Re: MAC address registrations

[Mark Poepping <poepping () CMU EDU>]

>         So, in the same vlan you have "invalid" and "valid" ip addresses?

This is actually okay if you manage them as two separate subnets (default
routes are different and all) and don't have any *really old* IP stacks
(more than 10-15 years or so)..

>         If so, how do you deny that a user sniff the network and
> asign itself a static IP address of the valid pool?

You watch for it..

---

We require pre-registration but allow a path for unregistered machines to
register (then they release/renew and can go)..

We also have a netreg system (homegrown) that has some different
characteristics...  It maintains a MySQL db that backends to the dhcp/ddns
servers.  It supports dynamic pools and static mapping (we currently only
use pools on wireless - roughly 4-1 utilization).  We also have a netmon
system that (among other things) harvests MAC information from snmp-enabled
devices (all) and can tell you about unregistered machines..  Software, docs
and contact foo available at:

        http://www.net.cmu.edu

There are a few other schools using this system (I forget how many)..

mark.



> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Arturo Lev Servin
> Sent: Monday, April 21, 2003 4:00 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] MAC address registrations
>
> Hi,
>
>         I have a couple of questions.
>
> > Kevin Shalla wrote:
> >
> > > What do others do regarding registering MAC addresses?  Do you have
> > > policies regarding who is allowed a routable IP address, or who is
> allowed
> > > a static IP address?
> >
> > Kevin,
> >
> > We have a DHCP based system that registers all computers as
> > they come online. It is not a security measure as much as
> > an administrative aid as it can be circumvented but we haven't
> > found anyone doing it yet. It has proved invaluable in helping
> > improve incident response, mobile computing, and address
> > management.
> >
> > There is a package called NetReg that many schools use to
> > perform this task for their residence networks. Take a look
> > at it. It should be easily found on Google. Our system is a
> > home grown package but I think it works approximately the same
> > way. Here is a summary of how it works:
> >
> > 1) Client issues DHCP request
> >
> > 2) If client's MAC address is not in the DHCP server table, the
> >    DHCP server furnishes an IP address that is restricted by
> >    router filters and given a DNS server that will resolve all
> >    DNS lookups to a registration web site.
>
>         So, in the same vlan you have "invalid" and "valid" ip addresses?
>
>         If so, how do you deny that a user sniff the network and
> asign itself a static IP address of the valid pool?
>
> Thanks in advance,
> -as
>
>
>
>
> --
> *****************************
>
> Arturo Lev Servin Niembro
> aservin () itesm mx
> +52 (81) 8358-1400 ext.4131
> Telecomunicaciones y Redes
> Vicerrectoria de Tecnologias de Informacion
> Tecnologico de Monterrey
>
> *****************************
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.