|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Using DHCP (was RE: IP Spoofing)
Bill_Royds
pch.gc.ca
Sun, 3 Oct 1999 11:01:47 -0400
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Baribault, Gary: "RE: Bogus DHCP server in the network...."
- Previous message: Joseph S D Yao: "Re: Bogus DHCP server in the network...."
- In reply to: TUDOR PANAITESCU: "Bogus DHCP server in the network...."
- Next in thread: Dave Gillett: "Re: Using DHCP (was RE: IP Spoofing)"
- Next in thread: Emiliano Kargieman: "Re: IP Spoofing."
- Reply: Dave Gillett: "Re: Using DHCP (was RE: IP Spoofing)"
What I have found is that there are several kinds of hosts on an IP netwrok.
Those that are dedicated to certain tasks like servers, routers, system control
clients etc. need a static address and can be documented as to services running
on them, accounts allowed on them etc. Others are often desktop machines,
laptops, test machines etc. that may change configuration often, are under
control of naive users. Here is where DHCP allows better control than static
addresses. In a large organization, requiring static IP address assignment means
delegating the task to branch and regional IT support who often do not keep
accurate records. Determining authorization by IP becomes meaningless.
Static IP's complicates firewalls because rules allowing services become
stale, and responsibility for access control to systems becomes a bureaucratic
nightmare. Having an authorizing DHCP server that can give the firewall lists of
IP's that have validated themselves for a service means that the list is only as
old as the DHCP lease.
"Anton J Aylward" <antonthe-wire.com> on 99/10/02 09:54:34
Please respond to "Anton J Aylward" <antonthe-wire.com>
To: firewall-wizardslists.nfr.net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Using DHCP (was RE: IP Spoofing)
Neither DNS not DHCP is a cure for spoofing, and can themselves be
spoofed as well ;-( But they are key tools and properly configured can
support the evidence of logs in tracing problems and intrusions.
Some sites want accountability, that is a deterministic identification of
an IP address with a host. This can be strength or weakness, in my
opinion, and I've always favoured it when possible. But I'd like to know
what other think.
DHCP has improved, in that it can now integrate with DNS, which was always
my greatest complaint about it. Like DNS it can be strapped down, binding
MAC addresses to IP addresses. Of course relayers confuse this somewhat.
(Just as proxy ARP on some firewalls can)
which of course interact with hardware (e.g. switching hubs) and network
layout. I'd like to know what other people have found effective and what
problems there may be. Can those in the know guide the rest of us away
from the jagged rocks of this kind of implementation?
Anton Aylward
System Integrity
ajasi.on.ca
- Next message: Baribault, Gary: "RE: Bogus DHCP server in the network...."
- Previous message: Joseph S D Yao: "Re: Bogus DHCP server in the network...."
- In reply to: TUDOR PANAITESCU: "Bogus DHCP server in the network...."
- Next in thread: Dave Gillett: "Re: Using DHCP (was RE: IP Spoofing)"
- Next in thread: Emiliano Kargieman: "Re: IP Spoofing."
- Reply: Dave Gillett: "Re: Using DHCP (was RE: IP Spoofing)"
This archive was generated by hypermail 2.0b3 on Tue Oct 05 1999 - 18:35:39 CDT