Educause Security Discussion mailing list archives
Re: MAC address registrations
From: Mark Poepping <poepping () CMU EDU>
Date: Mon, 21 Apr 2003 16:43:08 -0400
> So, in the same vlan you have "invalid" and "valid" ip addresses?

This is actually okay if you manage them as two separate subnets (default routes are different and all) and don't have any *really old* IP stacks (more than 10-15 years or so)..

> If so, how do you prevent a user from sniffing the network and assigning itself a static IP address from the valid pool?

You watch for it..

We require pre-registration but allow a path for unregistered machines to register (then they release/renew and can go)..

We also have a netreg system (homegrown) that has some different characteristics... It maintains a MySQL db that backends to the dhcp/ddns servers. It supports dynamic pools and static mapping (we currently only use pools on wireless - roughly 4-1 utilization).

We also have a netmon system that (among other things) harvests MAC information from snmp-enabled devices (all) and can tell you about unregistered machines..

Software, docs and contact foo available at: http://www.net.cmu.edu

There are a few other schools using this system (I forget how many)..

mark.
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Arturo Lev Servin
Sent: Monday, April 21, 2003 4:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MAC address registrations

Hi, I have a couple of questions.

> Kevin Shalla wrote:
>> What do others do regarding registering MAC addresses? Do you have policies regarding who is allowed a routable IP address, or who is allowed a static IP address?
>
> Kevin,
>
> We have a DHCP based system that registers all computers as they come online. It is not a security measure as much as an administrative aid as it can be circumvented but we haven't found anyone doing it yet. It has proved invaluable in helping improve incident response, mobile computing, and address management.
>
> There is a package called NetReg that many schools use to perform this task for their residence networks. Take a look at it. It should be easily found on Google. Our system is a home grown package but I think it works approximately the same way.
>
> Here is a summary of how it works:
>
> 1) Client issues DHCP request
> 2) If client's MAC address is not in the DHCP server table, the DHCP server furnishes an IP address that is restricted by router filters and given a DNS server that will resolve all DNS lookups to a registration web site.

So, in the same vlan you have "invalid" and "valid" ip addresses? If so, how do you prevent a user from sniffing the network and assigning itself a static IP address from the valid pool?

Thanks in advance,

-as

--
*****************************
Arturo Lev Servin Niembro
aservin () itesm mx
+52 (81) 8358-1400 ext.4131
Telecomunicaciones y Redes
Vicerrectoria de Tecnologias de Informacion
Tecnologico de Monterrey
*****************************

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
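The "you watch for it" answer above comes down to reconciling three data sets: what the registration database knows, what the DHCP server actually leased, and what the routers and switches report seeing (MAC/IP pairs harvested over SNMP). The script below is an added example illustrating that reconciliation; it is not CMU's netreg or netmon code, and every table in it (registration entries, leases, the harvested ARP observations, the pool prefixes) is constructed for the example. It flags a host that is unregistered, and, more urgently, a host that is using an address from the valid pool without a matching DHCP lease for its MAC, which is exactly the hand-configured static address the question worried about. An unregistered host sitting in the restricted pool is reported at low priority, since that is the expected state of a machine that has not yet visited the registration page.

```python
"""Reconcile SNMP-harvested MAC/IP observations against registration and DHCP data.

Added example, not the netreg/netmon software discussed on the list.
Inputs are modelled as plain dicts and lists; in practice they would come
from the registration DB, the DHCP lease file and an SNMP walk of the
router's ARP table (ipNetToMediaTable) or the switches' forwarding tables.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed address plan: registered hosts get the valid pool, unregistered
# hosts are parked in the restricted pool behind router filters.
VALID_POOL = ipaddress.ip_network("10.1.0.0/24")
RESTRICTED_POOL = ipaddress.ip_network("10.1.1.0/24")

# Constructed registration table (MAC -> owner), as a netreg DB would hold.
REGISTRATIONS: Dict[str, str] = {
    "00:11:22:33:44:55": "alice",
    "00:11:22:33:44:66": "bob",
}

# Constructed current DHCP leases (MAC -> IP the server handed out).
LEASES: Dict[str, str] = {
    "00:11:22:33:44:55": "10.1.0.10",
    "aa:bb:cc:dd:ee:01": "10.1.1.50",   # unregistered host parked in restricted pool
}

# Constructed observations harvested from the router's ARP table via SNMP.
OBSERVED: List[Tuple[str, str]] = [
    ("10.1.0.10", "00-11-22-33-44-55"),  # registered, matches its lease: fine
    ("10.1.1.50", "aa:bb:cc:dd:ee:01"),  # unregistered, restricted pool: expected
    ("10.1.0.77", "AA:BB:CC:DD:EE:02"),  # unregistered AND in valid pool: static squatter
    ("10.1.0.20", "00:11:22:33:44:66"),  # registered, but no lease for this IP: static
]


@dataclass
class Finding:
    ip: str
    mac: str
    kind: str                 # see audit() for the three kinds
    severity: str             # "low" or "high"
    owner: Optional[str] = None


def normalize_mac(mac: str) -> str:
    """Canonicalise vendor-specific MAC spellings (00-11-..., 0011.2233.4455, upper case)
    to lower-case colon-separated form so table lookups match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(observed: List[Tuple[str, str]],
          registrations: Dict[str, str],
          leases: Dict[str, str],
          valid_pool: ipaddress.IPv4Network) -> List[Finding]:
    """Return one Finding per observation that deviates from the expected state."""
    findings: List[Finding] = []
    for ip, raw_mac in observed:
        mac = normalize_mac(raw_mac)
        in_valid = ipaddress.ip_address(ip) in valid_pool
        owner = registrations.get(mac)

        if owner is None:
            # Unknown MAC: normal while it sits in the restricted pool, alarming
            # if it has helped itself to a valid-pool address.
            if in_valid:
                findings.append(Finding(ip, mac, "unregistered_in_valid_pool", "high"))
            else:
                findings.append(Finding(ip, mac, "unregistered", "low"))
            continue

        # Registered MAC: the IP it is using in the valid pool must be the one
        # DHCP leased to it; anything else was configured by hand.
        if in_valid and leases.get(mac) != ip:
            findings.append(Finding(ip, mac, "static_valid_ip", "high", owner))
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED, REGISTRATIONS, LEASES, VALID_POOL):
        who = f"owner={f.owner} " if f.owner else ""
        print(f"[{f.severity}] {f.kind}: {f.ip} {f.mac} {who}")
```

The same comparison works against switch forwarding tables instead of the router ARP cache; the switch data additionally tells you which port the offending MAC is on, which is what you need to act on the finding rather than just log it.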
Current thread:
- MAC address registrations Kevin Shalla (Apr 21)
- <Possible follow-ups>
- Re: MAC address registrations Gary Flynn (Apr 21)
- Re: MAC address registrations Arturo Lev Servin (Apr 21)
- Re: MAC address registrations Mark Poepping (Apr 21)
- Re: MAC address registrations Gary Flynn (Apr 21)