How do you keep users from stealing other users' IPs?
Mark Jayson Alvarez
jay2xra at yahoo.com
Fri Mar 24 08:07:58 UTC 2006
Hi,
OK, here are our problems. They mostly concern tracking down which user is eating up our bandwidth or which user is flooding our network.
1. When users want to plug a machine into the network (let's say their own testbeds), they will choose whatever IP they want, possibly stealing IPs that are already in use.
2. Users' workstations are a mix of Windows and *nixes. Most Windows machines get infected with worms from time to time... Some of the users are not skillful enough to clean their own workstations. Given an unmanaged IP allocation, it is also hard to trace which machines are causing the network congestion.
3. Some users with public workstations and testbeds are eating up bandwidth through file sharing... This is still hard to trace without proper IP allocation management.
Erik Nørgaard <norgaard at locolomo.org> wrote:
I once set up such a solution in a student house with about 120 users.
People had their own private PCs, so we couldn't just take away their
admin rights on their own PC.
Now, questions to ask:
- Are all users legitimate users? Do users have friends coming in and
connecting to the network? Is it wired, or do you have neighbors trying to
use the net also?
- What is the benefit of stealing another user's IP? Do you have
limitations on access such as download quotas? Is it to hide behind another user?
In our case we had a wired network, so all users were legitimate users,
but we had a limitation on download, so some users would try to use their
neighbor's IP to get more quota.
What we did was:
1) Static IPs assigned with DHCP, so people wouldn't need to learn to
configure their computer.
2) Static ARP table on the router; to spoof, one would have to spoof the
MAC address.
3) Require registration of all hosts owned by the user, to hold users
accountable for their hosts.
4) Count traffic per host, upload and download; this was done with ipfilter.
5) Make current usage visible: the users could always check their quota
and knew when they hit the limit. That way they didn't get surprised and
annoyed.
This actually worked fine. It was sufficiently complicated to spoof that
people wouldn't bother.
A different and possibly better way around this would be to limit
bandwidth for ports higher than 1023, which is where most file sharing
takes place. You can do that with packet filter. I still haven't figured
out how to effectively implement traffic quotas on packet filter, as
accounting is not so easy.
If your concern is people trying to hide behind others' identities, or
unauthorized access such as when you have a wireless LAN, then there are
two good options:
1) Use authpf with packet filter. This requires the user to authenticate
with the firewall to get access. No proxy needed.
2) Let each client establish a VPN to the router. This has the
advantage of also encrypting traffic if you have a wireless or
non-switched network.
Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
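Steps 1 to 3 of Erik's setup (registration, static DHCP leases, static ARP on the router) can be driven from one host register. The script below is an added example, not code from the original thread: it validates a constructed register file, rejects duplicate MACs or IPs before they reach the router, and emits ISC dhcpd `host` declarations plus a file in the format `arp -f` reads on FreeBSD. The register format, user names and addresses are all assumptions for the illustration.

```python
"""Static DHCP leases and a static ARP table from a host register (added example)."""
import ipaddress
import re
from collections import Counter

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample register: user, hostname, MAC, IP (one host per line).
REGISTER = """\
alice  alice-pc   00:11:22:33:44:01  10.0.1.11
alice  alice-test 00:11:22:33:44:02  10.0.1.12
bob    bob-win    00:11:22:33:44:03  10.0.1.13
"""


def parse_register(text, subnet="10.0.1.0/24"):
    """Parse the register into (user, name, mac, ip) tuples, rejecting bad input."""
    net = ipaddress.ip_network(subnet)
    hosts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields")
        user, name, mac, ip = parts
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac}")
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"line {lineno}: {ip} not in {subnet}")
        hosts.append((user, name, mac, str(addr)))
    # A MAC or IP listed twice means two hosts would collide on the wire;
    # refuse the register rather than push a conflicting binding out.
    for idx, what in ((2, "MAC"), (3, "IP")):
        dup = [k for k, n in Counter(h[idx] for h in hosts).items() if n > 1]
        if dup:
            raise ValueError(f"duplicate {what}: {', '.join(dup)}")
    return hosts


def dhcpd_hosts(hosts):
    """ISC dhcpd 'host' declarations: each registered MAC always gets the same IP."""
    return "\n".join(
        f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
        for _, name, mac, ip in hosts)


def arp_file(hosts):
    """Lines for 'arp -f FILE' on the router: the router only ever sends
    traffic for an IP to its registered MAC, so a host that just picks the
    IP with its own MAC gets no replies."""
    return "\n".join(f"{ip} {mac}" for _, _, mac, ip in hosts)


if __name__ == "__main__":
    hosts = parse_register(REGISTER)
    print(dhcpd_hosts(hosts))
    print(arp_file(hosts))
```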