TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------



You can change a key in the registry to force NT to back up the DHCP
database at a set interval.  By doing this, it is relatively painless to
look back and see what workstation had what IP address on a certain date.

I have also seen in the past (I don't know if I would recommend this)
administrators using DHCP to easily configure their clients but then going
into DHCP Manager and reserving each IP address for each machine.  So
even though the IP was issued with DHCP, the IP will never change because
it is reserved for that particular workstation.

You could also mess with your lease settings and increase the interval to a
long enough period to facilitate auditing.





Mark Seiden <[EMAIL PROTECTED]> on 01/14/2000 10:36:35 AM

To:   "Bridge, Jim" <[EMAIL PROTECTED]>
cc:   "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>,
      "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> (bcc: Steve
      Manzuik/CanWest/IBM)
Subject:  Re: DHCP and Internet Scanner


this is a general problem with any sort of ip-address-based logging.

if the tool looks up the inverse address in dns at the time of logging
(or while the lease is still in effect), and dns is dynamically
updated by the dhcp server to assign a hostname reflective of user
identity, you don't have a problem.

keep in mind that the ip address is the only thing you *know*.
while unlikely, it is possible that the hostname returned by an
in-addr lookup will change or be manipulated (due to an attack on
a name server) during the brief interval after an event is detected.

a related question is "why use dhcp?".

if you're using it for ease of client configuration (plug and play,
able to make changes at the server end), great.

if you have a random number of uncontrolled mobile machines that need
access on demand, you have a problem.

if you're using dns because you have an *actual* shortage of ip
addresses, and you want them dynamically and frequently reassigned,
you're basically screwed.

the usual recommendations i make in this general respect are:

- use long lease times.

- use a dhcp server that can update dns dynamically with some user
or machine identity information

- keep the dhcp assignment logs so if there's a problem you can
connect the assigned IP address with the nic address that requested it.

- preassign leased addresses to specific nics if you can and are paranoid
enough to need to (which implies a tradeoff with plug and play).

as seems usual, many of these things are hard to do with microsoft
vanilla solutions, and easy to do with the open source supersets.





On Fri, Jan 14, 2000 at 09:52:20AM -0500, Bridge, Jim wrote:
>
> I'll try to rephrase my concerns....If DHCP "scrambles" IP addresses--and
> forgive my amateur status in this area--how can you remediate what IS finds?
> The desktops have new IPs tomorrow. Do you need a MetaIP type solution in
> this case?
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 14, 2000 9:10 AM
> To: [EMAIL PROTECTED]
> Subject: RE: DHCP and Internet Scanner
>
>
> Would you reword your concerns about Internet Scanner and DHCP.  I believe I
> may have similar concerns.
>
> Thanks,
> Arlan Goins
> Audit Manager
> Air Force Audit Agency
>

--
mark seiden, [EMAIL PROTECTED], 1-(650) 592 8559 (voice) Pacific Time Zone
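Both the first reply (keep periodic copies of the DHCP database so you can look back at who had which address on a given date) and Mark Seiden's recommendation to keep the DHCP assignment logs come down to the same job: given a scanner finding stamped with an IP address and a time, walk the lease history and recover the NIC (MAC) address that actually held that lease. The script below is an added example written for this page, not code from the thread, from ISS, or from any DHCP server. It assumes a hypothetical comma-separated export of the server's lease events (ASSIGN / RENEW / RELEASE) and a 24-hour lease length; the log lines and scanner findings are constructed sample data, and the finding IDs are placeholders, not real vulnerabilities. It also handles the two cases the thread worries about: an address reassigned to a different NIC without a release, and a finding that falls after the lease expired, which is reported as unresolved rather than guessed.

```python
"""Map IP-addressed scanner findings back to the NIC that held the lease.

Added example, not from the original mailing-list thread.  The log format
(event,timestamp,ip,mac) and the fixed lease length are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed lease length handed out by the server (the "long lease" case).
LEASE_SECONDS = 24 * 3600

# Constructed DHCP assignment log (sample data, not a real capture).
DHCP_LOG = """\
ASSIGN,2000-01-13 08:02:11,10.0.5.23,00:10:4b:aa:bb:01
ASSIGN,2000-01-13 08:05:40,10.0.5.24,00:10:4b:aa:bb:02
RELEASE,2000-01-13 17:30:02,10.0.5.23,00:10:4b:aa:bb:01
ASSIGN,2000-01-14 07:58:19,10.0.5.23,00:10:4b:aa:bb:07
ASSIGN,2000-01-14 08:01:00,10.0.5.25,00:10:4b:aa:bb:03
RENEW,2000-01-14 09:30:00,10.0.5.25,00:10:4b:aa:bb:03
"""

# Constructed scanner output: timestamp,ip,finding-id (placeholder IDs).
SCAN_FINDINGS = """\
2000-01-14 10:36:00,10.0.5.23,F-1
2000-01-14 10:36:00,10.0.5.24,F-2
2000-01-14 10:40:00,10.0.5.25,F-3
2000-01-13 12:00:00,10.0.5.23,F-4
"""


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime  # expiry, release, or reassignment, whichever comes first


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_leases(log: str) -> List[Lease]:
    """Turn the event stream into closed [start, end) intervals per IP."""
    leases: List[Lease] = []
    open_by_ip: Dict[str, Lease] = {}
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        event, ts, ip, mac = [f.strip() for f in line.split(",")]
        when = parse_ts(ts)
        cur = open_by_ip.get(ip)
        if event == "ASSIGN":
            # The server gave the address to a (possibly different) NIC, so
            # any still-open interval for this IP ends here at the latest.
            if cur is not None:
                cur.end = min(cur.end, when)
            lease = Lease(ip, mac, when, when + timedelta(seconds=LEASE_SECONDS))
            leases.append(lease)
            open_by_ip[ip] = lease
        elif event == "RENEW":
            # Only the current holder can extend a lease that has not lapsed.
            if cur is not None and cur.mac == mac and cur.end >= when:
                cur.end = when + timedelta(seconds=LEASE_SECONDS)
        elif event == "RELEASE":
            if cur is not None and cur.mac == mac:
                cur.end = min(cur.end, when)
                del open_by_ip[ip]
        else:
            raise ValueError(f"unknown DHCP event {event!r}")
    return leases


def mac_for(leases: List[Lease], ip: str, at: datetime) -> Optional[str]:
    """MAC that held `ip` at time `at`, or None if no lease covers it."""
    hits = [l.mac for l in leases if l.ip == ip and l.start <= at < l.end]
    if len(hits) > 1:  # should not happen; flag a corrupt or merged log
        raise ValueError(f"overlapping leases for {ip} at {at}: {hits}")
    return hits[0] if hits else None


def correlate(scan: str, log: str) -> Dict[str, Optional[str]]:
    """finding-id -> MAC (or None when the IP cannot be attributed)."""
    leases = build_leases(log)
    result: Dict[str, Optional[str]] = {}
    for line in scan.splitlines():
        if not line.strip():
            continue
        ts, ip, fid = [f.strip() for f in line.split(",")]
        result[fid] = mac_for(leases, ip, parse_ts(ts))
    return result


if __name__ == "__main__":
    for fid, mac in correlate(SCAN_FINDINGS, DHCP_LOG).items():
        print(fid, mac if mac else "UNRESOLVED (no lease covered this IP at scan time)")
```

F-2 comes back unresolved on purpose: 10.0.5.24 was assigned on the 13th and never renewed, so by the time of the scan on the 14th the 24-hour lease had lapsed and the log cannot say who answered on that address. That is exactly the "desktops have new IPs tomorrow" problem in Jim Bridge's question, and it is why the thread's advice is to lengthen leases, reserve addresses for known NICs, or have the server put an identity into DNS at assignment time rather than trying to reconstruct it afterwards.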