On Tue, 2002-10-08 at 02:02, Linux Autrement wrote:
> On Mon, 2002-10-07 at 23:38, David Johnston wrote:
> > 1. Ideally, we could use IPSec to authenticate each *workstation* long
> > before we ask for names or passwords. However, each workstation starts
> > up without a key every time it starts (it either builds one, or gets it
> > from a central server somehow). I think this means that we cannot use
> > the IPSec keys to authenticate the workstation. How can we prove that
> > the workstation isn't an outsider trying to get into our network?
> >
> > 2. How can we prevent man-in-the-middle attacks? Is it possible without
> > workstation authentication?
>
> But surely we do have some form of workstation authentication, the DHCP
> server can be configured to respond only to known MACs, and do nothing
> for others.
Yes, refusing to give out IP addresses to unknown MAC addresses is a start. However, anyone capable of setting up LTSP could get around it if they cared to. Since MAC addresses are sent over the wire in the clear, they are public knowledge and aren't any good for authentication.

This isn't a problem on a closed, wired network like a school or an office. If someone cheats, you will catch them and can expel or fire them.

On a wireless network, however, it's a lot harder. A Pringles can will make a reasonably good directional antenna for 802.11b; put one above the ceiling tiles, and you can sit in a parking lot a half-mile away and fool everyone into thinking you're in the building.

Five years ago, the problem was workers setting up PC Anywhere and an unauthorized modem on a LAN PC, so they could dial in from home. Today, it's the cleaning crew who's been bribed into plugging a wireless access point into your network and hiding it somewhere it won't get noticed for a few days.

-David
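For reference, the "respond only to known MACs" configuration the thread refers to looks like this in ISC dhcpd syntax. This is an added example, not a configuration from the original thread or from the LTSP project; the subnet, address range, host names and hardware addresses are constructed placeholders. It limits which clients get a lease, which is the access-control step both posters describe, and the comments record the limitation David points out: the MAC is sent in the clear, so this is a filter, not authentication.

```conf
# Added example (not from the thread): ISC dhcpd.conf restricting leases to
# a list of known workstations.  Addresses below are constructed placeholders.

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;

    # Only hosts declared with a matching "hardware ethernet" line get a
    # lease; any other client's DHCPDISCOVER is ignored.
    deny unknown-clients;
}

# One declaration per known workstation.  A fixed-address is optional; without
# it the host simply draws from the range above.
host ws01 {
    hardware ethernet 00:00:00:00:00:01;   # placeholder MAC
    fixed-address 192.168.10.11;
}

host ws02 {
    hardware ethernet 00:00:00:00:00:02;   # placeholder MAC
    fixed-address 192.168.10.12;
}

# Caveat (from the reply above): the hardware address is visible on the wire,
# so this keeps accidental or casual clients off the segment but does not
# prove a machine's identity.  Treat it as hygiene, and rely on a credential
# (IPSec keys, user authentication) for anything that must be trusted.
```

The lease and syslog output of dhcpd records which hardware address was served which address, so on a wired network where every port maps to a known machine, a lease for a listed MAC showing up where that workstation is not plugged in is the kind of discrepancy worth investigating.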
