
address. So, you in the end, you have added more of a workload on the
network staff, but you really have not done much for security.

I agree with the idea of inventorying, equipment, but trying to manually
inventory each machine is going to be a nightmare for a network of that
size. I would recommend something to automatically inventory all of the
equipment. Other automated tools could be used to ensure all machines are
fully patched and secured.

The idea of working smarter, not harder, definitely applies in a situation
like this.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
Email: safletcher@xxxxxxxxxxxxx
Web: http://safletcher.home.insightbb.com


-----Original Message-----
From: gigabit@xxxxxxxxxxx [mailto:gigabit@xxxxxxxxxxx]
Sent: Friday, February 17, 2006 12:31 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Down with DHCP!!!!

i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy. the
security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)

i realize this will incur more work for those poor souls that have to
deploy hardware, but i believe the benefits out-weigh the costs. the
benefits i see:

1. once a branch location is staticly addressed, we have a working
inventory of what is out there.

2. a more secure environment. no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).

3. i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on
token ring for god's sake, so i don't really see that much more
workload.

Has anyone else dropped DHCP as a management/compliance decision?



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • RE: Down with DHCP!!!!
    ... Managing/monitoring the DHCP pools as assignments yourself ... -Other management tools as in Asset ... Security Administrator ... Network Operations-ICW Group ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... information needed to begin a comprehensive security policy. ... As a SysAdmin who has always worked in environments where there is a strict separation between Network Engineering and Systems Administration ... The Networking Group here administers DHCP for most desktop machines and some other computers, and they also administer DNS for the most part. ... i would like to propose to management that dhcp should be disabled, ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... Another point to note is that DHCP doesn't inherantly mean that you're ... of non-authorised equipment being attached to the network. ... them and have worked out if they represent a risk to the security of your ... The centralised management interface of DHCP ...
    (Security-Basics)
  • RE: CISSP-ISSMP
    ... management say "that's nice", and move on. ... education, certification, experience, know-how, abilities, and ... Many 'security jobs' are nothing shy than that of an overly glorified ... Download FREE whitepaper on how a managed service ...
    (Pen-Test)
  • RE: security not a big priority?
    ... But I have found that upper management will only ... and push out the changes; management has to have this information to ... Network Security Engineer ... Network team with Project Management tasks. ...
    (Security-Basics)