On Wed, 2004-10-27 at 16:37 +1000, Matthew Palmer wrote:
> Practically speaking, there is no way to stop them if they have physical
> access to the network and/or administrative access to the machine, unless
> you have an intelligent switch which is capable of being told "only let DHCP
> traffic through by default", then getting the DHCP server to change the ACL
> on the port for the requestor MAC address after successful DHCP lease
> assignment.

It's relatively easy to hook up Snort and your DHCP leases file, so that traffic to or from an IP not in there triggers a warning. If your switch is at all manageable, that could well shut down the problem port, by querying for the source of the MAC.

Rob
-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
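The lease cross-check suggested in the reply above, sketched as an added example that is not part of the original thread: it reads the leases file and flags observed source addresses that hold no active lease or whose MAC differs from the lease holder. It assumes ISC dhcpd's `dhcpd.leases` syntax; the function names and the `(source IP, source MAC)` pairs standing in for sensor output are hypothetical.

```python
import re
from datetime import datetime, timezone

# Assumption: ISC dhcpd's dhcpd.leases syntax (the post names no DHCP server).
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
ENDS_RE = re.compile(r"^\s*ends\s+(?:never|\d\s+(\S+ \S+));", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);", re.M)

def active_leases(text, now):
    """Map ip -> mac for the leases that are valid at `now`."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        leases.pop(ip, None)  # append-only log: a later entry supersedes earlier ones
        ends, state, mac = ENDS_RE.search(body), STATE_RE.search(body), MAC_RE.search(body)
        if not (ends and mac) or (state and state.group(1) != "active"):
            continue
        stamp = ends.group(1)  # None means "ends never"; dhcpd records times in UTC
        if stamp and datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc) <= now:
            continue
        leases[ip] = mac.group(1).lower()
    return leases

def unleased_traffic(observed, leases):
    """Yield (ip, mac, reason) for observed sources that hold no matching lease."""
    for ip, mac in observed:
        if ip not in leases:
            yield ip, mac, "no active lease"
        elif leases[ip] != mac.lower():
            yield ip, mac, "MAC differs from lease holder"

# Constructed sample data: a leases file and (source IP, source MAC) pairs from a sensor.
SAMPLE_LEASES = """\
lease 192.168.1.10 {
  ends 3 2004/10/27 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  ends 2 2004/10/26 12:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""
OBSERVED = [("192.168.1.10", "00:11:22:33:44:55"), ("192.168.1.11", "00:11:22:33:44:66"),
            ("192.168.1.10", "00:AA:BB:CC:DD:EE")]
NOW = datetime(2004, 10, 27, 6, 37, tzinfo=timezone.utc)
for finding in unleased_traffic(OBSERVED, active_leases(SAMPLE_LEASES, NOW)):
    print("WARNING:", *finding)
```

Hosts with static addresses never appear in the leases file, so filter them out of `observed` before calling `unleased_traffic`.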
