
RE: DHCP



ik campus....

ik

ik

so zilch physical security........

you didn't say this in your earlier post, this has severe security
implications, in fact I'd suggest you'd be a danger to the internet....

I'd suggest a letter to the ppl that want this and tell them of the severe
security implications of what they want.

you'd be a hacker's/spammer's dream.......sit in the carpark with a laptop and
wi-fi and spam the world.....

can't use static mapping of IPs to MACs.....too many unknown MACs, well you
can....

request each person registers their machine with the helldesk and gets a
static IP given out locked to the MAC address they provide. Run arpwatch to
look for illegal connections....

We are trialing wi-fi city wide, the wi-fi lan is behind a firewall and are
blocking port 25, then opening up ports as requested based on merits.

DHCP is the least of your worries.......

This is not really a debian security issue but a general security issue, I
would suggest you get a security policy written and get it agreed with
"management". It's your best set of defences from getting screwed over when
something goes wrong. Also writing this and getting it agreed will give you
time to research and get up to speed.

Also the DHCP server should have a firewall of its own at the very least.

It suggests careful planning is needed before implementation, possibly a
campus wide audit after a policy is agreed (you audit against the policy)

regards

I'm writing a policy myself and it's taking a while. It will be posted on the
Internet once done for free use and comment. The debian security howto is
good, if you have not read it please do.

I'd split campus network up into a trusted and untrusted LAN (incl wi-fi
network), the untrusted LAN should be treated as the Internet ie a danger
zone and firewalled...

I could go on and on......I suspect you have a lot to do......

regards

Steven



-----Original Message-----
From: Stewart James [mailto:stewart.james@vu.edu.au]
Sent: Tuesday, 29 October 2002 12:53 
To: debian-security@lists.debian.org
Subject: RE: DHCP



I had the very same thoughts, being a university you can imagine what
physical security is like, plus management wants to give students the
ability to walk on campus and plug in, plus start wireless services too.

From what people have sent back from my question, I don't think we will be
any worse off security wise as far as moving to DHCP will go.

Thanks for the various responses, if someone still thinks of a big issue I
would love to hear it.

Cheers,

Stewart

On Tue, 29 Oct 2002, Jones, Steven wrote:

> Date: Tue, 29 Oct 2002 12:19:06 +1300
> From: "Jones, Steven" <sjones08@eds.com>
> To: 'Stewart James' <stewart.james@vu.edu.au>,
>      debian-security@lists.debian.org
> Subject: RE: DHCP
> Resent-Date: Mon, 28 Oct 2002 17:24:16 -0600 (CST)
> Resent-From: debian-security@lists.debian.org
>
> u could set dhcp to give out a fixed address dependent on a mac address,
> this would stop just anybody plugging a box into a network, if your network
> is physically secure then that's not a worry. (a cat5 jack in reception or
> some other public place is dodgy)
>
> Otherwise dhcp makes life easier...its the only way to manage a decent sized
> network.
>
> :)
>
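
The registration-plus-monitoring idea from this thread (fixed addresses keyed to registered MACs, then watching for machines that do not match), as an added example that is not code from either poster. It assumes ISC dhcpd `host` declarations as the registry; the host names, addresses and sightings are constructed samples.

```python
import re

# Constructed sample: ISC dhcpd host declarations for registered machines.
DHCPD_CONF = """
host alice-laptop { hardware ethernet 00:11:22:33:44:55; fixed-address 10.0.5.10; }
host bob-desktop {
    hardware ethernet 00:AA:BB:CC:DD:EE;
    fixed-address 10.0.5.11;
}
"""

# Constructed sample: (MAC, IP) pairs as an ARP monitor would observe them.
SIGHTINGS = [
    ("00:11:22:33:44:55", "10.0.5.10"),  # registered, using its fixed address
    ("00:aa:bb:cc:dd:ee", "10.0.5.42"),  # registered MAC, self-assigned IP
    ("de:ad:be:ef:00:01", "10.0.5.11"),  # unknown MAC using bob's address
    ("de:ad:be:ef:00:02", "10.0.5.99"),  # unknown MAC, unknown IP
]

# Assumes "hardware ethernet" precedes "fixed-address" inside each host block.
HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;"
    r"[^}]*?fixed-address\s+([\d.]+)\s*;[^}]*\}")


def load_registry(conf):
    """Return {mac: (hostname, ip)} parsed from dhcpd host blocks."""
    return {mac.lower(): (name, ip) for name, mac, ip in HOST_RE.findall(conf)}


def audit(sightings, registry):
    """Return (finding, mac, ip) for every sighting that breaks the registry."""
    ip_owner = {ip: mac for mac, (_, ip) in registry.items()}
    findings = []
    for mac, ip in sightings:
        mac = mac.lower()
        if mac in registry:
            if registry[mac][1] != ip:       # known machine, wrong address
                findings.append(("wrong-ip", mac, ip))
        elif ip in ip_owner:                 # stranger on a reserved address
            findings.append(("ip-hijack", mac, ip))
        else:                                # never registered at all
            findings.append(("unregistered", mac, ip))
    return findings


if __name__ == "__main__":
    for kind, mac, ip in audit(SIGHTINGS, load_registry(DHCPD_CONF)):
        print(f"{kind:13} {mac} {ip}")
```

A client can change its own MAC address, so a clean audit shows conformance with the registry rather than proof of which machine is connected.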


