
RE: DHCP



Actually, we have to create a host name when we register our MAC
addresses.  This allows the same host name to be resolved to our IP.

-----------------------------------------
Chuck Haines			
GDC Systems Administrator	
Infinity Complex Developer	
WPILA Lab Manager		
-----------------------------------------
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-----------------------------------------
"Geek by nature, Linux by choice."



-----Original Message-----
From: Hanasaki JiJi [mailto:hanasaki@hanaden.com] 
Sent: Monday, October 28, 2002 8:39 PM
To: Haines, Charles Allen
Cc: debian-security@lists.debian.org
Subject: Re: DHCP


Too bad there is no way to do a secure handshake w/ an id/password or 
even SecureID cards.

Any way to make the same host name resolve to your IP regardless of 
what IP is allocated to your box by dhcp?

Haines, Charles Allen wrote:
> Well here at WPI, we have to register each and every MAC address that 
> we wish to use on campus.  If your MAC address isn't registered, you 
> get no network.  It works the same way with wireless.  And to the best
> of my knowledge, DHCP is used.
> 
> -----------------------------------------
> Chuck Haines			
> GDC Systems Administrator	
> Infinity Complex Developer	
> WPILA Lab Manager		
> -----------------------------------------
> AIM: CyberGrex
> ICQ: 3707881
> Yahoo: CyberGrex_27
> Cell: (410) 610-6343.
> -----------------------------------------
> "Geek by nature, Linux by choice."
> 
> 
> 
> -----Original Message-----
> From: Jones, Steven [mailto:sjones08@eds.com]
> Sent: Monday, October 28, 2002 8:06 PM
> To: 'Stewart James'; debian-security@lists.debian.org
> Subject: RE: DHCP
> 
> 
> ik campus....
> 
> ik
> 
> ik
> 
> so zilch physical security........
> 
> you didn't say this in your earlier post, this has severe security
> implications, in fact I'd suggest you'd be a danger to the internet....
> 
> I'd suggest a letter to the ppl that want this and tell them of the
> severe security implications of what they want.
> 
> you'd be a hackers/spammers dream.......sit in the carpark with a
> laptop and wi-fi and spam the world.....
> 
> can't use static mapping of IPs to MACs.....too many unknown MACs, well
> you can....
> 
> request each person registers their machine with the helldesk and gets
> a static IP given out locked to the MAC address they provide. Run
> arpwatch to look for illegal connections....
> 
> We are trialing wi-fi city wide, the wi-fi lan is behind a firewall 
> and are blocking port 25, then opening up ports as requested based on 
> merits.
> 
> DHCP is the least of your worries.......
> 
> This is not really a debian security issue but a general security 
> issue, I would suggest you get a security policy written and get it 
> agreed with "management". it's your best set of defences from getting 
> screwed over when something goes wrong. Also writing this and getting 
> it agreed will give you time to research and get up to speed.
> 
> Also the DHCP server should have a firewall of its own at the very 
> least.
> 
> It suggests careful planning is needed before implementation, possibly
> a campus wide audit after a policy is agreed (you audit against the
> policy)
> 
> regards
> 
> I'm writing a policy myself and it's taking a while. it will be posted on
> the Internet once done for free use and comment. The debian security
> howto is good, if you have not read it please do.
> 
> I'd split campus network up into a trusted and untrusted LAN (incl
> wi-fi network), the untrusted LAN should be treated as the Internet ie
> a danger zone and firewalled...
> 
> i could go on and on......i suspect you have a lot to do......
> 
> regards
> 
> Steven
> 
> 
> 
> -----Original Message-----
> From: Stewart James [mailto:stewart.james@vu.edu.au]
> Sent: Tuesday, 29 October 2002 12:53
> To: debian-security@lists.debian.org
> Subject: RE: DHCP
> 
> 
> 
> I had the very same thoughts, being a university you can imagine what 
> physical security is like, plus management wants to give students the 
> ability to walk on campus and plugin, plus start wireless services 
> too.
> 
> From what people have sent back from my question, I don't think we 
> will be any worse off security wise as far as moving to DHCP will go.
> 
> Thanks for the various responses, if someone still thinks of a big 
> issue I would love to hear it.
> 
> Cheers,
> 
> Stewart
> 
> On Tue, 29 Oct 2002, Jones, Steven wrote:
> 
> 
>>Date: Tue, 29 Oct 2002 12:19:06 +1300
>>From: "Jones, Steven" <sjones08@eds.com>
>>To: 'Stewart James' <stewart.james@vu.edu.au>,
>>     debian-security@lists.debian.org
>>Subject: RE: DHCP
>>Resent-Date: Mon, 28 Oct 2002 17:24:16 -0600 (CST)
>>Resent-From: debian-security@lists.debian.org
>>
>>u could set dhcp to give out a fixed address dependent on a mac
>>address, this would stop just anybody plugging a box into a network,
>>if your network is physically secure then that's not a worry. (a cat5
>>jack in reception or some other public place is dodgy)
>>
>>Otherwise dhcp makes life easier...it's the only way to manage a decent
>>sized network.
>>
>>:)
>>
> 
> 
> 

-- 
====================================================================
=       http://www.sun.com/service/sunps/jdc/javacenter.pdf        =
=    www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone   =
= ________________________________________________________________ =
= "Noone wants advice - only corroboration" - John Steinbeck       =
==                                                                ==
= "Pawns can become Royalty in Life or in Chess"                   =
= "Life, the only game where Royalty can be a pawn,                =
=        and not even know it"                                     =
= "Chess, the only game where pawns really are pawns"              =
====================================================================
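
Added example, not part of the original thread: the scheme discussed in the messages above (every MAC registered and tied to a fixed address, with ARP monitoring to spot machines that are not) sketched as a check over ARP observations. The registration table, addresses, sample observations and finding names are assumptions constructed for this illustration; they are not arpwatch output.

```python
# Added example: audit ARP observations against a MAC registration table.
# All hosts, MACs and addresses below are constructed sample data.

REGISTERED = {  # MAC -> (hostname, fixed IP handed out by DHCP)
    "00:16:3e:aa:00:01": ("alice-laptop", "192.0.2.10"),
    "00:16:3e:aa:00:02": ("bob-desktop", "192.0.2.11"),
}

# (timestamp, ip, mac) tuples as an ARP monitor might record them.
OBSERVED = [
    (100, "192.0.2.10", "00:16:3E:AA:00:01"),   # registered, correct IP
    (105, "192.0.2.11", "00-16-3e-aa-00-02"),   # registered, other notation
    (110, "192.0.2.50", "00:16:3e:bb:00:09"),   # never registered
    (120, "192.0.2.11", "00:16:3e:aa:00:01"),   # alice's MAC on bob's IP
]


def normalize_mac(mac):
    """Lower-case, colon-separated form so different notations compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(observed, registered):
    """Return (timestamp, finding, ip, mac) for every policy violation."""
    findings = []
    ip_owner = {}  # ip -> MAC last seen answering for it
    for ts, ip, raw_mac in sorted(observed):
        mac = normalize_mac(raw_mac)
        if mac not in registered:
            findings.append((ts, "unregistered-mac", ip, mac))
        elif registered[mac][1] != ip:
            findings.append((ts, "wrong-ip-for-mac", ip, mac))
        previous = ip_owner.get(ip)
        if previous is not None and previous != mac:
            findings.append((ts, "ip-changed-mac", ip, mac))
        ip_owner[ip] = mac
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, REGISTERED):
        print(*finding)
```

The check only compares addresses against the table; a MAC address is an identifier, not a credential, which is the gap the "secure handshake" remark in the thread points at.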