How do you keep users from stealing other users' IPs??

Jon Otterholm jon.otterholm at ide.resurscentrum.se
Fri Mar 24 10:37:14 UTC 2006


Sten Daniel Sørsdal wrote:
> Mark Jayson Alvarez wrote:
>> Good day,
>>  
>>  
>>  We are trying to reorganize our local area network and I need some 
>> tips on how you are managing your own lan...
>>  
>>  We have a vanilla pc router with interface facing our private lan 
>> and interface facing the Internet.
>>  
>>  One problem which we are experiencing right now is that any user 
>> from the private lan can use any ip address he wants. If he boots his 
>> computer with a stolen ip address, the poor owner of that machine (not 
>> active at the moment) will automatically give up his ip address to 
>> this user. The same scenario applies to public ip addresses. Basically, we 
>> need to track down the users through their ip address.. But this is 
>> trivial as of now since anyone can use any ip he wants. Even if there 
>> is a solution out there to tie his mac address to his ip 
>> address..(sort of checking the mac first before giving him an ip, 
>> possibly through dhcp..) still, users can just download applications 
>> which will enable them to change their mac address....
>>  
>>  Now, we're thinking about authenticating users before they are allowed 
>> to use a particular network service (internet proxy, mail etc.) 
>> because I guess it is a clever way of keeping the bad users from 
>> doing something bad within your network when, after all, the reason 
>> why he is plugging his LAN card into the network is to use a particular 
>> service. However, it still doesn't keep them from playing around and 
>> stealing other ip addresses or mac addresses and thus denying network 
>> access to those legitimate owners.
>>  
>>  Any idea how to handle these situations??
>>  Thanks...
>
> If it's a service provider scenario I would employ vlans. One vlan to 
> each customer. Providing network or Internet service costs more than 
> your typical small company network. Each customer should get his/her 
> own dedicated "line" so to speak.
>
> I would most likely employ /30 networks (or larger) to each customer 
> as this would be the most solid way to do it. This goes for public IP 
> addresses as well. You could bridge the vlans but this will give you 
> grief and if not done right will leave you back at square one.
>
> Some would say PPPoE, which is a fine solution. It comes with its own 
> set of challenges. Many idiotic hobby "admins" out there block icmp 
> altogether. Some even drop fragments. But
>
> Managed vlan switches are becoming quite affordable these days. Not 
> only would they help you track down a "sinner" within minutes (instead 
> of hours, if not days). They often come with more than adequate snmp 
> support so you can do real monitoring (even the low end ones).
>
To prevent users from MAC-spoofing - buy a switch with some kind of 
"port-security". If you could lock down a port to just one MAC and have 
a static ARP on the router it would be pretty hard to spoof the 
MAC-address. With another MAC than the one associated with the port you 
simply will not be able to talk to anyone.

To take security one step further you could use some kind of RADIUS 
authentication (MAC/user/computer/??).

Dlink 3526/3550 have these functions. In addition you could lock down 
the switch so that "user-ports" only could talk to the uplink port and 
never with each other.


And NO - I am not a Dlink employee, just a big fan.

/Jon
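An added example, not code from this thread: the "static ARP on the router" idea turned into a check. This sh/awk script compares a FreeBSD `arp -an` snapshot against the list of IP/MAC bindings you intend to pin, and reports every IP answered by the wrong MAC (a stolen address) or by a host not on the list. The addresses, MACs and the interface name em0 are constructed sample data, and the `arp -an` line layout is assumed to be the FreeBSD one.

```shell
#!/bin/sh
# Added example, not from the thread: audit the router's ARP table against
# the list of IP/MAC bindings you intend to pin with static ARP entries.
# All addresses, MACs and the interface name (em0) are constructed samples.

# Authorised bindings, one "ip mac" pair per line. This is also the line
# format FreeBSD's `arp -f` reads, so the same file can load the static entries.
AUTHORISED='10.0.0.10 00:11:22:33:44:10
10.0.0.11 00:11:22:33:44:11
10.0.0.12 00:11:22:33:44:12'

# Constructed snapshot in the format printed by `arp -an` on FreeBSD.
# Line 2 shows the .12 host answering for .11 (a stolen address);
# line 3 shows a host that is not on the list at all.
ARP_SNAPSHOT='? (10.0.0.10) at 00:11:22:33:44:10 on em0 expires in 1200 seconds [ethernet]
? (10.0.0.11) at 00:11:22:33:44:12 on em0 expires in 1180 seconds [ethernet]
? (10.0.0.13) at 00:de:ad:be:ef:13 on em0 expires in 900 seconds [ethernet]
? (10.0.0.20) at (incomplete) on em0 expired [ethernet]'

# arp_audit AUTHORISED SNAPSHOT
# Prints "CONFLICT ip expected mac seen mac" when an authorised IP is
# answered by a different MAC, and "UNKNOWN ip mac" for an IP not on the
# list. Incomplete entries (no MAC learned yet) are skipped. Prints nothing
# when the table matches the list, so a cron job can alert on any output.
arp_audit() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'   # tag authorised lines
        printf '%s\n' "$2" | sed 's/^/S /'   # tag snapshot lines
    } | awk '
        $1 == "A" && NF >= 3 { want[$2] = tolower($3); next }
        $1 == "S" && NF >= 5 {
            ip = $3; gsub(/[()]/, "", ip)    # "(10.0.0.11)" -> "10.0.0.11"
            mac = tolower($5)
            if (mac == "(incomplete)") next
            if (!(ip in want)) print "UNKNOWN " ip " " mac
            else if (want[ip] != mac)
                print "CONFLICT " ip " expected " want[ip] " seen " mac
        }'
}

# Run against the constructed snapshot; on a real router replace the
# second argument with "$(arp -an)".
arp_audit "$AUTHORISED" "$ARP_SNAPSHOT"
```

A switch port locked to one MAC stops the spoof at layer 2; this check is the layer-3 counterpart on the router, flagging the moment an address is claimed by a MAC other than the one pinned for it.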


More information about the freebsd-net mailing list