Security Basics mailing list archives
Re: Preventing DHCP from allocating IPs
From: "Hasnain Atique" <hatique () hasnains com>
Date: Sat, 7 Dec 2002 02:30:23 +0800
My solution was somewhat more elaborate. I'd separated the network into sections, each connecting to a "backbone" of sorts. Each segment is physically separate with a Linux router/gateway/firewall linking the section to the backbone. Each Linux box knows which MAC addresses are valid within its segment and only allows those through to the backbone. DHCP within each segment allocates IP addresses to known MACs only.

Net result is that unknown MAC addresses firstly don't get a DHCP allocation, and secondly can't make it outside of the local segment. Even if a smart user were to pick and choose an unused IP and used the right gateway address, because of MAC filtering they will be limited to the local segment.

The downside is that every single MAC address has to be known before putting this in place (it's easily done with arpwatch), and there will be multiple gateways to maintain. But depending on your level of paranoia you'll probably like it.

Finally, I certainly wouldn't want to automate the process of learning MAC addresses and updating DHCP allocation accordingly. Defeats the entire purpose!!

----- Original Message -----
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
To: "Hasnain Atique" <hatique () hasnains com>; "Rick Darsey" <rdarsey () aims1 com>; "jon kintner" <jon.kintner () lvcm com>; <security-basics () securityfocus com>
Sent: Friday, December 06, 2002 4:24 PM
Subject: RE: Preventing DHCP from allocating IPs

In my scenarios, the problem is some people who walk into this company are visitors who come in with different laptops each time they walk in. Sometimes they are genuine visitors who have the right to use the LAN and sometimes these people are visitors who we do not trust or are first time visitors.

Also the whole idea was to automate the process. Can the ISC dhcpd and dhcp log process be automated? I guess the matching of the MAC to the user will have to be very manual. And as I mentioned above, what happens if the dude shows up again a few days later with another laptop? And of course the smart people to worry about.

Cheers
Gill

-----Original Message-----
From: Hasnain Atique [mailto:hatique () hasnains com]
Sent: Friday, December 06, 2002 10:26 AM
To: ssgill () gilltechnologies com; Rick Darsey; jon kintner; security-basics () securityfocus com
Subject: Re: Preventing DHCP from allocating IPs

What about configuring DHCP to assign IP addresses to known MAC addresses only? I know ISC dhcpd does this and have used it for a couple of clients. It was fairly easy to build a dhcpd.conf from the dhcp log file .. so no real headache with collecting MAC addresses for the initial configuration. But you may still want to match each MAC address to its owner before putting it in the config file.

This still allows the smarter people to pick and choose an unused IP to bypass the DHCP mechanism altogether. There's a cycle-intensive solution: use iptables with MAC-matching for all known MACs.

-- Hasnain

----- Original Message -----
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
To: "Rick Darsey" <rdarsey () aims1 com>; "jon kintner" <jon.kintner () lvcm com>; <security-basics () securityfocus com>
Sent: Thursday, December 05, 2002 7:14 AM
Subject: RE: Preventing DHCP from allocating IPs

That was one of my options but seems like the Administrators did want to be bothered every time somebody needed an IP.

Gill

-----Original Message-----
From: Rick Darsey [mailto:rdarsey () aims1 com]
Sent: Wednesday, December 04, 2002 4:05 AM
To: jon kintner; ssgill () gilltechnologies com; security-basics () securityfocus com
Subject: RE: Preventing DHCP from allocating IPs

I know this sounds like a really bad way of doing this, but it is the only way I can come up with off the top of my head: Turn off DHCP!! Statically assign all addresses in your LAN. If a visitor wants access to your network, they will have to come to you to obtain the address, or better yet, create a small DHCP pool that visitors can use, but limit the size to prevent users you do not want from accessing the network. The initial setup of the static addresses will take time, but the small DHCP pool will still allow visitors to plug in when needed.

Rick

-----Original Message-----
From: jon kintner [mailto:jon.kintner () lvcm com]
Sent: Monday, December 02, 2002 1:04 PM
To: ssgill () gilltechnologies com; security-basics () securityfocus com
Subject: Re: Preventing DHCP from allocating IPs

I know MAC addresses can be spoofed pretty easily, but could you set up an access list or filter that would disallow all MAC addresses except for the ones specified on your network(s)? The initial setup would probably be tedious, but it's worked fairly well to keep most unauthorized logins off the network at the college I attend.

-jon kintner

----- Original Message -----
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
To: <security-basics () securityfocus com>
Sent: Monday, December 02, 2002 7:22 AM
Subject: Preventing DHCP from allocating IPs

Greetings all,

How do I prevent a client from getting an IP from my DHCP in an Ethernet network? I know I could reserve IPs for all other clients and nobody gets an IP unless reserved earlier, but I have hundreds of clients. I frequently have visitors who need to plug in their laptops into the network and I have visitors who are not allowed to plug in their laptops into the network and get IPs. I do not want these visitors who are not allowed to access the network to get an IP and start accessing internet through my network.

What about in a wireless environment? How do I prevent it in a similar capacity?

Kind Regards
Gill
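The approach discussed in this thread (collect MACs from the dhcpd log, match each to an owner by hand, then serve leases and forward traffic only for those MACs) can be sketched as follows. This is an added example, not code from any poster: the log lines, inventory, owner names, subnet and the `eth1` interface are constructed assumptions. MACs seen in the log but absent from the inventory are only reported for review, never added automatically.

```python
import re

# Constructed sample of ISC dhcpd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Dec  6 10:01:02 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth1
Dec  6 10:01:03 gw dhcpd: DHCPREQUEST for 192.168.10.50 from 00:0C:29:AA:BB:01 via eth1
Dec  6 10:05:40 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth1
Dec  6 10:09:11 gw dhcpd: DHCPDISCOVER from 00:50:56:de:ad:99 via eth1
"""
# Hand-maintained inventory (hypothetical): MAC -> owner, verified by an admin.
APPROVED = {"00:0c:29:aa:bb:01": "alice-laptop", "00:0c:29:aa:bb:02": "bob-desktop"}

# Pool stanza for dhcpd.conf; the subnet and range are assumptions.
POOL = """subnet 192.168.10.0 netmask 255.255.255.0 {
  pool {
    range 192.168.10.100 192.168.10.200;
    deny unknown-clients;  # leases only for MACs that have a host declaration
  }
}"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LOG_RE = re.compile(r"dhcpd(?:\[\d+\])?: DHCP(?:DISCOVER|REQUEST)\b.* from (" + MAC + r")\b", re.I)

def seen_macs(log_text):
    """Return the set of client MACs (lower-cased) that appear in the dhcpd log."""
    return {m.group(1).lower() for m in LOG_RE.finditer(log_text)}

def build(log_text, approved, lan_if="eth1"):
    """Return (dhcpd host stanzas, iptables rules, seen-but-unapproved MACs)."""
    hosts, rules = [], []
    for mac, owner in sorted(approved.items()):
        # Reject malformed inventory entries before they reach a config file.
        if not re.fullmatch(MAC, mac) or not re.fullmatch(r"[A-Za-z0-9-]+", owner):
            raise ValueError(f"bad inventory entry: {mac!r} -> {owner!r}")
        hosts.append(f"host {owner} {{ hardware ethernet {mac}; }}")
        rules.append(f"iptables -A FORWARD -i {lan_if} -m mac --mac-source {mac} -j ACCEPT")
    # Anything else arriving from the segment stays on the segment.
    rules.append(f"iptables -A FORWARD -i {lan_if} -j DROP")
    pending = sorted(seen_macs(log_text) - set(approved))
    return hosts, rules, pending

if __name__ == "__main__":
    hosts, rules, pending = build(SAMPLE_LOG, APPROVED)
    print(POOL, *hosts, *rules, sep="\n")
    print("Needs manual owner check before approval:", pending)
```

As jon kintner notes above, MAC addresses can be spoofed, so both the `deny unknown-clients` pool and the iptables rules only filter on a value the client controls.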