RE: Using DHCP (was RE: IP Spoofing)
GEIS (Adam.Safier@geis.ge.com)
Tue, 12 Oct 1999 18:01:48 -0400
- Next message: Alex Noordergraaf: "Re: Geography of an IP Address"
- Previous message: GEIS: "RE: Using DHCP (was RE: IP Spoofing)"
- Maybe in reply to: Anton J Aylward: "Using DHCP (was RE: IP Spoofing)"
- Next in thread: Bill_Royds@pch.gc.ca: "RE: Using DHCP (was RE: IP Spoofing)"
- Next in thread: Emiliano Kargieman: "Re: IP Spoofing."
One more little detail question, how does a DHCP server track MAC/IP address
pairs of traffic traveling on subnets separated from the DHCP server by
routers? Routers I used to work with did not pass ARP tables, but maybe I'm
showing my age.
Looks like I will need to read up on DHCP. It has become very common and
it's a shame to lose opportunities for setting off alarms.
Thanks,
Adam
-----Original Message-----
From: Bill_Royds@pch.gc.ca [mailto:Bill_Royds@pch.gc.ca]
Sent: Tuesday, October 12, 1999 5:17 PM
To: Safier, Adam (GEIS)
Cc: Dave Gillett; firewall-wizards@lists.nfr.net
Subject: RE: Using DHCP (was RE: IP Spoofing)
Most DHCP servers check for availability of the IP range they are assigning
and scream murder (well, log the MAC address and any other info) for any
machine that tries to use one of its addresses without authorization. Use of
unauthorized IP addresses can be a firing offense in some places (I worked at
one where you and boss had to sign a form with this when an IP address was
handed out).
Essentially you are distributing the IP assignment. It really isn't any more
secure than any other IP based rule set, but it allows support staff to give
out IP addresses without the firewall having to be changed.
"Safier, Adam (GEIS)" <Adam.Safier@geis.ge.com> on 12/10/99 05:04:54 PM
To: Bill Royds/HullOttawa/PCH/CA@PCH, Dave Gillett <dgillett@deepforest.org>
cc: firewall-wizards@lists.nfr.net
Subject: RE: Using DHCP (was RE: IP Spoofing)
What if I know the IP address range of the special group and hard code it
into my PC? This seems like a fancy way of filtering by IP address only,
with all the old spoofing vulnerabilities. What am I missing that makes
this truly secure?
Adam
-----Original Message-----
From: Bill_Royds@pch.gc.ca [mailto:Bill_Royds@pch.gc.ca]
Sent: Thursday, October 07, 1999 12:45 PM
To: Dave Gillett
Cc: firewall-wizards@lists.nfr.net
Subject: Re: Using DHCP (was RE: IP Spoofing)
Scenario.
I have a firewall rule set that allows use of a particular service for a
limited range of IP addresses (192.16.24.16/28 say). I set up my DHCP server
to give out this range only to users that validate themselves (basically this
range is for a logical subnet within a physical segment). So rather than
changing firewall rules each time a member of that secure user set changes,
the DHCP server validates users by things like NT group or challenge response
etc. This localizes the security control to the actual owners of secure
service.
"Dave Gillett" <dgillett@deepforest.org> on 06/10/99 12:44:13 PM
Please respond to "Dave Gillett" <dgillett@deepforest.org>
To: firewall-wizards@lists.nfr.net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: Using DHCP (was RE: IP Spoofing)
On 3 Oct 99, at 11:01, Bill_Royds@pch.gc.ca wrote:
> .... Having an authorizing DHCP server that can give the firewall
> lists of IP's that have validated themselves for a service means
> that the list is only as old as the DHCP lease.
DHCP hands out addresses, but where does it do validation for
*services*? This is news to me!
David G
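A small model of the scheme debated in this thread, added here as an illustration and not part of the original messages: the DHCP server hands out the 192.16.24.16/28 range only to validated users, the firewall allows by IP alone, and the server compares the (MAC, IP) pairs it sees on its segment against its lease table. The lease table, the observed pairs, the MACs and the user names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Restricted range from the thread: the firewall permits the service for it.
RESTRICTED = ipaddress.ip_network("192.16.24.16/28")


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    user: str  # user the DHCP server validated before handing out the address


# Constructed lease table: only validated users received a restricted address.
LEASES = [
    Lease("00:11:22:33:44:01", "192.16.24.17", "alice"),
    Lease("00:11:22:33:44:02", "192.16.24.18", "bob"),
]

# Constructed (MAC, IP) pairs as seen on the wire, e.g. from ARP traffic on
# the segment the DHCP server itself sits on.
OBSERVED = [
    ("00:11:22:33:44:01", "192.16.24.17"),  # alice, using her leased address
    ("00:11:22:33:44:99", "192.16.24.20"),  # hard-coded address, no lease held
    ("00:11:22:33:44:02", "192.16.24.18"),  # bob, using his leased address
    ("00:11:22:33:44:55", "192.16.24.40"),  # outside the restricted range
]


def firewall_allows(ip: str) -> bool:
    """IP-only rule: the firewall cannot tell a leased address from a spoofed one."""
    return ipaddress.ip_address(ip) in RESTRICTED


def unauthorized_uses(leases, observed):
    """Return (mac, ip) pairs using the restricted range without a matching lease.

    This is the check the DHCP server can make on its own segment: an address
    in its range that is in use but was never leased to that MAC gets logged.
    """
    held = {(lease.mac, lease.ip) for lease in leases}
    return [(mac, ip) for mac, ip in observed
            if ipaddress.ip_address(ip) in RESTRICTED and (mac, ip) not in held]


if __name__ == "__main__":
    for mac, ip in unauthorized_uses(LEASES, OBSERVED):
        print(f"ALERT: {mac} uses {ip} without a lease; "
              f"IP-only firewall still allows it: {firewall_allows(ip)}")
```

The hard-coded address is caught by the lease check but still passes the IP-only rule, which is exactly the gap Adam raises: the DHCP server adds detection and a log entry, not stronger authentication at the firewall.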
This archive was generated by hypermail 2.0b3 on Wed Oct 13 1999 - 17:05:47 CDT