    Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

    IT Discussion
    214 Posts 11 Posters 32.4k Views
    • scottalanmillerS
      scottalanmiller @coliver
      last edited by

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

      Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

      Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

      No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

      If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

      Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

      No. That's the damned suggestion.

      Then you didn't post the entire section. From what you've listed that's exactly what they are requiring. We're working from imperfect information here so I'm sorry if we're being obtuse.

      Exactly and, more importantly, the only thing that they are requiring.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @dave247
        last edited by

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

        This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

        That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

        This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

        The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

        I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

        I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

        The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

        My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

        So the simple answer is to unplug everything not used.

        What is the exact wording of the audit question?

        I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

        Static IP Address Assignment
        Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned IP addresses and other required network information.
        Standards Mapping:
        Control Type: (Project)
        NIST Cybersecurity Framework: PR.AC-4
        NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
        Control Class: Technical

        Read this section again carefully. It's not a section about "why you need to keep unauthorized things from getting onto the network." This is just "use static IPs". Nothing more, nothing less. The audit is telling you that you need to be static, period. No ifs, ands, or buts. Notice that they lead with "aiding network management" not with security. That's an "oh it also does this."

        It's very clear, static IPs is their goal, not security. You are misunderstanding the goals and requirements of the audit if you think that this is about security, or that securing the environment will satisfy what they are demanding.

        ok well then, ffs, maybe I'll just use DHCP reservation on this...

        Won't meet their requirements. That's smarter from an IT perspective, but won't meet their stated requirement.

        1 Reply Last reply Reply Quote 0
        • coliverC
          coliver @dave247
          last edited by

          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

          ok well then, ffs, maybe I'll just use DHCP reservation on this...

          This won't meet the requirements though. They aren't statically assigned.

          1 Reply Last reply Reply Quote 0
          • dave247D
            dave247 @scottalanmiller
            last edited by

            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

            Right... that's what we are saying. They are NOT suggesting that you secure your environment, they are suggesting that you use static IPs.

            You are trying to find things that are implied that are not there. There is no need to "read into this", it's very clear. They want you on static IPs, and for reasons that aren't about security (they even point out that it is not about security!)

            gouges own eyes out

            ok. Game over. gg. Static mapped it is.

            scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller
              last edited by

              If they test to see if DHCP is on the network, they'll know that you aren't doing static, for example. Or look to see if DHCP is running. Or just ask.

              1 Reply Last reply Reply Quote 0
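
              Added example, not posted by anyone in the thread: what a "is DHCP still on the network?" test actually sees on the Windows side. The first part runs on the DHCP server and lists scopes, leases and reservations (a reservation is still a lease, which is why it does not count as static); the second part runs on any client and reports whether each address was obtained by DHCP or set manually. It assumes the DhcpServer RSAT module is installed and the caller has DHCP administrator rights.

```powershell
# Added example (not from the thread). Assumes the DhcpServer RSAT module and
# DHCP admin rights on the server where the first block runs.

# --- Server side: is the DHCP service running, and does it still issue leases? ---
$svc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Host "DHCP Server service is running on $env:COMPUTERNAME"
    foreach ($scope in Get-DhcpServerv4Scope) {
        $leases       = @(Get-DhcpServerv4Lease -ScopeId $scope.ScopeId)
        $reservations = @(Get-DhcpServerv4Reservation -ScopeId $scope.ScopeId)
        # A reservation is still handed out by the server on request, so from the
        # audit text's point of view it is not a statically assigned address.
        # Only an inactive scope (or no scope at all) means nothing is assigned dynamically.
        [pscustomobject]@{
            Scope        = $scope.ScopeId
            State        = $scope.State
            Leases       = $leases.Count
            Reservations = $reservations.Count
        }
    }
} else {
    Write-Host "DHCP Server service is not running (or not installed) on $env:COMPUTERNAME"
}

# --- Client side: how did this host actually get its IPv4 address? ---
# PrefixOrigin 'Dhcp' means the address came from a lease (reserved or not);
# 'Manual' is what the audit text calls a statically assigned address.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin

# The same answer from the interface view: Dhcp = Enabled means the adapter
# will ask for a lease the next time it comes up, whatever address it has now.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, Dhcp, ConnectionState
```

              Running the client part across the fleet (for example via Invoke-Command) gives a list of hosts still on DHCP, which is the evidence an auditor checking for "static" would be looking for.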
              • scottalanmillerS
                scottalanmiller @dave247
                last edited by

                @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                ok. Game over. gg. Static mapped it is.

                That's all that they wanted. There was really nothing to ask. They had one goal - static IPs. It's insane, no doubt. That's why we are saying that it is time to push back. This is a disaster.

                But it is the only thing that allows you to say that you did what they said.

                1 Reply Last reply Reply Quote 1
                • coliverC
                  coliver @dave247
                  last edited by

                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                  ok. Game over. gg. Static mapped it is.

                  Which I'm arguing is the bad route to go. I mean, obviously, pick your battles, but damn bad network design is bad network design.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @coliver
                    last edited by

                    @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                    Which I'm arguing is the bad route to go. I mean, obviously, pick your battles, but damn bad network design is bad network design.

                    Not the end of the world. A bunch of extra work for no reason, but whatever.

                    DustinB3403D dave247D 2 Replies Last reply Reply Quote 0
                    • coliverC
                      coliver
                      last edited by coliver

                      I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                      I know a few auditors who go into companies to do court-ordered cleanings of systems. They are corrupt, sometimes leaving obvious information behind and telling the judge "We may not have gotten everything" of course the company paying them can't really do anything but pay for them to come in again and of course judges don't understand technology so they mandate it again. It's just crazy.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • DustinB3403D
                        DustinB3403 @scottalanmiller
                        last edited by

                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                        Not the end of the world. A bunch of extra work for no reason, but whatever.

                        The extra work is for implied "aiding network management".

                        1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in [Best way to secure DHCP so that not just anyone can plug their PC in and

                          The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

Can we have this question made into its own topic?

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @coliver
                            last edited by

                            @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                            I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                            This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

                            dave247D DashrenderD 2 Replies Last reply Reply Quote 2
                            • dave247D
                              dave247 @scottalanmiller
                              last edited by

                              @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                              Not the end of the world. A bunch of extra work for no reason, but whatever.

                              shakes pepper into own eyes

                              scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @dave247
                                last edited by

                                @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                shakes pepper into own eyes

                                I did that once. It was a mistake.

                                1 Reply Last reply Reply Quote 0
                                • coliverC
                                  coliver @dave247
                                  last edited by

                                  @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                  shakes pepper into own eyes

                                  The chili powder is more effective.

                                  dave247D 1 Reply Last reply Reply Quote 0
                                  • dave247D
                                    dave247 @scottalanmiller
                                    last edited by dave247

                                    @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                    I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                                    This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

                                    Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff, so we have to spend shitloads of money on 3rd party security firms and stuff. I can't get out of having audits.

                                    DustinB3403D stacksofplatesS scottalanmillerS 3 Replies Last reply Reply Quote 0
                                    • DustinB3403D
                                      DustinB3403 @dave247
                                      last edited by

                                      @dave247 How many devices are being discussed here?

                                      1 Reply Last reply Reply Quote 0
                                      • stacksofplatesS
                                        stacksofplates @dave247
                                        last edited by

                                        @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                        I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                                        This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

                                        Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.

                                        I get them from DSS/DoD. Come sit through one of ours for some fun

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @dave247
                                          last edited by

                                          @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                          I should say that I'm not really judging you or your experience, etc. This whole audit thing is just bizarre to me.

                                          This is par for the course. Most security audits are scams. If your team knew security, you'd not need an audit. So by the nature of paying someone to do an audit, they pretty much assume that they can take advantage of the situation. All of the money is in that scam.

                                          Well I'm at a bank, and the banks are under the various banking cartel systems and so we have imposed on us the need for these audits and stuff.

                                          I worked for a bank and we didn't have that. We had internal auditors, and we'd kick them out for incompetence. They'd literally demand that we do things like shut down the connections to the NY Stock Exchange claiming it was an "unneeded link."

                                          dave247D 1 Reply Last reply Reply Quote 1
                                          • dave247D
                                            dave247 @coliver
                                            last edited by

                                            @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

                                            I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

                                            I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

                                            Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

                                            Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

                                            I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

                                            Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

                                            Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

                                            No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

                                            If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

                                            Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

                                            No. THat's the damned suggestion.

                                            Right... that's what we are saying. They are NOT suggesting that you secure your environment, they are suggesting that you use static IPs.

                                            You are trying to find things that are implied that are not there. There is no need to "read into this", it's very clear. They want you on static IPs, and for reasons that aren't about security (they even point out that it is not about security!)

                                            gouges own eyes out

                                            ok. Game over. gg. Static mapped it is.

                                            Which I'm arguing is the bad route to go. I mean, obviously, pick your battles, but damn bad network design is bad network design.

                                            Not the end of the world. A bunch of extra work for no reason, but whatever.

                                            shakes pepper into own eyes

                                            The chili powder is more effective.

                                            I need to leave something for after I deploy static addresses again.
