    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

    IT Discussion
    214 Posts 11 Posters 32.4k Views
    • scottalanmillerS
      scottalanmiller @coliver
      last edited by

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

      This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

      dave247D DashrenderD 2 Replies Last reply Reply Quote 2
      • dave247D
        dave247 @scottalanmiller
        last edited by

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

        I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

        Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

        Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

        I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

        Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

        Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

        No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

        If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

        Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

        No. That's the damned suggestion.

        Right... that's what we are saying. They are NOT suggesting that you secure your environment, they are suggesting that you use static IPs.

        You are trying to find things that are implied that are not there. There is no need to "read into this", it's very clear. They want you on static IPs, and for reasons that aren't about security (they even point out that it is not about security!)

        gouges own eyes out

        ok. Game over. gg. Static mapped it is.

        Which I'm arguing is the bad route to go. I mean, obviously, pick your battles, but damn bad network design is bad network design.

        Not the end of the world. A bunch of extra work for no reason, but whatever.

        shakes pepper into own eyes

        scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @dave247
          last edited by

          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

          shakes pepper into own eyes

          I did that once. It was a mistake.

          1 Reply Last reply Reply Quote 0
          • coliverC
            coliver @dave247
            last edited by

            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            shakes pepper into own eyes

            The chili powder is more effective.

            dave247D 1 Reply Last reply Reply Quote 0
            • dave247D
              dave247 @scottalanmiller
              last edited by dave247

              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

              This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

              Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff, so we have to spend shitloads of money on 3rd party security firms and stuff. I can't get out of having audits.

              DustinB3403D stacksofplatesS scottalanmillerS 3 Replies Last reply Reply Quote 0
              • DustinB3403D
                DustinB3403 @dave247
                last edited by

                @dave247 How many devices are being discussed here?

                1 Reply Last reply Reply Quote 0
                • stacksofplatesS
                  stacksofplates @dave247
                  last edited by

                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.

                  I get them from DSS/DoD. Come sit through one of ours for some fun

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @dave247
                    last edited by

                    @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.

                    I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."

                    dave247D 1 Reply Last reply Reply Quote 1
                    • dave247D
                      dave247 @coliver
                      last edited by

                      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                      The chili powder is more effective.

                      I need to leave something for after I deploy static addresses again.

                      stacksofplatesS 1 Reply Last reply Reply Quote 0
                      • DustinB3403D
                        DustinB3403
                        last edited by

                        To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

                        In any case, you'll be touching every device.

                        dave247D scottalanmillerS 2 Replies Last reply Reply Quote 0
                        • dave247D
                          dave247 @scottalanmiller
                          last edited by

                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                          I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."

                          Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.

                          scottalanmillerS 1 Reply Last reply Reply Quote 1
                          • dave247D
                            dave247 @DustinB3403
                            last edited by

                            @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

                            In any case, you'll be touching every device.

                            Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..

                            DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @dave247
                              last edited by

                              @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.

                              That's why I'm pushing you to figure out where you fit into the equation. At some point, you just follow orders and don't worry about it. Sure, post here, ask what a good solution would have been so that you learn options or whatever. But in a case like this, boss says listen to auditor, auditor tells you to burn the company to the ground, you burn it to the ground because your job is to follow the boss' orders.

                              It is what it is. But it sounds like the bank has decided that the boss' whims are a higher priority than security or efficiency. It is what it is. But that's what they want.

                              dave247D 1 Reply Last reply Reply Quote 2
                              • DustinB3403D
                                DustinB3403 @dave247
                                last edited by

                                @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..

                                It's not static until everything has a dedicated IP address. And you're still forced to disable DHCP.

                                Which of course does nothing to add network security, or "aiding network management".

                                1 Reply Last reply Reply Quote 1
                                • DashrenderD
                                  Dashrender @coliver
                                  last edited by

                                  @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  s stupid and has no idea what they're talking about. We need to look at hiring a different auditor as to better facilitate a modern

                                  LOL, I've been wading through this post, waiting for this specific post.

                                  • scottalanmillerS
                                    scottalanmiller @DustinB3403

                                    @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

                                    In any case, you'll be touching every device.

That seems like too much work. Just assign statically one by one in a range that isn't in the DHCP range.

                                    • stacksofplatesS
                                      stacksofplates @dave247

                                      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

                                      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

                                      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

                                      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

                                      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

                                      Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

                                      Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

                                      No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

                                      If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

                                      Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

No. That's the damned suggestion.

                                      Right... that's what we are saying. They are NOT suggesting that you secure your environment, they are suggesting that you use static IPs.

                                      You are trying to find things that are implied that are not there. There is no need to "read into this", it's very clear. They want you on static IPs, and for reasons that aren't about security (they even point out that it is not about security!)

                                      gouges own eyes out

                                      ok. Game over. gg. Static mapped it is.

                                      Which I'm arguing is the bad route to go. I mean, obviously, pick your battles, but damn bad network design is bad network design.

                                      Not the end of the world. A bunch of extra work for no reason, but whatever.

                                      shakes pepper into own eyes

                                      The chili powder is more effective.

                                      I need to leave something for after I deploy static addresses again.

You should be able to do exceptions. Have an exception and a mitigation plan for how you are going to address it.

                                      • scottalanmillerS
                                        scottalanmiller @dave247

                                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

                                        In any case, you'll be touching every device.

                                        Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..

                                        Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.

                                        • dave247D
                                          dave247 @scottalanmiller

                                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                                          This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

                                          Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.

                                          I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."

                                          Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.

                                          That's why I'm pushing you to figure out where you fit into the equation. At some point, you just follow orders and don't worry about it. Sure, post here, ask what a good solution would have been so that you learn options or whatever. But in a case like this, boss says listen to auditor, auditor tells you to burn the company to the ground, you burn it to the ground because your job is to follow the boss' orders.

It is what it is. But it sounds like the bank has decided that the boss' whims are a higher priority than security or efficiency. It is what it is. But that's what they want.

Here is an early Christmas present: Additionally, the auditors have suggested having phones on their own VLAN for security. So now I'm trying to set up LLDP.

                                          • DustinB3403D
                                            DustinB3403 @scottalanmiller

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.

                                            In any case, you'll be touching every device.

That seems like too much work. Just assign statically one by one in a range that isn't in the DHCP range.

                                            That would require creating/editing the scope(s) (this of course assuming he's not using most of the existing DHCP scope)

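The two migration routes debated above (turn current leases into reservations first, or hand out static addresses from a range the scope does not cover, which Dustin notes means editing the scope) both come down to a handful of DhcpServer cmdlets on the Windows DHCP server. The script below is an added example written for this thread, not code any poster supplied; the server name, scope, and the 192.168.10.200-254 static range are assumed values, and the DhcpServer RSAT module is assumed to be installed. It is idempotent (re-running it will not duplicate reservations) and runs with -WhatIf until you remove that switch.

```powershell
# Added example for the thread above, not from any poster.
# Assumptions: DhcpServer module available, these names/ranges are placeholders.
Import-Module DhcpServer

$DhcpServer  = 'dhcp01.example.local'   # assumed DHCP server
$ScopeId     = '192.168.10.0'           # assumed scope to work on
$StaticStart = '192.168.10.200'         # assumed range to carve out for
$StaticEnd   = '192.168.10.254'         #   hand-assigned static addresses

# --- Route 1: pin every active lease as a reservation -----------------------
# Index existing reservations by client MAC so the loop can be re-run safely.
$reserved = @{}
Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $reserved[$_.ClientId] = $_.IPAddress }

$leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -eq 'Active' -and -not $reserved.ContainsKey($_.ClientId) }

foreach ($lease in $leases) {
    # Fall back to the MAC when the client never registered a host name.
    $name = if ($lease.HostName) { $lease.HostName } else { "mac-$($lease.ClientId)" }
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
        -IPAddress $lease.IPAddress -ClientId $lease.ClientId -Name $name `
        -Description "Converted from lease on $(Get-Date -Format s)" -WhatIf
}

# --- Route 2: keep a block outside the dynamic pool for static assignment ---
# Only add the exclusion if the block actually falls inside the scope's range;
# addresses outside the scope are never handed out by DHCP anyway.
$scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId
$toInt = { param($ip) [BitConverter]::ToUInt32(([IPAddress]$ip).GetAddressBytes()[3..0], 0) }
$inScope = (& $toInt $StaticStart) -ge (& $toInt $scope.StartRange) -and
           (& $toInt $StaticEnd)   -le (& $toInt $scope.EndRange)

if ($inScope) {
    $already = Get-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId |
        Where-Object { $_.StartRange -eq $StaticStart -and $_.EndRange -eq $StaticEnd }
    if (-not $already) {
        Add-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId `
            -StartRange $StaticStart -EndRange $StaticEnd -WhatIf
    }
}

# Report what is still dynamic, i.e. what the auditor's "plug in a laptop" test
# would still see. Note that neither route stops a device from choosing its
# own static address in this subnet; that is a NAC/802.1X problem, not DHCP.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -eq 'Active' } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

Once every device is reserved you can shrink the scope's range or deactivate it with Set-DhcpServerv4Scope, but the closing report is the part to keep: it shows which addresses are still dynamic and is a reminder that a reservation or a static address pins an address to a MAC, it does not decide who may connect.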