Date:      Tue, 20 Apr 1999 14:28:38 -0600
From:      Wes Peters <wes@softweyr.com>
To:        David Gilbert <dgilbert@velocet.ca>
Cc:        cjclark@home.com, Harry_M_Leitzell@cmu.edu, fred@fredbox.com, security@FreeBSD.ORG
Subject:   Re: DHCP (was Re: poink attack (was Re: ARP problem in Windows9X/NT))
Message-ID:  <371CE376.FDED01D5@softweyr.com>
References:  <14108.38235.254919.924353@trooper.velocet.ca> <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com> <14108.40776.605720.29036@trooper.velocet.ca>

David Gilbert wrote:
> 
> >>>>> "Crist" == Crist J Clark <cjc@cc942873-a.ewndsr1.nj.home.com> writes:
> 
> Crist> OK, I'll bite.
> 
> Crist> What happens when someone who is not supposed to connects to a
> Crist> DHCP served network? (Besides that they are connected to the
> Crist> network and are not supposed to be.)  -- Crist J. Clark
> Crist> cjclark@home.com
> 
> It just lowers the bar.  To attach oneself usefully to a foreign IP
> network requires some experimentation and/or packet sniffing.  On a
> DHCP network, it's just plug and pray.  I suppose it's the difference
> between running Linux which every script kiddie plays with vs. running
> FreeBSD (little harder) or HpUX (reasonably obscure).
> 
> I'm certainly not one to believe in security by obscurity --- not at
> least against a knowledgeable attacker.  However, there is a
> correlation between the number of break-ins on hosts we (Velocet)
> monitor and that host's representative population.
> 
> DG/UX is likely holey as Swiss cheese, but rootshell doesn't have a
> 'sploit for it.
> 
> Back to the original issue:  Joe _average_ salesman is sitting in the
> boardroom... which has a network jack.  He's left alone for 30 minutes
> for one reason or another.  He plugs in.  Without _any_ knowledge,
> he's up and running.  Of course, if Joe were a hacker worth his salt,
> this wouldn't be a barrier --- but the likelihood of Joe being a
> hacker is small.
> 
> I think there's a definite range of security issues --- and I think
> it's ridiculous for most companies to take the standard 'stance' that
> they must protect themselves against all perils

As Rob Clyde used to point out, if the security measures put in place
cost more than the potential loss, you've absolutely lost money.  All
"reasonable" security is to implement the most effective, least 
expensive security measures and then keep going until your systems
(and networks) are "secure enough."

-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

