DHCP or fixed IPs for servers ????

Craig White craigwhite at azapple.com
Tue Sep 20 05:45:51 UTC 2011


On Tue, 2011-09-20 at 03:49 +0200, Stefan Held wrote:
> On Monday, 19.09.2011, 18:11 -0700, Craig White wrote:
> > I'm sitting here and laughing at the stupidity of this suggestion. 
> 
> Well, erm. Sure.
> 
> > Considering that one of the primary elements of security is IP
> > Addresses, you are leaving the determination of this security to the
> > whim of some moron who plugs in a wireless router or worse yet, someone
> > with intent to assume control over your network and made it as simple as
> > setting up a DHCP server - something you can easily do on a Windows
> > workstation.
> 
> In case you need it, I can provide you with a script that scans for DHCP
> servers whose MAC addresses are not known and deactivates the switch port
> on which the MAC address of this device is found. ....
> 
> Should I continue? Please don't tell me this is idiotic, I know what can
> happen and what to do if this happens.
> 
> You can set up a DHCP server on a Windows workstation? What version
> would that be? ;)
----
I probably should have just kept my mouth shut and would have except
that you are actually advancing your theories on network design on
others who are not knowledgeable.

If you feel that adding a layer of shell script parsing and then
manipulating a managed switch somehow secures a network schema that is
insecure at its foundation is a reasonable implementation then we
obviously disagree on the most basic level and any further discussion is
rather pointless.
----
> 
> > If you actually have enough servers that it becomes a chore to maintain
> > their network configuration because you are incapable of any reasonable
> > long term planning of private IP LAN space where there is hardly any
> > limitations, you should be using puppet or chef or cfengine or something
> > that is capable of doing configuration management for a wide range of
> > networked systems.
> > 
> 
> Sure, company gets bought, you have to migrate your network into a wider
> range of other networks because of VPN routings. You have never been in
> such a situation?
> 
> Now please tell me how to plan this?
----
I think what we are talking about takes 30 seconds with vi/emacs (edit
the network interface). Maybe you will do this once in the lifetime of a
server. If there are enough servers to suggest that this is beyond a
simple task, you should be using a comprehensive configuration
management system such as puppet. Your entire premise is absurd at its
core.

Craig
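Stefan's quoted reply describes a script that watches for DHCP servers whose MAC addresses are not on a known list. The block below is an added example of that detection step, not code from either poster: it parses the options of a captured BOOTP/DHCP payload, keeps only server-originated OFFER/ACK messages (UDP source port 67), and flags any whose source MAC is not on the allowlist. The allowlist MACs, the sample frames and all function names are constructed for the example; the follow-up action Stefan mentions (disabling the switch port) is vendor-specific and not shown.

```python
"""Flag DHCP OFFER/ACK messages that come from a MAC address not on the
list of sanctioned DHCP servers (rogue DHCP server detection).

Constructed example: allowlist, frames and helper names are assumptions."""
import struct
from dataclasses import dataclass

# Hypothetical allowlist: MACs of the sanctioned DHCP servers (constructed values).
KNOWN_DHCP_SERVER_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK"}  # message types only a server sends


def parse_dhcp_options(payload):
    """Return {option_code: value_bytes} for a BOOTP/DHCP payload, or None if it
    is not DHCP. Stops cleanly on truncated options instead of raising."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                              # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                              # truncated option value
        opts[code] = value
        i += 2 + length
    return opts


@dataclass
class Finding:
    src_mac: str      # Ethernet source address of the offending frame
    msg_type: str     # "OFFER" or "ACK"
    server_id: str    # option 54 (server identifier) as dotted quad, or "?"


def classify_frame(src_mac, udp_src_port, payload):
    """Return a Finding if the frame is a DHCP server message from an unknown
    MAC, otherwise None (client messages and known servers are ignored)."""
    if udp_src_port != 67:
        return None                            # server->client traffic comes from port 67
    opts = parse_dhcp_options(payload)
    if not opts or OPT_MSG_TYPE not in opts:
        return None
    mtype = opts[OPT_MSG_TYPE][0]
    if mtype not in SERVER_MSG_TYPES:
        return None
    if src_mac.lower() in KNOWN_DHCP_SERVER_MACS:
        return None
    sid = opts.get(OPT_SERVER_ID, b"")
    server_id = ".".join(str(b) for b in sid) if len(sid) == 4 else "?"
    return Finding(src_mac.lower(), SERVER_MSG_TYPES[mtype], server_id)


def scan(frames):
    """frames: iterable of (src_mac, udp_src_port, payload). Returns all Findings."""
    return [f for f in (classify_frame(*fr) for fr in frames) if f is not None]


def build_dhcp_payload(msg_type, server_ip):
    """Construct a minimal BOOTP/DHCP payload as a test fixture (op=2 reply,
    Ethernet hardware type, fixed xid, broadcast flag, empty address fields)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326,
                         0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
            + bytes(int(x) for x in server_ip.split("."))
            + bytes([OPT_END]))
    return header + DHCP_MAGIC + opts


# Constructed sample frames: (source MAC, UDP source port, DHCP payload).
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 67, build_dhcp_payload(2, "10.0.0.1")),     # sanctioned server OFFER
    ("aa:bb:cc:dd:ee:ff", 67, build_dhcp_payload(2, "192.168.1.1")),  # OFFER from an unknown device
    ("de:ad:be:ef:00:01", 68, build_dhcp_payload(1, "0.0.0.0")),      # client DISCOVER, ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FRAMES):
        print(f"unknown DHCP server: mac={finding.src_mac} "
              f"type={finding.msg_type} server-id={finding.server_id}")
```

Run against the constructed frames, only the second one is reported. In a real deployment the frames would come from a capture on the segment being watched, and the MAC-to-port lookup and port shutdown would be done against the switch; both of those depend on the switch vendor.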

