At 09:51 AM 10/30/02 +0100, Sanyarin wrote:
>>You can do better than this if you use a switch that allows head-end
>>restriction of what IP addresses (or MAC addresses; I'm a bit hazy on how
>>this works) can connect to each port, [...]
>I checked the manuals of the four VH-2402S switches we use and yes, I can
>restrict the use of a certain port to one or more specific MAC addresses.
>Internet access isn't restricted to certain users (since the costs are
>covered by generally raising the rent). The only use of authentication
>would be a reliable link between an IP address and a user.
>Would it be possible to create a ruleset that checks for MAC *and* IP
>addresses?
No. The term "ruleset" normally refers to ipchains or iptables rules, and
they operate at Layers 3 and 4 (IP addresses, ports, protocols), not Layer
2 (Ethernet, MAC addresses). Outside the firewalling code, you should be
able to write a small program that periodically checks the router's arp
cache and verifies that each IP address is associated with a valid (or a
particular; depends on how you assign IP addresses) MAC address, then
modifies the ipchains/iptables ruleset to allow only MAC-check-validated IP
addresses to use the router.
>Combined with by-port restriction of MAC addresses this should do
>the job. Perhaps a cron entry that checks by ARP if a specific IP is linked
>to the right MAC address would do in case the firewall ruleset can't? I
>could create a script that allows users to remotely update their
>MAC addresses, given that they have to (securely) login first, in order to
>keep them happy / my mailbox empty. :)
Yes, this is the direction I was suggesting, both before and above. It is
similar in spirit (though not in implementation details) to the Horatio
package someone else suggested, as well as to a similar sort of project I
worked on (but left unfinished when the financial support dried up) about
15 months ago.
>>And it [restricting MAC addresses] is far from perfect; you are
>>still vulnerable to MAC-address spoofing.
>This isn't quite clear to me - how? There's no point in changing my MAC
>address if my port is restricted to another one - or am I getting something
>wrong?
No, you are right (or almost right, anyway). My original observation had to
do with the need to supplement router-level controls with switch-level
controls, which you say above that you can implement. The only remaining
(small) hole I see is the possibility that someone will get unauthorized
access to a port, and this is a limited hole (the main risk is if a user
employs a Wi-Fi bridge or router at the dorm-room end, but I can't think of
ANY way to protect from that vulnerability at the router/switch end).
>>Every system on the LAN needs to be
>>protected somehow from other LAN systems.
>I agree, just like you wrote, that a 'head-end' solution for this would be
>quite out of scale for a dormitory. Internal protection will be everyone's
>own affair, although I plan to provide some tips and tutorials (e.g. where
>to find free firewalls and AV software or how to use them).
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
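The periodic ARP-cache check Ray describes above, as an added example that is not code from this thread or from the LEAF project: it parses the kernel's /proc/net/arp, compares each completed IP-to-MAC entry against a static binding table, and emits iptables commands that let only MAC-validated source IPs pass through a dedicated chain. The chain name DORM_CHECK, the binding table and the sample ARP rows are constructed for illustration.

```python
"""Cron-driven IP/MAC consistency check for a Linux router (added example)."""
import subprocess

# Constructed sample in the /proc/net/arp layout: header row, then one entry per line.
# Flags 0x2 (ATF_COM) marks a completed entry; 0x0 is an unresolved placeholder.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.0.1.10        0x1         0x2         00:11:22:33:44:55     *        eth1
10.0.1.11        0x1         0x2         00:11:22:33:44:66     *        eth1
10.0.1.12        0x1         0x0         00:00:00:00:00:00     *        eth1
10.0.1.13        0x1         0x2         de:ad:be:ef:00:01     *        eth1
"""

# Constructed binding table: the MAC registered for each assigned IP.
BINDINGS = {
    "10.0.1.10": "00:11:22:33:44:55",
    "10.0.1.11": "aa:bb:cc:dd:ee:ff",  # user replaced the NIC without re-registering
    "10.0.1.13": "de:ad:be:ef:00:01",
}

def parse_arp(text):
    """Return {ip: mac} for completed entries only; the header and incomplete rows are skipped."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:
            entries[ip] = mac
    return entries

def validated_ips(arp, bindings):
    """IPs whose currently observed MAC matches the registered binding."""
    return sorted(ip for ip, mac in arp.items() if bindings.get(ip, "").lower() == mac)

def mismatches(arp, bindings):
    """(ip, observed_mac, registered_mac) for entries that fail the check; worth logging."""
    return sorted((ip, mac, bindings.get(ip)) for ip, mac in arp.items()
                  if bindings.get(ip, "").lower() != mac)

def iptables_commands(ips, chain="DORM_CHECK"):
    """Rebuild the chain: flush, RETURN for validated sources, DROP everything else."""
    cmds = [["iptables", "-F", chain]]
    cmds += [["iptables", "-A", chain, "-s", ip, "-j", "RETURN"] for ip in ips]
    cmds.append(["iptables", "-A", chain, "-j", "DROP"])
    return cmds

if __name__ == "__main__":  # run from cron on the router itself
    with open("/proc/net/arp") as f:
        arp = parse_arp(f.read())
    for cmd in iptables_commands(validated_ips(arp, BINDINGS)):
        subprocess.run(cmd, check=True)
```

The FORWARD chain is assumed to jump to DORM_CHECK before any ACCEPT rule; the check only covers hosts the router currently has a completed ARP entry for, so a station that has not yet exchanged traffic with the router is dropped until the next run sees it.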
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html