Great Circle Associates Firewalls
(March 1994)

Subject: Re: DHCP and certain firewall configs
From: johns @ oxygen . house . gov (John Schnizlein)
Date: Tue, 1 Mar 1994 13:28:33 -0500
To: firewalls @ GreatCircle . COM
Cc: reh @ cs . UMD . EDU

reh @ cs . UMD . EDU (Richard Huddleston) writes:
	"WINS (Windows Internet Naming Service) track IP addresses and the system
	names to which they are assigned.  WINS works with the [IETF]'s Dynamic
	Host Configuration Protocol, which uncouples IP addresses from physical
	                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
	node addresses and reassigns them as nodes go off-line or users move to
	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
	different systems."
	^^^^^^^^^^^^^^^^^ 
	
	Since this is news to me, I'm still reading the DHCP RFCs ( rfc13{4,5}1 )
	-- but, at first pass, it seems as though this can play havoc with certain
	weaknesses in IP if a hostile insider wants to mess around.  I can also
	imagine certain firewall configurations that might break if IP addresses
	become even more meaningless than they already are ( e.g., proxies and 
	wrappers ). 
Managing IP address spaces is a serious challenge. These tools attempt to make
it easier. If an insider wants to mess around, you either need oppressive
controls, or you are at risk. Most organizations deal with this by monitoring
(however thoroughly) and punishing those who misbehave. Most firewalls protect
against people over whom an organization does not have behavioral control.

IP addresses have only had limited meaning from day 1. I don't think this is
a change. I wish protocols like ARP were designed to make spoofing IP addresses
more difficult, for many more reasons than dynamic address assignments.
The tradeoff between convenience of moving and installing computers and
the control for security is very obvious here.

	Securing multi-protocol WANs built on dynamically-addressed protocols 
	( e.g., Vines; Appletalk ) is one of the most difficult security problems  
	I personally see.  The relative stability of IP addresses has been a factor
	in my occasional use of IP-encapsulation as a firewalling tool, even if
	the router directly supports the protocol in question.
I think you have only an illusion of greater safety by tunneling proprietary
protocols instead of managing them explicitly (at least you can see their
routes in the router).

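The monitoring the reply points to, as an added example that is not part of the original thread: a check that compares observed IP-to-MAC bindings (for instance from a firewall host's ARP cache) with the DHCP server's lease records, flagging an address whenever the node using it is not its current leaseholder. The lease events, observations, addresses and timestamps are all constructed for the example.

```python
"""Check observed IP<->MAC bindings against a DHCP lease table.

Constructed example: lease records and ARP-cache observations are embedded
inline; an observation is flagged when the IP is in use by a MAC other than
the MAC holding the lease at that moment (or when no lease is active at all).
"""

# Constructed DHCP lease events: (timestamp, ip, mac, action)
LEASES = [
    ("1994-03-01T09:00:00", "10.0.0.5", "00:00:0c:aa:bb:01", "assign"),
    ("1994-03-01T11:30:00", "10.0.0.5", "00:00:0c:aa:bb:01", "release"),
    ("1994-03-01T11:45:00", "10.0.0.5", "00:00:0c:aa:bb:02", "assign"),
]

# Constructed ARP-cache observations from a firewall host: (timestamp, ip, mac)
ARP_SEEN = [
    ("1994-03-01T10:00:00", "10.0.0.5", "00:00:0c:aa:bb:01"),  # matches the lease
    ("1994-03-01T11:00:00", "10.0.0.5", "00:00:0c:ff:ff:ff"),  # not the leaseholder
    ("1994-03-01T12:00:00", "10.0.0.5", "00:00:0c:aa:bb:02"),  # new lease, fine
    ("1994-03-01T11:40:00", "10.0.0.5", "00:00:0c:aa:bb:01"),  # old holder after release
]


def leaseholder_at(leases, ip, ts):
    """Return the MAC that held `ip` at time `ts`, or None if it was unleased."""
    holder = None
    # ISO-8601 timestamps sort and compare correctly as plain strings.
    for when, lease_ip, mac, action in sorted(leases):
        if lease_ip != ip or when > ts:
            continue
        holder = mac if action == "assign" else None
    return holder


def find_mismatches(leases, observations):
    """Return (ts, ip, mac, expected_holder) for every observation where the MAC
    using the IP is not the DHCP leaseholder. A hit with expected_holder None
    means the address was in use although the server had no active lease."""
    flagged = []
    for ts, ip, mac in observations:
        holder = leaseholder_at(leases, ip, ts)
        if holder != mac:
            flagged.append((ts, ip, mac, holder))
    return flagged


if __name__ == "__main__":
    for ts, ip, mac, holder in find_mismatches(LEASES, ARP_SEEN):
        print(f"{ts} {ip} used by {mac}; lease table says {holder or 'unleased'}")
```

A mismatch proves only that the IP-to-node binding the firewall relied on no longer holds; deciding whether that is a roaming user or a spoofed address is the follow-up the reply describes as monitoring.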