
Infrastructure Security: System Hardening • Chapter 8  509

allows administrators to set the node address, mask, and gateway information, and to distribute the load for other network services by creation of appropriate scopes (address pools).

Additional security concerns arise with DHCP. Among these, it is important to control the creation of extra DHCP servers and their connections to the network. A rogue DHCP server can deliver addresses to clients, defeating the settings and control efforts for client connection. In most systems, administrators are required to monitor network traffic consistently to track these possible additions and prevent a breach of the system. Some OS and NOS manufacturers have implemented controls in their access and authentication systems to require a higher level of authority for authorizing DHCP server operation. In the case of Windows, a Windows DHCP server that belongs to an Active Directory domain will not service client requests if it has not been authorized to run in Active Directory. However, a stand-alone Windows DHCP server can still function as a rogue. Someone could also still introduce a rogue server running a different OS and NOS, or a stand-alone server that does not belong to the domain. Administrators should also restrict access to remote administration tools, to limit the number of individuals who can modify the settings on the DHCP server.
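The traffic monitoring described above can be partly automated. The following is an added example, not code from the book: it parses the UDP payload of a DHCP message and reports server-originated replies whose server identifier (option 54) is not on an allowlist. The allowlist addresses and the sample packets are constructed, and capturing the UDP port 67/68 traffic is assumed to happen elsewhere.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"    # RFC 2131 marker that precedes the options field
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54  # RFC 2132 option codes
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only a server sends


def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} from a BOOTP/DHCP payload (UDP data only)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts


def check_server(payload: bytes, authorized: set):
    """Return (msg_type, server_ip) for a reply from an unlisted server, else None."""
    opts = parse_options(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"")
    if len(mtype) != 1 or mtype[0] not in SERVER_MSG_TYPES:
        return None                # client message (DISCOVER, REQUEST, ...) or no type
    sid = opts.get(OPT_SERVER_ID, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
    return None if server in authorized else (SERVER_MSG_TYPES[mtype[0]], server)


def build_reply(msg_type: int, server_ip: str) -> bytes:
    """Constructed sample: minimal BOOTREPLY carrying only options 53 and 54."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)  # op=2 (reply), rest zeroed
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + options
```

A reply reported by `check_server` identifies a DHCP server that is answering clients without being on the list of sanctioned servers, which covers both the stand-alone Windows case and a server running a different OS.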

                 Data Repositories

Data repositories include many types of storage systems that are interlinked in systems for maintenance and protection of data. It is important to discuss the need for protection and hardening of the various types of storage that are maintained. This includes different storage media combinations, methods of connection to the information, consideration of the access implications and configurations, and maintenance of the integrity of the data. When considering tightening and securing the data repository area, file services such as those detailed earlier in the file and print arena and also the Network Attached Storage (NAS) and Storage Area Network (SAN) requirements must be considered.

NAS and SAN configurations may present special challenges to hardening. For example, some NAS configurations used in a local area network (LAN) environment may have different file system access protections in place that will not interoperate with the host network’s OS and NOS. In this case, a server OS is not responsible for the permissions assigned to the data access, which may make configuration of access or integration of the access rules more complex. SAN configuration allows for intercommunication between the devices that are being used for the SAN, and thus freedom from much of the normal network traffic in the LAN, pro-




                                                                              www.syngress.com