 
From: Colin Stefani (cstefanitideworks.com)
Date: Thu Jun 28 2001 - 11:22:01 CDT


    This in my eyes is more of a physical security issue than a network one.

    It might make more sense to make sure that all network drops are allocated
    to a machine or network device and any "open" or unused drops are
    disconnected from the switches or hubs, thus forcing someone to unplug a
    machine to use a drop if they were out to do malicious things. Not a total
    solution but will at least make it harder or more obvious to do nasty
    things.

    Also, make sure your front desk audits who comes in and out of your doors
    carefully and train your staff to pay attention and challenge anyone they
    don't know doing anything besides using the bathroom (even then...) (i.e.
    sign people in, ensure that any guest has an escort, have them sign NDAs
    and all that legal stuff, etc. etc.). Plus, anyone who is a "security risk"
    (contractors, 3rd parties, etc.) should be only allowed in the office when
    others are there during working hours. If you have wands or key cards that
    these people use, then limit them to hours you want, making it tough for
    those people to get in and out when no one is there.

    I've personally never heard of a product for doing a secure DHCP protocol,
    unless one was to call a static map of MACs to IPs "secure", which in that
    case you might as well just configure each machine as a static config,
    because it's just as much work, as you point out. But not necessarily more
    secure. If someone (read: a contractor or whomever) is going to access your
    network and do naughty things, it's likely it wouldn't take them long to
    learn your IP range, mask, DNS, and WINS settings and just set themselves up
    as a static address anyway, thus nullifying the whole point of statically
    mapping with the intention of security.

    That's my $0.02,

    Colin.S

    -----Original Message-----
    From: Rob Terry [mailto:RTerryexcel.com]
    Sent: Wednesday, June 27, 2001 6:50 AM
    To: focus-mssecurityfocus.com
    Subject: Secure DHCP...

    For unknown reasons, the powers that be have recently got an idea in their
    heads that it's not appropriate for a machine to join a network and be able
    to receive a DHCP address as normal - the idea that a consultant can come
    into our network, plug in his laptop, and get a DHCP address bothers them,
    and so they're asking if there's a way to make DHCP a secure protocol.

    The only answer I can think of would be a product that had a table of MACs
    for each network, and would have to be manually maintained if users moved
    from one network to another, or if new machines were introduced to a
    network. Maybe something like whatever AT&T/TCI/Home did to their cable
    modem networks, where it extends the DHCP lease offer on a condition of
    understanding the machine's workgroup/domain name would work, but I haven't
    seen any software that does that. The first of the two ideas sounds like
    even less fun than just assigning everyone static IPs, and the second would
    be more acceptable and offer some additional security. Has anyone worked
    with this?

    Thanks as always,

    Rob
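
The thread's point that a static MAC-to-IP map does not stop a visitor from configuring an address by hand can be turned into a detection check: compare the approved map against what the segment's ARP table actually shows. The following is an added example, not part of either message; the function names, the reservation table and the ARP entries are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): the approved MAC -> IP map
# a "static map" DHCP server would hold, and ARP entries seen on the segment.
RESERVATIONS = {
    "00:10:5a:aa:bb:01": "10.1.1.10",
    "00:10:5a:aa:bb:02": "10.1.1.11",
    "00:10:5a:aa:bb:03": "10.1.1.12",
}
ARP_OBSERVED = [
    ("10.1.1.10", "00-10-5A-AA-BB-01"),    # matches its reservation
    ("10.1.1.50", "0010.5aaa.bb02"),       # approved NIC, hand-set address
    ("10.1.1.77", "00:0c:29:12:34:56"),    # unlisted NIC, free address
    ("10.1.1.12", "00:0C:29:65:43:21"),    # unlisted NIC on a reserved address
    ("192.168.9.9", "00:0c:29:00:00:09"),  # other subnet, out of scope
]
SUBNET = ipaddress.ip_network("10.1.1.0/24")


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(reservations, observed, subnet):
    """Return (finding, ip, mac) for every in-scope host off the approved map."""
    reserved_ips = set(reservations.values())
    findings = []
    for ip, raw_mac in observed:
        if ipaddress.ip_address(ip) not in subnet:
            continue
        mac = normalize_mac(raw_mac)
        if mac not in reservations:
            kind = ("unlisted MAC on reserved IP" if ip in reserved_ips
                    else "unlisted MAC on self-assigned IP")
        elif reservations[mac] != ip:
            kind = "listed MAC on unexpected IP"
        else:
            continue
        findings.append((kind, ip, mac))
    return findings


if __name__ == "__main__":
    for finding in audit(RESERVATIONS, ARP_OBSERVED, SUBNET):
        print(*finding, sep="\t")
```

MAC addresses are not authenticated, so this is a detection aid that complements the unused-drop and visitor controls described in the reply rather than an access control in itself.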