Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.
I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."
Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.
That's why I'm pushing you to figure out where you fit into the equation. At some point, you just follow orders and don't worry about it. Sure, post here, ask what a good solution would have been so that you learn options or whatever. But in a case like this, boss says listen to auditor, auditor tells you to burn the company to the ground, you burn it to the ground because your job is to follow the boss' orders.
It is what it is. But it sounds like the bank has decided that the boss' whims are a higher priority than security or efficiency. It is what it is. BUt that's what they want.
Here is an early Christmas present: Additionally, the auditors have suggested having phones on their own VLAN for security. SO now I'm trying to set up LLDP.
OK just fire the auditors. We have plenty of proof at this point that they are insane.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
LLDP
That's not for security.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.
I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."
Well, I'm still new to banking and IT (only 1.6 years now or something) so I am still learning how it all works. I'm sure it's all FUBAR but hey, I got a family to feed.
That's why I'm pushing you to figure out where you fit into the equation. At some point, you just follow orders and don't worry about it. Sure, post here, ask what a good solution would have been so that you learn options or whatever. But in a case like this, boss says listen to auditor, auditor tells you to burn the company to the ground, you burn it to the ground because your job is to follow the boss' orders.
It is what it is. But it sounds like the bank has decided that the boss' whims are a higher priority than security or efficiency. It is what it is. BUt that's what they want.
Here is an early Christmas present: Additionally, the auditors have suggested having phones on their own VLAN for security. SO now I'm trying to set up LLDP.
Of course they did.
Any chance these auditors happen to sell support services, too?
YES HOW DID YOU KNOW
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
It matches exactly what his boss claims.
So back to my "it's all about politics" problem. Can't point out security problems because of politics.
Sure, but this doesn't imply that the boss is complicit, much more likely... they failed the audit in the past, they were told that static IPs allow the checkbox to be checked and nothing else. So the boss just continues to run with that info - it's no different than people building RAID5 systems 20 years ago because they were told that's what you do (not understanding the why), and they just kept on doing that.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Because it's still be handed an address instead of knowing what address it's supposed to have. It's still using DHCP as an addressing mechanism and thus doesn't fulfill the audit's requirements.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
It matches exactly what his boss claims.
So back to my "it's all about politics" problem. Can't point out security problems because of politics.
Sure, but this doesn't imply that the boss is complicit, much more likely... they failed the audit in the past, they were told that static IPs allow the checkbox to be checked and nothing else. So the boss just continues to run with that info - it's no different than people building RAID5 systems 20 years ago because they were told that's what you do (not understanding the why), and they just kept on doing that.
The boss separately stated this, though.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
-
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
Yes yes yep mmhmm
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Which is why you have teams of people working on IT infrastructure. One person isn't a viable department.
Yes yes yep mmhmm
I was a one man shop not too long ago. Not worth the time and aggravation.
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
Not if there is no pool set. If you just do reservations nothing outside of those will get an address
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
That's not what static means in IT in any way. You can state that all that you want, but to the end device it is dynamic, not statically set. You'd fail any audit and if you got caught, this would be easily a reason to fire you for intentional insubordination. You cannot make the claim that anything using DHCP is "static". DHCP is the replacement for static, not another static option.
I understand why you want to present it this way, but it IT this isn't an option. You cannot call it that. You are misunderstanding the use of the term static here.
In networking...
"Static IPs" means permanent IPs set on the client device that cannot be modified externally through protocols like BOOTP or DHCP.
If BOOTP or DHCP is involved, it's not static, it's that simple.
-
Okay sure, go ahead. I get it. Don't even consider my solution. I see how it is. Thanks,
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
To get to a fully static setup, you could begin with DHCP reservations, and simply start saving entries. Once everything has a static assignment, disable DHCP handouts and go from there.
In any case, you'll be touching every device.
Yeah I'm thinking of that too.. probably the best way to do it and it's still basically static mapping..
Where "basically" means "not". No reason to mess around with this, it only creates extra work and puts you at risk.
Why tho? Instead of manually mapping it at the end point, I can do it from the DHCP server.
Yes, but static means not being able to do that. Static means one thing and only one thing. DHCP or Static, there is no DHCP and static. If you use DHCP, you aren't static no matter how you look at it. The D in DHCP is Dynamic, meaning "not static."
yeah but it's static in that DHCP hands out the same IP to only that system based on mac address and it won't hand an address out to some ding-dong plugging his shitbook into the wall anus
DHCP will still hand out addresses to any device that connects to the "wall anus". Unless you had filtering in place where only MAC addresses that were white listed could pull an IP address.
But in how the question is worded, they don't care about what the client has, they are asking you "Is your network statically assigned, if not you fail?"
LOL - yeah, you would only not get an IP if all IPs in the pool are already assigned either dynamically or statically(via MAC) to a device.
-
How do you build more than 10-20 systems without PXE? I think I’d just have to walk away.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dashrender said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.
This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.
So you don't believe in outside audits at all? People can make mistakes you know, and it not be on purpose.
Yes, but only in extreme cases and only when you really, REALLY know why you are doing it and REALLY know the firm that is doing it and REALLY ensure that you have proper alignment.
Well of course.