Another way would be to force the DHCP server to give IP addresses matched to
a particular 48-bit Ethernet address. This is a section from my dhcpd.conf:

host thinkpad {
  hardware ethernet 00:52:04:93:ce:42;
  fixed-address thinkpad.mycompany.com.ph;
}

Now the name thinkpad.mycompany.com.ph has an entry in my /etc/hosts file.

192.168.10.34   thinkpad.mycompany.com.ph

And my ipchains ruleset allows 192.168.10.34 through the firewall
(sorry, I don't have a proxy). The above setup works best if all PCs
use DHCP.

The problem is still that some user could just force their computer to
become 192.168.10.34 and access the internet.  Some suggestions:

1. Keep the valid-for-Internet IP addresses a secret. If you have time,
   write a script that on a regular basis changes /etc/hosts, dhcpd.conf
   and the ipchains rules to give different IP numbers to valid Internet users.

2. Get an HP ProCurve switch and replace your current switch.
   Create virtual LANs that segment those
   computers not using the Internet from those that need to access the
   Internet. You can even assign different IP address ranges to the
   virtual LANs with no need to actually add new hubs or wiring. But
   you may need to add additional NICs on your servers to service the
   different virtual LANs (remember, this is a switch that has routing
   capability).

Ambo

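The setup above keeps three files in step by hand (the dhcpd.conf host block, the /etc/hosts line and the ipchains rule), and suggestion 1 asks for a script that regenerates them. The following is an added example, not code from Ambo's post or the PLUG thread: one MAC/IP/hostname table drives all three outputs, and a fourth function compares that table against `arp -an` output so an allowed address that is suddenly answered by a different MAC (the "user forces their computer to become 192.168.10.34" case) gets reported. The reservation table, the `desk01` host, the domain and the ARP lines are constructed for the example; only the `thinkpad` entry comes from the post.

```sh
#!/bin/sh
# Added example, not code from the original post. One MAC -> IP -> hostname
# table produces the dhcpd.conf host blocks, the /etc/hosts lines and the
# ipchains rules, and check_arp compares the table with the live ARP cache.
# Table contents (except the thinkpad line), domain and ARP sample are
# constructed for this example.

DOMAIN=mycompany.com.ph

# Constructed reservation table: "hostname mac ip", one entry per line.
# MACs are kept lower-case here; check_arp lower-cases what it reads from arp.
RESERVATIONS='thinkpad 00:52:04:93:ce:42 192.168.10.34
desk01 00:a0:c9:12:34:56 192.168.10.35'

# ISC dhcpd host declarations, same form as the snippet in the post.
gen_dhcpd() {
    printf '%s\n' "$RESERVATIONS" | while read -r host mac ip; do
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s.%s;\n}\n' \
            "$host" "$mac" "$host" "$DOMAIN"
    done
}

# /etc/hosts lines so dhcpd can resolve the fixed-address names.
gen_hosts() {
    printf '%s\n' "$RESERVATIONS" | while read -r host mac ip; do
        printf '%-16s%s.%s\n' "$ip" "$host" "$DOMAIN"
    done
}

# ipchains rules: flush and default-deny the forward chain, then accept each
# allowed source. On a masquerading box the target would be MASQ, not ACCEPT.
gen_ipchains() {
    printf 'ipchains -F forward\nipchains -P forward DENY\n'
    printf '%s\n' "$RESERVATIONS" | while read -r host mac ip; do
        printf 'ipchains -A forward -s %s -j ACCEPT\n' "$ip"
    done
}

# Report every allowed IP whose ARP entry carries a MAC other than the one
# reserved for it. Takes the output of `arp -an` as its argument:
#     check_arp "$(arp -an)"
# Linux `arp -an` lines look like:
#     ? (192.168.10.34) at 00:52:04:93:CE:42 [ether] on eth0
check_arp() {
    arp_out=$1
    printf '%s\n' "$RESERVATIONS" | while read -r host mac ip; do
        seen=$(printf '%s\n' "$arp_out" |
            awk -v want="($ip)" '$2 == want { print $4; exit }' |
            tr 'A-F' 'a-f')
        if [ -n "$seen" ] && [ "$seen" != "$mac" ]; then
            printf 'MISMATCH %s reserved for %s, seen from %s\n' \
                "$ip" "$mac" "$seen"
        fi
    done
}

# Constructed ARP cache: .34 is the real thinkpad; .35 is being answered by
# a MAC that is not desk01, i.e. somebody set 192.168.10.35 by hand.
ARP_SAMPLE='? (192.168.10.34) at 00:52:04:93:CE:42 [ether] on eth0
? (192.168.10.35) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.10.1) at 00:00:0c:07:ac:01 [ether] on eth0'

# Stand-alone run: print the three generated fragments, then the ARP check.
main() {
    echo '# dhcpd.conf'; gen_dhcpd
    echo '# /etc/hosts'; gen_hosts
    echo '# ipchains';   gen_ipchains
    echo '# arp check';  check_arp "$ARP_SAMPLE"
}
main
```

Run it from cron (`check_arp "$(arp -an)"`) or feed arpwatch's changed-pair reports into it; a MISMATCH line is the signal to pull the address out of the table and regenerate all three files. Two limits worth knowing before relying on it: the ARP cache only holds the MAC that answered most recently, so the check sees a spoofer only while the spoofer is the one answering, and a user who also clones the reserved MAC will pass it. The check is detection on top of the DHCP/firewall setup; the VLAN segmentation in suggestion 2 is what actually keeps such a machine off the Internet-facing segment.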

On Fri, 13 Oct 2000, vince cagud wrote:

> 
> That's always the problem with TCP/IP and DHCP: there is no authentication before
> getting access. I've the same problem here on our campus.
> 
> For your DHCP problem, you can try manually mapping IP addresses to the MAC
> addresses of the NICs in that room which should be getting the IP addresses from your
> DHCP server. Only registered MAC addresses will be given IP addresses. Problem is,
> what prevents them from manually assigning IP addresses themselves? Well, you can
> separate your Internet servers on another subnet that you can firewall off and
> allow only the IP addresses that you assigned in the DHCP to access these servers.
> Next problem: what prevents them from stealing those IP addresses that were allowed
> in the firewall? Well, for one, they can only steal said IPs if the workstation
> which was supposed to use it is turned off. Otherwise, the Windows IP stack would
> complain of an IP conflict. Here, one must find a way to tie DHCP leases with
> routing/firewalling. Another way is to use proxy applications, which again must be
> tied to DHCP leases.
> 
> I had the idea once of the possibility of tying logins to DHCP and routing for total
> network security and control. It's hard to accomplish given TCP/IP's architecture,
> but I think it could be done. I mean, log in first before any network access. This
> is one thing I'm still thinking about in my free time though.
> 
> 
> vince.
> 
> 
> [EMAIL PROTECTED] wrote:
> 
> > Hi guys!
> >
> > I've been running iptraf and arpwatch hand-in-hand to monitor network
> > traffic/loading within my network and at the same time to keep track of the IP
> > address pairings passing within. And so far, after running it for a
> > couple of days, I have discovered some malicious connections.
> >
> > Several networks are connected within my LAN to have Internet access. I
> > have one small room (their switch hub patched to one of my switch
> > ports) leasing dynamic IP addresses from my Linux box running as DHCP/proxy
> > server for the workstations in that LAN. (3 static IP addresses were
> > assigned to their NT servers.)
> >
> > NOTE: All other in-building clients connected to several switches within
> > the building were assigned STATIC IP addresses from my IP address pool to
> > get Internet access.
> >
> > Here's the issue...
> >
> > 1. Computers from that single room that were being served/leased by my
> > Linux DHCP/proxy server with dynamic IP addresses are somehow not
> > getting any lease from the server. From my messages log file, it says...
> >
> > "192.168.1.23 no free lease on subnet blah, blah, blah...."
> >
> > Question: How can I prevent these winblowz PCs from getting into my
> > system? It's very annoying since they are also recorded in my system's
> > ARP cache.
> >
> > 2. I have this whole chunk of /24 network (111.222.333.0). And so far,
> > after taking a deeper look at my IP address allocation table, I have used
> > almost half of it (around 192 IP addresses to be exact). Now, I discovered
> > that some winblowz workstations within the building are pulling out some
> > unused/undesignated IP addresses within my pool. They are manually
> > assigning IP addresses on their workstations.
> >
> > Question: How can I prevent this? How can I also deny connections from
> > these workstations? They are also using my proxy server to surf the net.
> >
> > Thank you so much in advance,
> >
> > Val
> >
> > _
> > Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> > To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
> 
> 

