Re: Down with DHCP!!!!




i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy.

As a SysAdmin who has always worked in environments where there is a strict separation between Network Engineering and Systems Administration
groups, I'm quite ignorant about such things as DHCP, routers, and Network Engineering in general.

With that caveat: The Networking Group here administers DHCP for most desktop machines and some other computers, and they also administer DNS for the most part. It seems to me that within Network Engineering there must be a database someplace of (MAC Address) <==> (Hostname) mappings,
such that, while a given DHCP-assigned system might get different IP addresses as it's shut down and powered up, it always has the same hostname. That's how it seems to work here, and for all I know this interface between DHCP and DNS might be part of some standard protocol.

If you can rely on a (MAC Addr) <==> (Hostname) mapping being maintained in realtime as IP addresses change via DHCP, wouldn't that
allow you to construct security policies per system?

In more general terms of course (and I'm willing to assert this claim
even given my relative ignorance about Network Engineering) if your organization believes that it is possible to have an effective "information security group" that lives in a vacuum isolated from the
Network Engineering and Systems Administration departments, then your organization is run by idiots. Information Security IS IMPLEMENTED
through the Network Engineering, Systems Administration, and Desktop Support (if that's a separate group) departments. I think that it's appropriate for medium-to-large organizations to have an "information security group" because security is such an important function and is often at odds with "getting things done". but that group must be able to exercise some authority within the rest of IT.

Having said that, no entrenched "power that is" (I guess that's how you form the singular case of "powers that be") takes kindly to being told what to do by some upstart group. I think it's better to try and fit in with what's already there whenever possible, it's much better politically
to call for policy changes only when absolutely necessary.

Hence, explore (MAC Addr) <==> (Hostname) mapping before crying "Down with DHCP". Really try to make that (or some other work-around) work, and be sure to be prominently *SEEN* to be trying to do so, before calling for the big changes if you must.

Yours,

Kurt Reimer

ok, some background...

i have transfered from network engineering to the information security
group for my company, which is mid-sized with about 2000 employees
across 90 locations (financial).

the lessons learned from being in network engineering is that they are
first and foremost concerned with maintaining the production
environment. the management processes/procedures are completely
disregarded if it is deemed necessary to "get something done".

as i try to build out a security plan for how to deal with
servers/routers/end users, i keep coming to the conclusion that it will
be meaningless unless control can be taken over what the other
department is doing (network engineering). the one commonality for all
devices on the network is that they have an IP address.

i would like to propose to management that dhcp should be disabled, so
as to force the building of a database that will hold all of the
information needed to begin a comprehensive security policy. the
security group would manage the database to ensure that we are
collecting information (such as O/S, IOS version, anti-virus
compliance...)

i realize this will incur more work for those poor souls that have to
deploy hardware, but i believe the benefits out-weigh the costs. the
benefits i see:

1. once a branch location is staticly addressed, we have a working
inventory of what is out there.

2. a more secure environment. no longer can users bring in non-
company owned devices and place them on our production network (which
is already a policy---that isn't policed).

3. i can setup automated scripts that check MAC addresses to IP
addresses on the router ARP tables to check for spoofing.

our branch locations don't change very often.....some are still on
token ring for god's sake, so i don't really see that much more
workload.

Has anyone else dropped DHCP as a management/compliance decision?

thanks.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • RE: Down with DHCP!!!!
    ... Managing/monitoring the DHCP pools as assignments yourself ... -Other management tools as in Asset ... Security Administrator ... Network Operations-ICW Group ...
    (Security-Basics)
  • RE: Down with DHCP!!!!
    ... While I fully understand why you would consider disabling DHCP, ... I would recommend something to automatically inventory all of the ... Security, HP Master ASE, CCNA, Security+ ... The Norwich University program offers unparalleled Infosec management ...
    (Security-Basics)
  • Down with DHCP!!!!
    ... i have transfered from network engineering to the information security ... i would like to propose to management that dhcp should be disabled, ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... We all know that security through obfuscation is no security ... i have transfered from network engineering to the information security ... i would like to propose to management that dhcp should be disabled, ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Down with DHCP!!!!
    ... Another point to note is that DHCP doesn't inherantly mean that you're ... of non-authorised equipment being attached to the network. ... them and have worked out if they represent a risk to the security of your ... The centralised management interface of DHCP ...
    (Security-Basics)