Re: Re: Re: RE: Down with DHCP!!!!



Read RFC 2131 for some insight into this protocol.

"A host should not act as a DHCP server unless explicitly configured to do so by a system administrator."

"7. Security Considerations

[SNIP] Therefore, DHCP in its current form is quite insecure.

Unauthorized DHCP servers may be easily set up. Such servers can then send false and potentially disruptive information to clients such as incorrect or duplicate IP addresses, incorrect routing information (including spoof routers, etc.), incorrect domain nameserver addresses (such as spoof nameservers), and so on. Clearly, once this seed information is in place, an attacker can further compromise affected systems.

Malicious DHCP clients could masquerade as legitimate clients and retrieve information intended for those legitimate clients. Where dynamic allocation of resources is used, a malicious client could claim all resources for itself, thereby denying resources to legitimate clients."


You decide, but your response didn't address any real issues. Spend an afternoon with perl devising attacks against DHCP from both the rogue client and malicious server perspectives and decide if it has any place on a network you _TRULY_ wish to secure.

DHCP is fine for places where you don't care about security or already have truly secured physical access - otherwise you are providing an attacker with an on/off switch to your network.

DHCP is a security disaster looking for a place to happen. The protocol designers knew it and anyone with an inkling of security knowledge realizes it. If you have managed switches to the desktop, or have the infrastructure to fully deploy 802.1x to *ALL* of the devices on your network, more power to you; but anyone in any environment with those resources doesn't _need_ DHCP.

48 bits of entropy is harder to manage than 32.

My $.02 (given I've spent a bit of time researching the subject)...

-AC
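One defensive counterpart to the rogue-server threat in the RFC excerpt above is to inspect DHCPOFFERs on the wire and flag any whose server identifier (option 54) is not on the list of servers the administrator actually configured. The Python example below is added here and is not part of the original post; the 192.0.2.x addresses and the `AUTHORIZED_SERVERS` allowlist are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"               # RFC 2131 s.3: marks start of options
AUTHORIZED_SERVERS = {IPv4Address("192.0.2.1")}   # constructed allowlist of real servers


def parse_options(payload: bytes) -> dict:
    """Parse the TLV options that follow the fixed 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_offer(payload: bytes) -> dict:
    """Extract type/server/router and decide whether the OFFER came from an unknown server."""
    opts = parse_options(payload)
    msg_type = opts.get(53, b"\x00")[0]                     # 53: DHCP message type (2 = OFFER)
    server = IPv4Address(opts[54]) if 54 in opts else None  # 54: server identifier
    router = IPv4Address(opts[3][:4]) if 3 in opts else None  # 3: first router offered
    return {"type": msg_type, "server": server, "router": router,
            "rogue": msg_type == 2 and server not in AUTHORIZED_SERVERS}


def build_offer(server: str, router: str) -> bytes:
    """Construct a minimal DHCPOFFER (op=2 BOOTREPLY, htype=1, hlen=6) as sample input."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + b"\x00" * 232   # remaining header fields zeroed
    opts = (b"\x35\x01\x02"                                     # 53: message type OFFER
            + b"\x36\x04" + IPv4Address(server).packed          # 54: server identifier
            + b"\x03\x04" + IPv4Address(router).packed          # 3: router
            + b"\xff")                                          # 255: end
    return header + MAGIC_COOKIE + opts


if __name__ == "__main__":
    for pkt in (build_offer("192.0.2.1", "192.0.2.1"), build_offer("192.0.2.200", "192.0.2.200")):
        print(classify_offer(pkt))
```

In practice the payload would come from a UDP/67-68 capture on the segment being monitored; an OFFER that also pushes an unknown router or nameserver is the "spoof routers" case the RFC warns about.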
