[clug] Pop quiz.. (DHCP and servers).

Daniel Pittman daniel at rimspace.net
Wed Jan 14 02:32:11 GMT 2009


Alex Satrapa <grail at goldweb.com.au> writes:
> On 13/01/2009, at 21:38 , Andrew Janke wrote:
>
>> Should you or shouldn't you let your servers/desktops get their IP
>> address via DHCP?
>
> DHCP allows machines to gain an IP address that shouldn't be on the
> network.

No, it doesn't.  The common configuration[1] might allow that, but it is
perfectly possible to use DHCP assignment only to known, authorized
machines.

(Not to mention that you gain *zero* real security by not running DHCP,
 since an attacker can either clone an existing IP, use NAT, or just
 guess a valid address on the network.)

> If your DHCP configuration is a bunch of MAC addresses mapped to IP
> addresses, with no dynamic allocation range, then you're actually
> doing centrally controlled IP address allocation anyway, may as well
> cut out the DHCP server and just lock down the configuration.

You are, but...

> But that's just me being a control freak.

...the but here is that using DHCP to allocate static details out to the
end machines allows you to control a whole lot of stuff centrally: the
address, network mask, router, DNS server, as well as various other
services such as NTP.

It allows just as much fixed configuration, but with central
management.  That actually makes it easier to control your network.

(If you already have a central management solution like Puppet, things
 are different, of course. :)


> The main issue for me is that in a work environment, I may be in the
> situation of having to provide evidence in court that certain
> activities took place from a certain workstation at a specific time.

...so, you use 802.1x authentication at the switch level to ensure that
only authorized communication is taking place, as well as monitoring for
anomalies such as multiple OS TCP stacks behind a single MAC in order to
avoid dubious stuff happening, right?

Regards,
        Daniel

Footnotes: 
[1]  I would say default, but by default most DHCP servers refuse to do
     anything these days.
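As an added illustration of the setup discussed in this thread (not from the original message or any poster), here is a constructed ISC dhcpd.conf in which the only addresses handed out are fixed MAC-to-IP mappings, there is no dynamic range, and the router, mask, DNS and NTP details are still pushed centrally; the weak "common configuration" is shown alongside for contrast. Addresses are from the IANA documentation ranges and the hostnames and MACs are made up. Note that this is administrative control, not authentication: a cloned MAC still gets the mapped lease, which is why the thread points at 802.1x at the switch for the evidence question.

```conf
# /etc/dhcp/dhcpd.conf  (constructed example, not from the thread)
authoritative;
default-lease-time 86400;
max-lease-time     86400;

# Settings that every machine below receives centrally; change them
# here once instead of on each box.
option domain-name-servers 192.0.2.53;
option ntp-servers         192.0.2.123;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers     192.0.2.1;
    option subnet-mask 255.255.255.0;

    # --- The "common configuration" the thread objects to ---
    # A dynamic pool: any client that asks gets an address.
    # Commented out here because it is the weak setting.
    # range 192.0.2.100 192.0.2.200;

    # --- Fixed-assignment-only setting ---
    # No "range" statement, so nothing is allocated dynamically, and
    # clients without a matching host block are refused outright.
    deny unknown-clients;
}

# One host block per known machine: the MAC is mapped to a fixed IP,
# so the address plan stays centrally managed while remaining static.
host webserver {
    hardware ethernet 00:00:5e:00:53:01;   # constructed MAC
    fixed-address 192.0.2.10;
}

host desktop-alex {
    hardware ethernet 00:00:5e:00:53:02;   # constructed MAC
    fixed-address 192.0.2.20;
    # Per-host overrides are possible too, e.g. a different NTP server:
    option ntp-servers 192.0.2.124;
}
```

After editing, `dhcpd -t -cf /etc/dhcp/dhcpd.conf` checks the syntax before restarting the daemon.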


