Q: Controlling access at the Ethernet level

Chuck Swiger cswiger at mac.com
Sun Apr 4 12:12:20 PDT 2004


Adrian Penisoara wrote:
>    We are facing service theft through impersonation, either solely IP 
> or both IP and Ethernet MAC address. Securing IP access was solved using 
> a static ARP scheme (we used "staticarp" for the internal gateway 
> interface and tied to it a fixed list of IP/MAC tuples), but some of the 
> clients learnt how to change both the IP and the MAC.
[ ... ]
> What would you recommend ? Are there any other elegant solutions ?

A pair of wirecutters is a cheap and elegant solution.  People who violate 
your network security policy get disconnected until they learn to behave. :-)

You've described the problem in some detail, but you haven't said much about 
your role or the role of the people playing games: are you and they employees 
of the same company, or are you offering network services to other companies?

If it's the former, you need to have management involved: management needs to 
be willing to warn and (if need be) terminate people.  If management isn't 
willing to back you up, don't bother wasting your time trying to solve this 
problem.

If it's the latter, make each company responsible for the data coming from 
their network ports: bill them for whatever traffic goes by, and tell them to 
clean up their own messes if they don't like the costs associated with the 
problems their employees are causing.

-- 
-Chuck
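[Editor's added example, not part of the original exchange and not the poster's or Chuck's code.] The static ARP scheme the question describes is the FreeBSD combination of "ifconfig <if> staticarp" on the gateway interface plus a fixed IP/MAC list loaded with arp(8). The script below builds that table from an embedded tuple list (rejecting malformed entries) and audits a captured "arp -an" dump against the list, reporting an IP that shows up with a different MAC, any non-permanent entry (which means staticarp is not actually in effect), and any pinned IP missing from the table. The interface name fxp0, every address, and the sample arp -an dumps are made up for this example; the dump format assumed is the usual FreeBSD "? (ip) at mac on ifname permanent|expires ... [ethernet]" line.

```shell
#!/bin/sh
# Added example (not from the freebsd-isp post): build a static ARP table for a
# FreeBSD gateway interface from a fixed IP/MAC list and audit "arp -an" output
# against it.  Interface name and all addresses below are invented.

GW_IF=fxp0   # assumed internal gateway interface

# Constructed tuple list: "IP MAC" per line, '#' comments allowed.  The last
# entry is deliberately malformed (octet 300) to show it being rejected.
TUPLES='# ip              mac
192.168.10.11     00:11:22:33:44:11
192.168.10.12     00:11:22:33:44:12
192.168.10.13     00:11:22:33:44:13
192.168.10.300    00:11:22:33:44:14
'

# Accept only a dotted-quad IPv4 address (octets 0-255) and a colon-separated MAC.
valid_tuple() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) if ($i + 0 > 255) exit 1 }' || return 1
    printf '%s\n' "$2" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    return 0
}

# Normalize the list: drop comments and blanks, report malformed tuples on
# stderr and skip them, lower-case the MAC so comparisons are exact.
load_tuples() {
    printf '%s' "$TUPLES" | while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_tuple "$ip" "$mac"; then
            printf '%s %s\n' "$ip" "$(printf '%s' "$mac" | tr 'A-F' 'a-f')"
        else
            printf 'skipping malformed tuple: %s %s\n' "$ip" "$mac" >&2
        fi
    done
}

# Emit the commands that pin the table: stop the interface from learning ARP
# dynamically, then add one permanent entry per tuple (arp -S replaces any
# existing entry).  Output is text so it can be reviewed, then run as root
# with:  gen_static_arp | sh
gen_static_arp() {
    printf 'ifconfig %s staticarp\n' "$GW_IF"
    load_tuples | while read -r ip mac; do
        printf 'arp -S %s %s\n' "$ip" "$mac"
    done
}

# Audit a captured "arp -an" dump (passed as one string) against the tuple
# list.  Prints one line per finding and exits 1 if anything was found:
#   MISMATCH  a pinned IP is in the table with a different MAC
#   DYNAMIC   an entry is not "permanent", so staticarp is not in effect
#   MISSING   a pinned IP has no complete entry at all
# Unlisted permanent entries (e.g. the gateway itself) are left alone.
audit_arp() {
    printf '%s\n' "$1" | awk -v tuples="$(load_tuples 2>/dev/null)" '
        BEGIN {
            n = split(tuples, t, "\n")
            for (i = 1; i <= n; i++) {
                if (t[i] ~ /^[ \t]*$/) continue
                split(t[i], f, " ")
                want[f[1]] = f[2]
            }
            bad = 0
        }
        $3 == "at" {
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (mac == "(incomplete)") next        # no resolved entry: counted as MISSING
            if (ip in want && want[ip] != mac) {
                printf "MISMATCH %s pinned %s seen %s\n", ip, want[ip], mac; bad++
            }
            if ($7 != "permanent") {
                printf "DYNAMIC %s %s on %s: staticarp not in effect\n", ip, mac, $6; bad++
            }
            seen[ip] = 1
        }
        END {
            for (ip in want) if (!(ip in seen)) { printf "MISSING %s not in table\n", ip; bad++ }
            exit (bad > 0)
        }'
}

# Constructed arp -an dumps: one with three problems, one clean.
SAMPLE_DUMP='? (192.168.10.11) at (incomplete) on fxp0 expired [ethernet]
? (192.168.10.12) at 00:11:22:33:44:99 on fxp0 permanent [ethernet]
? (192.168.10.13) at 00:11:22:33:44:13 on fxp0 expires in 1187 seconds [ethernet]
? (192.168.10.254) at 00:11:22:33:44:fe on fxp0 permanent [ethernet]'
CLEAN_DUMP='? (192.168.10.11) at 00:11:22:33:44:11 on fxp0 permanent [ethernet]
? (192.168.10.12) at 00:11:22:33:44:12 on fxp0 permanent [ethernet]
? (192.168.10.13) at 00:11:22:33:44:13 on fxp0 permanent [ethernet]'

# Stand-alone run: show the commands, then audit the bad sample.
gen_static_arp
audit_arp "$SAMPLE_DUMP" || printf 'audit: problems found\n'
```

As the question itself notes, this only pins the gateway's view of IP-to-MAC: a client that clones both the IP and the MAC of a legitimate host is indistinguishable at this layer, and the audit will not see it.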



More information about the freebsd-isp mailing list