The correct answer is that DHCP (and bootp) and in fact any "simple" protocol that uses broadcasts to discover resources/services that it will rely on need to run on a secure network infrastructure. This means physical access as well as having control of the devices that use the network. (As an example, Bugtraq this week has a discussion around the fact that Altiris clients (software deployment ala Ghost) by default trust a response to a multicast to find a software load server. Hence a spoofing server can easily "own" the client machines.)

There are usually software means to detect illicit use of IP addresses, etc, as stated by others. These are probably good to use in most environments where your threat is dumb/smart users mis/malconfiguring their machines. Also you should separate critical network resources from your clients by an IP routing switch. This way clients cannot steal, say, the server IP address even if they try. If DHCP clients are on their own subnet/VLAN then they can only tread on each other's toes.

If you are really concerned about access to the network at Layer 2/3 (before operating system authentication/encryption comes into play etc) then you need to look at things like IEEE 802.1x. (Yes, x is the working group, not a placeholder.) This enables a smart LAN switch to authenticate the client before it is allowed access to real network resources. (It also allows the client to authenticate the network to assure that it is in fact connecting to the network it expects to be before it starts using it - very important in wireless environments.)

Regards, Martin

Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Howard Lowndes
> Sent: Thursday, 28 October 2004 10:33 AM
> To: Ken Foskey
> Cc: slug
> Subject: Re: [SLUG] Lusers grabbing IP addresses - stopping them
>
> On Wed, 2004-10-27 at 23:30, Ken Foskey wrote:
> > On Wed, 2004-10-27 at 16:29 +1000, Howard Lowndes wrote:
> > > If you are running a DHCP server on a network and have a block of IP
> > > addresses which you make available, how can you stop a (reasonably)
> > > knowledgeable luser from explicitly grabbing an address from that
> > > block by explicitly configuring their box with that address, thus
> > > preventing that IP address from being recorded in the leases, and
> > > hence you not immediately knowing that that box has been attached to
> > > the network.
> >
> > arpwatch ?
> >
> > I was under the impression that dhcp will query an IP before using it.
> > I assume that it does a warning when this happens.
>
> It does, but if the one that has been grabbed is not the one that dhcp is
> allocating then it could be some time before it gets noticed, especially
> on a reasonably static network.
>
> I think a mix of snort, arpwatch and some awk'g on the dhcp leases file
> might be the best move.
>
> --
> Howard.
> LANNet Computing Associates;
> Your Linux people <http://www.lannetlinux.com>
> ------------------------------------------
> "When you just want a system that works, you choose Linux;
> when you want a system that just works, you choose Microsoft."
> ------------------------------------------
> "Flatter government, not fatter government; Get rid of the
> Australian states."
>
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
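Howard's idea of reconciling arpwatch data against the dhcpd leases file, written out as an added example that is not from the thread: it parses a constructed ISC dhcpd.leases excerpt and constructed arpwatch arp.dat lines, then reports any address inside the DHCP pool that answers on the wire without an active lease, or with a different MAC than the lease records. The pool range, file formats and all sample data are assumptions for the example.

```python
import ipaddress
import re
# Constructed ISC dhcpd.leases excerpt (not from the original thread).
LEASES = """\
lease 192.168.1.101 {
  ends 4 2004/10/28 12:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.102 {
  ends 3 2004/10/27 12:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""
# Constructed arpwatch arp.dat lines: MAC, IP, last-seen epoch, optional hostname.
ARP_DAT = """\
0:11:22:33:44:55\t192.168.1.101\t1098921000\tclient1
0:aa:bb:cc:dd:ee\t192.168.1.103\t1098921100\t
0:11:22:33:44:77\t192.168.1.102\t1098921200\t
0:11:22:33:44:99\t192.168.1.10\t1098921300\tserver
"""

def norm_mac(mac):
    """Zero-pad octets so arpwatch's '0:11:..' compares equal to dhcpd's '00:11:..'."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))
def active_leases(text):
    """Map IP -> MAC for leases whose binding state is active; free/expired ones drop out."""
    leases = {}
    for ip, body in re.findall(r"lease (\S+) \{(.*?)\}", text, re.S):
        m = re.search(r"binding state (\w+);.*?hardware ethernet ([0-9a-fA-F:]+);", body, re.S)
        if m and m.group(1) == "active":
            leases[ip] = norm_mac(m.group(2))
        else:
            leases.pop(ip, None)  # append-only file: the latest record for an IP wins
    return leases
def find_squatters(leases, arp_dat, pool):
    """List pool addresses seen in ARP that have no matching active lease."""
    lo, hi = (ipaddress.ip_address(a) for a in pool.split("-"))
    findings = []
    for line in arp_dat.splitlines():
        mac, ip = line.split("\t")[:2]
        if not lo <= ipaddress.ip_address(ip) <= hi:
            continue  # outside the DHCP pool, e.g. the server subnet
        expected = leases.get(ip)
        if expected is None:
            findings.append(f"{ip} used by {norm_mac(mac)} with no active lease")
        elif expected != norm_mac(mac):
            findings.append(f"{ip} leased to {expected} but answered by {norm_mac(mac)}")
    return sorted(findings)
```

Run it from cron against the live files and pipe the findings to mail or syslog; a squatter sitting on an address dhcpd is not currently handing out shows up on the first pass rather than whenever dhcpd happens to probe that address.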
