Securing DHCP - Nailed by a Dasher worm from an external party


cedralpass

We were hit hard on Friday with the new Dasher.H variant. We have been
brainstorming solutions to this issue. It seems that every virus we
have had has been an external party bringing in an outside laptop for a
demo or consulting.

Is there any way to make sure DHCP only hands out IPs to a computer
bound to a domain?
We are currently grabbing all the MAC addresses with a scan and
manually making a reservation. However, with our limited staff, I don't
think this is a very maintainable solution.

Are there any nice management packages?

Thanks,

Geoff
 

Phillip Windell

cedralpass said:
We were hit hard on Friday with the new Dasher.H variant. We have been
brainstorming solutions to this issue. It seems that every virus we
have had has been an external party bringing in an outside laptop for a
demo or consulting.

Is there any way to make sure DHCP only hands out IPs to a computer
bound to a domain?
We are currently grabbing all the MAC addresses with a scan and
manually making a reservation. However, with our limited staff, I don't
think this is a very maintainable solution.

DHCP is a convenience tool, not a security tool... in fact it is more of an
insecurity tool. By the time you could configure all those reservations,
you could just stop using DHCP and statically assign everything.
Are there any nice management packages?

There are quarantining solutions out there, but they are in the early stages
of development... very complex... require networking hardware to be
compliant... and, oh, yeah... $$$$$.

You have a "human" problem, not a technical problem, and it needs to be
dealt with as a human problem. However, some things you can do if you want
to keep using DHCP is to physically secure the building. Only allow DHCP on
wall jacks in secured areas of the building... unsecured areas of the
building must not use DHCP and require static TCP configs. The unsecured
areas will of course be a different subnet, which will also allow you to run
ACLs on the LAN router between the segments.

I will probably create a special subnet like this in the future for our
conference room. I can still allow DHCP if I choose, but the LAN router will
only allow DHCP queries to the DHCP server and will only allow HTTP/HTTPS &
FTP to the Internet, but be totally disallowed to the rest of the LAN subnets
short of the DHCP queries required to get an address.
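The conference-room ACL described in the post, written out as an added example so the policy can be checked against sample packets. This is not code from the thread; the addresses, the subnet sizes and the assumption that the router relays the room's DHCP broadcasts to the server as unicast UDP/67 are all illustrative choices.

```python
"""Added example: the conference-room ACL from the post above, modelled as
first-match rules so the policy can be checked against sample packets.
Not from the original thread; all addresses are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address

CONF_SUBNET = ip_network("192.168.50.0/24")   # assumed conference-room subnet
DHCP_SERVER = ip_address("192.168.1.10")      # assumed DHCP server on an internal subnet
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]      # "the rest of the LAN"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "any" or a protocol name
    dst: str            # "dhcp-server", "lan" or "internet"
    dports: frozenset   # empty set means any port


def classify_dst(dst: IPv4Address) -> str:
    """Bucket a destination the way the router ACL would see it."""
    if dst == DHCP_SERVER:
        return "dhcp-server"
    return "lan" if any(dst in net for net in RFC1918) else "internet"


# Ordered like a router ACL applied inbound on the conference-room interface:
# first match wins, and anything unmatched hits the implicit deny at the end.
ACL = [
    # 1. DHCP to the DHCP server only.  The client's broadcast DISCOVER is
    #    picked up by the relay on the router interface (assumed), which
    #    forwards it as unicast UDP/67, so that is what the ACL must allow.
    Rule("permit", "udp", "dhcp-server", frozenset({67})),
    # 2. Nothing else from the room reaches the DHCP server or any LAN subnet.
    Rule("deny", "any", "dhcp-server", frozenset()),
    Rule("deny", "any", "lan", frozenset()),
    # 3. Web and the FTP control channel to the Internet.
    Rule("permit", "tcp", "internet", frozenset({80, 443, 21})),
]


def evaluate(pkt: Packet):
    """Return (action, rule_number) for a packet; rule_number is None when
    the packet fell through to the implicit deny."""
    if pkt.src not in CONF_SUBNET:
        return ("deny", None)   # source not in the room's subnet: spoofed or misrouted
    for number, rule in enumerate(ACL, start=1):
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dst != classify_dst(pkt.dst):
            continue
        if rule.dports and pkt.dport not in rule.dports:
            continue
        return (rule.action, number)
    return ("deny", None)


def check_sample_traffic():
    """Constructed packets a worm-infected visitor laptop might generate."""
    laptop = ip_address("192.168.50.20")
    relay = ip_address("192.168.50.1")       # router interface in the room
    internet_host = ip_address("203.0.113.10")
    samples = {
        "dhcp relay to server":   Packet("udp", relay,  DHCP_SERVER, 67),
        "smb to dhcp server":     Packet("tcp", laptop, DHCP_SERVER, 445),
        "smb to file server":     Packet("tcp", laptop, ip_address("192.168.1.25"), 445),
        "https to internet":      Packet("tcp", laptop, internet_host, 443),
        "ftp to internet":        Packet("tcp", laptop, internet_host, 21),
        "smtp to internet":       Packet("tcp", laptop, internet_host, 25),
        "dns to internal server": Packet("udp", laptop, ip_address("192.168.1.5"), 53),
        "spoofed lan source":     Packet("tcp", ip_address("10.1.1.1"), internet_host, 80),
    }
    return {name: evaluate(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, rule) in check_sample_traffic().items():
        print(f"{name:24s} {action:6s} rule {rule}")
```

Two things the sample run makes visible: the worm's SMB probes toward the LAN are stopped by the deny rules before the Internet permit is ever consulted, and DNS (UDP/53) to the internal name server falls into the same LAN deny, so a real deployment of this policy needs one more permit for whichever resolver the conference-room DHCP scope hands out, or the web access it allows will not work.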
 

cedralpass

Phillip said:
DHCP is a convenience tool, not a security tool... in fact it is more of an
insecurity tool. By the time you could configure all those reservations,
you could just stop using DHCP and statically assign everything.


There are quarantining solutions out there, but they are in the early stages
of development... very complex... require networking hardware to be
compliant... and, oh, yeah... $$$$$.

You have a "human" problem, not a technical problem, and it needs to be
dealt with as a human problem. However, some things you can do if you want
to keep using DHCP is to physically secure the building. Only allow DHCP on
wall jacks in secured areas of the building... unsecured areas of the
building must not use DHCP and require static TCP configs. The unsecured
areas will of course be a different subnet, which will also allow you to run
ACLs on the LAN router between the segments.

I will probably create a special subnet like this in the future for our
conference room. I can still allow DHCP if I choose, but the LAN router will
only allow DHCP queries to the DHCP server and will only allow HTTP/HTTPS &
FTP to the Internet, but be totally disallowed to the rest of the LAN subnets
short of the DHCP queries required to get an address.

Phillip,

this is an excellent idea. I really like it. Having our conference rooms
patched into another subnet will knock out 90% of the issue.

We are looking at some interesting hardware as well: Bluelane is one
device, and TrendMicro Virus Wall another.

Thanks again,

Geoffrey
 

Phillip Windell

cedralpass said:
this is an excellent idea. I really like it. Having our conference rooms
patched into another subnet will knock out 90% of the issue.

We are looking at some interesting hardware as well: Bluelane is one
device, and TrendMicro Virus Wall another.

Sounds good!
Good luck with it.
 
