Controlling access at the Ethernet level
Christopher Rued
c.rued at xsb.com
Tue Apr 6 06:33:03 PDT 2004
Dan Ros wrote:
>> -----Original Message-----
>> From: Adrian Penisoara [mailto:ady at freebsd.ady.ro]
>>
>> We are facing service theft through impersonation, either
>> solely IP
>> or both IP and Ethernet MAC address. Securing IP access was solved
>> using a static ARP scheme (we used "staticarp" for the
>> internal gateway
>> interface and tied to it a fixed list of IP/MAC tuples), but some of
>> the clients learnt how to change both the IP and the MAC.
> ...
>
> This sounds like a university residential halls network, am I right?
>
> For what it's worth, the university I attend has tried both DHCP by mac
> address, static arp and so on. Eventually now they have given up and the
> cost of the network connection is simply included in the rent for the room.
> That way they do not have to worry about unauthorised access.
I just had a simple thought: can you just physically unplug the network
cable for the particular room from your router? You can't steal service
w/out link. Not as nice as a programmatic solution, but probably as
effective; I guess you'd just have to make sure each cable is labeled.
Of course, this wouldn't prevent people from giving access to the
friends next door if they have their own router. And, I suppose, if
someone *really* wanted to steal internet access, they could open the
wall and access the incoming cable to the room next door, and install a
router secretly.
--Chris
More information about the freebsd-isp
mailing list