
RE: DHCP



Well here at WPI, we have to register each and every MAC address that we
wish to use on campus.  If your MAC address isn't registered, you get no
network.  It works the same way with wireless.  And to the best of my
knowledge, DHCP is used.

-----------------------------------------
Chuck Haines			
GDC Systems Administrator	
Infinity Complex Developer	
WPILA Lab Manager		
-----------------------------------------
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-----------------------------------------
"Geek by nature, Linux by choice."



-----Original Message-----
From: Jones, Steven [mailto:sjones08@eds.com] 
Sent: Monday, October 28, 2002 8:06 PM
To: 'Stewart James'; debian-security@lists.debian.org
Subject: RE: DHCP


ik campus....

ik

ik

so zilch physical security........

you didn't say this in your earlier post, this has severe security
implications, in fact I'd suggest you'd be a danger to the internet....

I'd suggest a letter to the ppl that want this and tell them of the
severe security implications of what they want.

you'd be a hacker's/spammer's dream.......sit in the carpark with a laptop
and wi-fi and spam the world.....

can't use static mapping of IPs to MACs.....too many unknown MACs, well
you can....

request each person registers their machine with the helldesk and gets a
static IP given out locked to the MAC address they provide. Run arpwatch
to look for illegal connections....

We are trialing wi-fi city wide, the wi-fi lan is behind a firewall and
are blocking port 25, then opening up ports as requested based on
merits.

DHCP is the least of your worries.......

This is not really a debian security issue but a general security issue,
I would suggest you get a security policy written and get it agreed with
"management". It's your best set of defences from getting screwed over
when something goes wrong. Also writing this and getting it agreed will
give you time to research and get up to speed.

Also the DHCP server should have a firewall of its own at the very
least.

It suggests careful planning is needed before implementation, possibly a
campus wide audit after a policy is agreed (you audit against the
policy)

regards

I'm writing a policy myself and it's taking a while. It will be posted on
the Internet once done for free use and comment. The debian security
howto is good, if you have not read it please do.

I'd split campus network up into a trusted and untrusted LAN (incl. wi-fi
network), the untrusted LAN should be treated as the Internet ie a
danger zone and firewalled...

I could go on and on......I suspect you have a lot to do......

regards

Steven



-----Original Message-----
From: Stewart James [mailto:stewart.james@vu.edu.au]
Sent: Tuesday, 29 October 2002 12:53 
To: debian-security@lists.debian.org
Subject: RE: DHCP



I had the very same thoughts, being a university you can imagine what
physical security is like, plus management wants to give students the
ability to walk on campus and plug in, plus start wireless services too.

From what people have sent back from my question, I don't think we will
be any worse off security-wise as far as moving to DHCP will go.

Thanks for the various responses, if someone still thinks of a big issue
I would love to hear it.

Cheers,

Stewart

On Tue, 29 Oct 2002, Jones, Steven wrote:

> Date: Tue, 29 Oct 2002 12:19:06 +1300
> From: "Jones, Steven" <sjones08@eds.com>
> To: 'Stewart James' <stewart.james@vu.edu.au>,
>      debian-security@lists.debian.org
> Subject: RE: DHCP
> Resent-Date: Mon, 28 Oct 2002 17:24:16 -0600 (CST)
> Resent-From: debian-security@lists.debian.org
>
> u could set dhcp to give out a fixed address dependent on a mac
> address, this would stop just anybody plugging a box into a network,
> if your network is physically secure then that's not a worry. (a cat5
> jack in reception or some other public place is dodgy)
>
> Otherwise dhcp makes life easier...it's the only way to manage a decent
> sized network.
>
> :)
>

