Security Appliance With 12 Network Segments

DHCP is not a security protocol. In fact, DHCP is a security hole. DHCP broadcasts immediately tell any listener what the shape of your network is (network mask, gateway, etc). ARP further donates to the trojan's battle plan by informing it of specific targets.

It frustrates me a lot when I hear people thinking that software that helps a trojan do its job can be configured to help security. It's the opposite.

Reply to
W

Which commercial firewalls support mapping of mac addresses to IP addresses? ISA Server doesn't. Older versions of Checkpoint don't seem to support this either.

Reply to
W

Any decent OS should let you set static ARP entries. Checkpoint on SPLAT and Windows both support this using the underlying OS' tools. Similarly ISA will use the ARP table of the underlying windows server OS, which has the arp -s command for adding your own static entries.

It isn't tidy, but then commercial firewalls are more about controlling data flow between networks rather than controlling physical network access. That's what 802.1x is for.

Reply to
Lord Edam de Fromage

While it's true that DHCP is not a security protocol, any but the smallest networks would be unmanageable without DHCP.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Which weren't too static on some Windows versions.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I disagree. Yes, you can manage your clients in a network more easily via DHCP, but I have preferred static IPs ever since. But I feel a lot of upcoming changes with IPv6.

cheers

Reply to
Burkhard Ott

Oh, but it would be so incredibly nice to have a firewall integrate this capability in cleanly. You have to make a static IP definition in the firewall anyway, so it's a handy place to identify the MAC. Knowing that someone is impersonating one of your trusted IPs is certainly within the domain of what a firewall could/should tell you.

As you say, using the OS for this isn't tidy. You have two security layers - firewall and OS - orthogonal to each other and not integrated/coordinated.

Reply to
W

Exactly right. DHCP's main purpose in life is to help machines *that play by the rules* to share a limited pool of IPs. In this role it performs well.

DHCP's role is not to make sure that other PCs don't use an IP that it wants to manage. A hacker doesn't play by the rules, and for that person DHCP is one of his tools.

Reply to
W

Ever tried changing a significant portion of addresses on a network with a couple dozen hosts or more? Or renumbering the network? Besides, DHCP is not just for assigning IP addresses. You actually want to walk to every single host in your network every time a name server changes? Or a time server? I beg to differ.

Repeating myself: without DHCP all but the smallest networks are not manageable.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Yes, a couple /22 and bigger ones as well. Well planned, well performed, no DHCP involved.

Sure, but it's also easy to e.g. renumber networks without DHCP. Until the migration is done I usually keep the new and old gateway and DNS IP and NAT it to the new network until every client has the new config. Besides that there are multiple ways to do something like that. I'm not saying you're wrong, I just said I prefer static IPs in my networks, nothing else.

I still disagree.

cheers

Reply to
Burkhard Ott

MAC address isn't the best solution for that. If you need to know an individual host in your rules is the physical host you think it is, use some form of authentication in your firewall rules (since you mention Checkpoint, its client authentication solution can tie a client to a single source IP address if you want).

Relying on MAC addresses will only work for networks directly attached to your firewall - as soon as you pass a router you lose the host's MAC address. Any moderately sized network will need to use something else on the firewall for host authentication.

Reply to
Lord Edam de Fromage
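The two points made in this thread about a firewall knowing its trusted hosts (W's wish that the firewall tell you when a trusted IP is being impersonated, and Lord Edam's caveat that a MAC check is only meaningful for directly attached networks) can be illustrated with a small defender-side check. The script below is an added example, not code from the thread or from any of the products mentioned. It parses a constructed sample of Windows `arp -a` output (the column layout is assumed), compares each trusted IP-to-MAC pair against what the ARP table currently says, and refuses to draw any conclusion for IPs that sit behind a router, since the only MAC ever seen for those is the router's. The trusted mapping and the local subnet list are constructed for the example.

```python
"""Compare a trusted IP->MAC map against a host's ARP table.

Added example (not from the thread). Sample data below is constructed.
"""
import ipaddress
import re

# Constructed sample of `arp -a` output on a Windows host; column layout assumed.
# 192.168.10.30 deliberately shows a MAC that disagrees with the trusted map.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-11-22-33-44-01     static
  192.168.10.20         00-11-22-33-44-20     dynamic
  192.168.10.30         aa-bb-cc-dd-ee-30     dynamic
"""

# Constructed trusted mapping, the kind of thing you would keep next to the
# firewall's static IP definitions. 10.0.0.9 lives behind a router.
TRUSTED = {
    "192.168.10.1": "00:11:22:33:44:01",
    "192.168.10.20": "00:11:22:33:44:20",
    "192.168.10.30": "00:11:22:33:44:30",
    "10.0.0.9": "00:11:22:33:44:09",
}

# Subnets directly attached to the host running the check (constructed).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]

# One ARP table row: IPv4 address, MAC with '-' or ':' separators, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so '-' and ':' styles compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Return {ip: (mac, entry_type)} from `arp -a`-style output."""
    entries = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            ip, mac, entry_type = match.groups()
            entries[ip] = (normalize_mac(mac), entry_type.lower())
    return entries


def check_arp(arp_entries: dict, trusted: dict, local_subnets: list) -> dict:
    """Classify each trusted IP as ok, mismatch, absent or unverifiable.

    'unverifiable' means the IP is not on a directly attached subnet, so the
    ARP table can only ever hold the router's MAC for it, not the host's.
    """
    results = {}
    for ip, expected_mac in trusted.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in local_subnets):
            results[ip] = "unverifiable"
            continue
        entry = arp_entries.get(ip)
        if entry is None:
            results[ip] = "absent"
        elif entry[0] != normalize_mac(expected_mac):
            results[ip] = "mismatch"
        else:
            results[ip] = "ok"
    return results


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for ip, status in check_arp(table, TRUSTED, LOCAL_SUBNETS).items():
        seen = table.get(ip, ("-", "-"))[0]
        print(f"{ip:<16} expected {TRUSTED[ip]}  seen {seen:<18} {status}")
```

A "mismatch" here is only a signal worth investigating, not proof of spoofing: a replaced NIC or a re-imaged host produces the same result, which is why the thread's suggestion of real client authentication at the firewall still applies for anything beyond the directly attached segment.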

You're a victim of cynicism if you believe that they don't help keep malware off networks. Maybe you don't understand that keeping networks protected requires multiple methods?

Reply to
Leythos

At no point have I stated that "DHCP IS A SECURITY" anything.

Reply to
Leythos

You're kidding, right?

I manage a couple /21 and /22 networks as well as 80+ /24 networks. Building them properly, with DHCP and reservations, enables them to be managed significantly easier.

Yes, it "can" be done with static IPs, but, except for some non-office type hardware, it's silly to go to that expense, and the additional maintenance costs to maintain it are just plain stupid.

I can remotely convert a /22 network, without being on-site, and have it come back up without a problem - it's significantly harder if everything has static IPs.

Reply to
Leythos

You are quoting me, but I didn't write the last line you replied to.

Reply to
Leythos

No, why?

I agreed it is easier to manage, but also easier to exploit.

Nope, tell me why. I did and do it for years this way and it works very well.

Nope, that's just not true. I also don't need to be on site; that's why HP has ILO, or SUN ILOM, etc.

cheers

Reply to
Burkhard Ott

Ah yeah, that is the reason why we don't have incidents anymore. Cool, I can retire since everything is now safe...

cheers

Reply to
Burkhard Ott

Our experiences differ.

Reply to
Leythos

Totally, but that happens.

cheers

Reply to
Burkhard Ott

It isn't true that changing the configuration locally on a number of hosts is significantly harder than changing a couple lines in one configuration file on one host? IBTD.

In their clients? IBTD.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
