Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

JaredBusch

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

coliver

I'm surprised that @scottalanmiller hasn't posted his LAN-Less video yet.

dave247

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

dave247

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

coliver

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

Wow... I know financial audits are crazy but that's the first time I've heard of that.

Look into a NAC solution. I've heard good things about PacketFence but Microsoft also has one. You'll need to ensure your switches support 802.1x for most of these solutions.

JaredBusch

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

coliver

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Disabling wall jacks is helpful. But what do you do when someone plugs into a live one. Or unplugs a live one to plug in their device.

When you start down this route, these are the issues you will encounter.

NAC sounds like what you actually want.

Disable DHCP totally get a NAC solution.

A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

It does yes. It's not bad and will, probably, do what you want. But it leaves a lot to be desired with reporting and actual usage can be a pain in the ass.

DustinB3403

BMW also had this kind of audit requirement and we simply took the point, and when it came to discussing it we sai the very same thing as @JaredBusch said.

And the point was removed because the "Audit" fails the "Logic Test".

dave247

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

As in, on the switches or what? Sorry, please elaborate.

Yes, on the network itself so that the end points may or may not get an IP address, but are then tested to see if they are allowed on the network (using one of several NAC protocols) and if they are allowed on, then they are allowed access and if not, the switch or some other mechanism on the network cuts them off.

DustinB3403

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

You don't need to address ignorance. Simply explain that enabling MAC filtering or disabling DHCP handouts isn't going to protect your network any more than simply unplugging unused jacks.

At least with unused jacks being unplugged, someone would actively have to fumble around a computer or under/behind a desk or computer to unplug that system and plug in theirs.

Trust me, the point will be ignored when you explain it to the Auditors this way.

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

THat's a scam auditor. Who would care about something so silly?

You have three issues...

• Having a fake audit.
• Passing the audit.
• Security.

I get not handing out an IP to satisfy the checkbox on the fake audit. But I'd run up the flagpole the issue that your auditor doesn't even begin to know what he is doing. Why pay for an audit that doesn't look at security?

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

If security was teh goal, NAC is what is needed.

There a ton of decent NAC product. Even Microsoft's own will do what you want. https://packetfence.org/

But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and stll figure out what the IP scheme is on your network. This is trivial stuff.

Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

So you have to ask yourself.... is security in any way an actual goal? Sounds like a solid "no". At some point you have to decide if you are trying to fix the network and provide security, or if you are trying to do what your boss wants and your "goal" is defined as "faking it for political reasons." At which point, I'd say that your "turning off unused ports" is the best way to go.

scottalanmiller

This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

dave247

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

scottalanmiller

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

"Was" makes sense, but sounds like someone decided that other things are more important. Things that appear to be directly covering up the change of priority. Which is why I wonder at what level that cover up happened. I've seen many an "IT Manager" do things like this to hide from the owners that they didn't know how to do what was needed, but did know how to make it appear reasonable that they were taking action of some sort.

dave247

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

DustinB3403

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

So the simple answer is to unplugged every not used.

What is the exact wording of the audit question?

stacksofplates

We use ISE for NAC but I've heard good things about PacketFence.