Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)
-
@stacksofplates said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
We use ISE for NAC but I've heard good things about PacketFence.
That's what we use as well.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
But your boss is not making sure that you are on track, so you have a conflict here that I think you haven't addressed in your own mind which makes this harder for you. You have conflicting goals. Your boss is making IT decisions, so you aren't in charge of all of IT. He's in charge of at least some of it, and maybe someone above him is in charge of some.
Let's ask it in a way that doesn't allow for the murkiness.... if the cops showed up at your door due to a breach and found out that a fake audit had been done and the security had been covered up and that a breach had been enabled because something like NAC was skipped.... who would be the one they came looking for, you or your boss, or his boss?
Someone is legally responsible for the decisions on how secure to be. Knowing that will tell you if your goal is security, or making the boss happy.
-
I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.
I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."
Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.
Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.
-
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: Technical -
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalSo if you go by that, they are telling you that they want static, not controlled DHCP.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalIf you're checking the box you need to go 100% static on all devices.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.
I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."
Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.
Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.
I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalIf you're checking the box you need to go 100% static on all devices.
Exactly, otherwise they might not catch it, but it won't meet their stated requirement.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalIf you're checking the box you need to go 100% static on all devices.
rips hair out
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalIf you're checking the box you need to go 100% static on all devices.
FUUUUUUUUUUUUUUUUUUUUUUUUCK
Yep it's a nonsensical requirement that ignores the past 40 (or more years) of technological innovation.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.
I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."
Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.
Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.
I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh
Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.
Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.
-
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.
That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.
This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.
The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?
I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.
I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.
The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"
My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.
So the simple answer is to unplugged every not used.
What is the exact wording of the audit question?
I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:
Static IP Address Assignment
Manually assigning an IP address to a device which will not change automatically. This aids in networm management, but it also improves security by preventing devices introuced to the network from automatically being assigned an IP adddresses and other required network information.
Standards Mapping:
Control Type: (Project)
NIST Cybersecurity Framework: PR.AC-4
NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
Control Class: TechnicalIf you're checking the box you need to go 100% static on all devices.
rips hair out
That part is clear. They state it as plain as can be in the bit that you provided. The upside is this is simple, there is only one answer that meets the requirements of the audit.
-
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about. We need to look at hiring a different auditor as to better facilitate a modern network and network design."
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
-
So to go against the auditor would be to expose his boss, too.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
It matches exactly what his boss claims.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.
I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."
Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.
Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.
I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh
Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.
Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.
No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.
If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.
-
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
@coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
This might be one instance where you say "Nope, this is a stupid requirement and does nothing for us, obviously this auditor is stupid and has no idea what they're talking about."
Problem is, it matches what his boss claims, I think he said.
It matches exactly what his boss claims.
So back to my "it's all about politics" problem. Can't point out security problems because of politics.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
So to go against the auditor would be to expose his boss, too.
Which sounds like it needs to happen. Or bring in an outside consultant to say the same thing. This really needs to go over the heads of his direct supervisor to the shareholders or partners. This is just insane.
-
@scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):
So to go against the auditor would be to expose his boss, too.
Exactly