Firewall Wizards mailing list archives
RE: Re: dhcp altering firewall rules
From: "Goldberg, Dan B" <Dan.B.Goldberg () usa xerox com>
Date: Mon, 07 May 2001 10:32:44 -0400
Hello, I finally feel inclined to post to this list after nearly a year of lurking!

The original question as I read it was to create a restrictive set of firewall rules that deny communications through the firewall based on source address. As a computer requests an address from the DHCP server, the firewall rules are changed to allow that address to go through for a specific period of time.

If the goal is simply to enforce the use of DHCP addresses, the suggested models should work. I bet the cable companies have (or ought to implement) this type of system. They control the wire and have a financial requirement to restrict users from using more addresses than they are paying for.

If the goal is to perform monitoring or auditing of usage through the firewall, or to restrict access by user or other criteria, I would suggest there is a major security flaw in this (DHCP) model. The DHCP servers I have used perform no authentication of the client. They hand addresses to anyone who asks for one. Thus restricting rules on the firewall really gains nothing, as anyone connecting to the network gets an address and the firewall opens up to let them through. This leaves a convoluted audit trail based on the MAC address, if all requests are logged.

I would propose instead a different model based on authentication and authorization of the individual user. There are a number of ways to accomplish this: using proxies or other firewall products that require the user to present credentials (e.g. username/password or public key) that specifically identify the user. This leaves a detailed audit trail and provides more granular control. I have used Squid, http://www.squid-cache.org (web cache/proxy), with SAMBA for this. It is a function of several commercial firewall products.

Dan Goldberg
-- Original Message --

One 'hack' of a solution (not compromise hack, just .. a hack): use atchange[1] to monitor the dhcp leases file. When it changes, call a script that will rebuild the ipf.rules file (i.e. fill in the blank for $IPADDR) and reload the firewall rules.

Another solution is to treat your host as a member of a network, the DHCP network your provider uses. Chances are you won't have problems with traffic intended for your neighbors, I think.

Resources:
1. http://www.lecb.ncifcrf.gov/~toms/atchange.html
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
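The lease-driven rebuild described in the quoted message, written out as an added example (not code from either poster). It assumes an ISC dhcpd 3 leases file, the interface name fxp0, and a constructed sample leases file; the resulting rule file is what a script called by atchange would hand to ipf, and the MAC comment on each rule is the only audit record an unauthenticated lease can provide, which is the limit Dan points out.

```shell
#!/bin/sh
# Added example: rebuild an ipf rule set from the ISC dhcpd leases file.
# Leases file contents, interface name (fxp0) and rule shape are assumptions.

# Constructed sample dhcpd.leases. Real files accumulate several records
# for the same address (renewals, releases), so the LAST record must win.
LEASES=$(mktemp)
cat > "$LEASES" <<'EOF'
lease 192.168.1.10 {
  ends 1 2001/05/07 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  ends 1 2001/05/07 14:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.12 {
  ends 1 2001/05/07 16:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
EOF

# active_leases FILE -> one "ip mac" line per currently active address.
active_leases() {
  awk '
    /^lease /           { ip = $2; state = ""; mac = "" }
    /binding state/     { state = $3; sub(/;$/, "", state) }
    /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
    /^}/                { if (state == "active") lease[ip] = mac; else delete lease[ip] }
    END                 { for (ip in lease) print ip, lease[ip] }
  ' "$1" | sort
}

# gen_rules FILE IFACE -> ipf rules: default deny first (last match wins
# unless "quick"), then one quick pass per active lease, MAC kept as comment.
gen_rules() {
  echo "block in log on $2 all"
  active_leases "$1" | while read ip mac; do
    echo "pass in quick on $2 from $ip/32 to any keep state # dhcp lease, mac $mac"
  done
}

# A real deployment would write this to ipf.rules and reload with ipf -Fa -f.
gen_rules "$LEASES" fxp0
```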