Re: Firewalls and PCI



How does a lack of DHCP let you KNOW who is on your network? Absent
DHCP all an attacker with zero knowledge of the network configuration
needs to do is sniff the ARP and other broadcast traffic to determine
the addressing of the network and find themselves an open address or
takeover a used address. Now if you have 802.1x or use IPSEC to limit
communications that is another story entirely and can still function
with DHCP.

A number of clients I visit say that lack of DHCP is a security
measure. If they push back on my claim it would only slow an attacker
down I demonstrate just how easy it is to find an open address, I end
up able to talk to their network inside of 5 minutes.




You have a VERY SMART client!!

This is an architecture I have been pushing for years: Isolate every
individual zone of security with a firewall.

Another issue I see consistently ignored: You NEVER have a clue who is
on any DHCP network. Therefore, anything running DHCP should be on a
physically separate network that is considered only very very slightly
more trusted than the Internet. And needless to say, this network must
be isolated from the rest of the organization's internal network using
a firewall. Also, please note that the same applies to ANYTHING wireless.

I have an organization where I have just implemented a multi-location
network, and each location's LAN is isolated on the WAN via a firewall
(and one or two routers) from the rest of the WAN. Any site with exposed
services has an Internet-facing router, a hardware firewall, DMZ servers,
a hardware firewall, the LAN, and on LAN:
a) a hardware firewall that isolates WAN/LAN servers
b) a hardware firewall that isolates the site from the WAN, and the
WAN router
c) a hardware firewall that isolates a DHCP network.

Finally, EVERY host should have a good (e.g., not M$) firewall. I am
very please with Sophos' end point security product in this respect.

Hope this helps! (And pay attention to your client's good ideas!)

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214





==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.





Relevant Pages

  • Re: Hosts IP address cant be found
    ... a local network and has Internet access through a hardware firewall. ... This address is the default address of my hardware firewall, ... Years ago, when I set up the firewall, I needed to use dhcp ... LAN should I add other local hosts to it? ...
    (Debian-User)
  • Re: networking private and public hosts questions
    ... some systmes in storage to create a test network. ... a WS to the child and attempted to pull an IP from the DHCP server, ...
    (microsoft.public.win2000.networking)
  • Re: A little FYI
    ... > fix for a different problem or end up making the same configuration ... Maybe faulty network equipment, ... > to look at what might interfere with DHCP. ... you were not here as I was trying to get the card to stay ...
    (comp.security.firewalls)
  • Re: Preventing DHCP from allocating IPs
    ... Each segment is physically separate with a Linux ... unknown MAC addresses firstly don't get a DHCP ... >> wants access to your network, they will have to come to you to obtain ...
    (Security-Basics)
  • Cable Connectivity
    ... address for the Network Card with network address 00402B2F688C. ... The DHCP Client service on your computer did not receive a response ... If connection with the network is not established using this APIP ... the DHCP Client service will try to contact the DHCP server ...
    (microsoft.public.windowsxp.general)