DHCP versus Static IP
The company I work for is planning on disabling the DHCP server and issue static IP addresses to all devices. We have over 100 computers and wireless access points for laptops. Has anyone ever heard of this approach to increase security?
Software/Hardware used:
Software/Hardware used:
ASKED:
October 17, 2009 4:18 PM
UPDATED:
October 26, 2009 7:56 PM
Answer Wiki:
People try this from time to time, but the management nightmare that this creates quickly gets people back to using DHCP. If you don't want your DHCP server issueing IPs to computers that it shouldn't setup a reservation for each computer. This way you can still use DHCP to manage everything, and when new computers are added to the network you simply adjust the scope, and setup a reservation.
To see all answers submitted to the Answer Wiki: View Answer History.
Yeah I agree with Mrdenny, DHCP is the best way to manage the IP address assignement, if you are using Static IP address then you have to document them so that no duplication occurs. As far as Management devices such as Servers, Switches , routers and access points are concerned static IPs are recommended.
I can’t think of much value this would add from a security perspective. If anything it’ll just create more work on the network administration side and end up increasing business risks.
Agreed with all responses to date.
If by “security”, management wants to know which IP is causing certain traffic (and by extension, which workstation), then reserved addresses in dhcp works well. Yes, it’s possible for the user to change their MAC to attempt to obtain a different IP, but if the user has that much access to their workstation, then I think the network is the wrong place to be looking to improve security…
Static addresses isn’t the best way to do it; there is too much administrative overhead and little added security. Look into Network Access Control (NAC), Switchport security on the switch, or MAC Access-lists on the switch.
Mrdenny,
1. A wireless device that gets within range of your wireless network equipment may be able to acquire an IP address from your router. this is for more security purpose.
2. For small networks like a home network, you can add some extra protection by turning off the DHCP, or automatic IP addressing, feature of the router and manually assigning static IP addresses.
At the end the above is for more security purpose.
If you have wireless networks, those network should be secured using a key through WPA or WEP key so that if random people walk up to your WiFi network with a laptop they can’t connect to the network, and therefor can’t get an IP address.
If a corporate environment you can deploy the keys and SSID to the computer via GPO so that all company laptops can connect to the wireless without having to give the users the key.
I so much agree with mrdenny, the basic fact remains that DHCP is the one and only way to create less work for the network admin and as well secure your network if you know the right things to do with your GPO on the server.
Static IP will only create more trouble. . . .STAY OFF IT if you can.. . . and i know you can. . .