
Security Breach

Techie
Posts: 8

Hello - I have posed a question on this forum to better understand the filtering of subnets that appear within the DHCP tab, as well as the IPAM tab, and vice versa.....  I am being told that while creating subnets within the IPAM for a dedicated set of administrators, ([Server Administrators] for administration, tracking, and assigning of "fixed IP addresses" for the Data Center), that since they appear in the DHCP tab, that this is a breach of security.

These subnets DO NOT have a member of the Infoblox servers that are assigning IP addresses, nor is there a relay statement within the dedicated VLAN in which they exist, or under the Ethernet port of a router, if the server subnet happens to be remote.  I am trying to understand why I am being told this is a breach of security, as well as have it verified through this forum, that this does in fact deal with Security.....  Thank You - Mark

Re: Security Breach

Adviser
Posts: 138

@everlyms wrote:

... I am being told that while creating subnets within the IPAM for a dedicated set of administrators, ([Server Administrators] for administration, tracking, and assigning of "fixed IP addresses" for the Data Center), that since they appear in the DHCP tab, that this is a breach of security. 

Are these actual "fixed addresses" in the Infoblox meaning of the term? In Infoblox jargon a "fixed address" (sometimes referred to as a "DHCP fixed address") is an IP address that is permanently assigned via DHCP to a particular system (that is, the system is not getting a dynamic DHCP address from a DHCP scope/range). For example, you might specify that the system with MAC address 00:11:22:33:44:55 should always be assigned (using DHCP) the IP address 192.168.1.23. (This is essentially the same as what in Microsoft terms is known as a "reservation".)

 

If you really are doing this type of fixed addresses on the subnets in question, then DHCP is definitely involved: You have to have the subnet assigned to a DHCP server, and the router for the subnet has to have a DHCP relay address configured. You just wouldn't have to have a DHCP scope/range configured (since DHCP fixed addresses can exist outside a scope/range).

 

On the other hand, if your "fixed addresses" on those subnets are static IP addresses defined on the systems themselves (i.e., not assigned via DHCP) then there's no need to provide DHCP services on those subnets. The subnets will still show up in the DHCP tab as well as the IPAM tab (I believe that happens for all networks) but you wouldn't need to assign any DHCP servers to the subnets, and wouldn't need to configure DHCP relay addresses.

 

Note that you can check whether a given network is enabled for DHCP by going to the "DHCP" tab, then the "Networks" -> "Networks" subtab, selecting the network, editing it, and looking at the "Member Assignment" tab. If there are no grid members assigned to the network then the Infoblox DHCP servers will not respond to DHCP requests originating from that subnet.
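The member-assignment check described in the reply above can also be run in bulk over exported data. The following is an added example, not part of the original post and not Infoblox code: it assumes network and fixed-address records shaped like WAPI JSON (a `members` list on each network, `ipv4addr` and `mac` on each fixed address), and all sample records and the `audit_static_only` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data shaped like WAPI JSON (assumption: "network" objects
# carry a "members" list and "fixedaddress" objects carry "ipv4addr" and "mac").
NETWORKS = [
    {"network": "10.20.30.0/24", "members": []},
    {"network": "10.20.40.0/24",
     "members": [{"_struct": "dhcpmember", "name": "dhcp1.example.test"}]},
    {"network": "10.20.50.0/24", "members": []},
]
FIXED_ADDRESSES = [
    {"ipv4addr": "10.20.50.15", "mac": "00:11:22:33:44:56"},
    {"ipv4addr": "192.168.1.23", "mac": "00:11:22:33:44:55"},  # outside audit scope
]
# Subnets the server admins intend to use for static, IPAM-only tracking.
STATIC_ONLY = ["10.20.30.0/24", "10.20.40.0/24", "10.20.50.0/24"]


def audit_static_only(networks, fixed_addresses, static_only):
    """Return {cidr: [findings]} for subnets that should have no DHCP service."""
    by_cidr = {n["network"]: n for n in networks}
    report = {}
    for cidr in static_only:
        net = ipaddress.ip_network(cidr)
        findings = []
        record = by_cidr.get(cidr)
        if record is None:
            findings.append("not found in export")
        else:
            # An assigned grid member is what makes DHCP answer for this subnet.
            for member in record.get("members", []):
                findings.append(f"DHCP member assigned: {member.get('name', '?')}")
        # A DHCP fixed address (MAC -> IP) inside the subnet implies DHCP is
        # expected there, which contradicts a static-only designation.
        for fa in fixed_addresses:
            if ipaddress.ip_address(fa["ipv4addr"]) in net:
                findings.append(f"DHCP fixed address {fa['ipv4addr']} ({fa['mac']})")
        report[cidr] = findings
    return report


if __name__ == "__main__":
    result = audit_static_only(NETWORKS, FIXED_ADDRESSES, STATIC_ONLY)
    for cidr, findings in result.items():
        print(cidr, "OK" if not findings else "; ".join(findings))
```

An empty findings list for a subnet corresponds to what the reply describes: no grid member assigned, so the Infoblox DHCP servers will not respond to requests from that subnet.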

Re: Security Breach

Techie
Posts: 8

FHecker - Thank you - that is what I thought - as I have not assigned an Infoblox member to assign DHCP addressing. I understand that this is like an over-glorified spreadsheet, but at least all the subnets are contained in the same interface, and it makes it easier for the Server Admins to assign unused addresses from this interface, as they can ping an unused address from the Infoblox interface GUI..... - Mark
