Re: Preventing DHCP from allocating IPs

[Gene <gyoo () attbi com>]

you need to use SPAN port... /gene

jon kintner wrote:
> I don't know if it's impossibe, but isn't sniffing traffic on a switched
> network more difficult?
>
> -jon
>
> ----- Original Message -----
> From: "Tony Meman" <none () superig com br>
> To: <security-basics () securityfocus com>
> Sent: Saturday, December 07, 2002 3:29 PM
> Subject: Re: Preventing DHCP from allocating IPs
>
>
>
> > Someone could just sniff the traffic, collect some valid MAC addresses
> > and use one of
> > them when some box is down. MAC spoofing is trivial.
> >
> > Regards,
> >
> > --
> > none
> >
> > Hasnain Atique wrote:
> >
> >
> > > My solution was somewhat more elaborate.
> > >
> > > I'd separated the network into sections, each connecting to a "backbone"
> of
>
> > > sorts. Each segment is physically separate with a Linux
> > > router/gateway/firewall linking the section to the backbone. Each Linux
> box
>
> > > knows which MAC addresses are valid within its segment and only allows
> that
>
> > > through to the backbone. DHCP within each segment allocates IP addresses
> to
>
> > > known MACs only.
> > >
> > > Net result is that, unknown MAC addresses firstly don't get a DHCP
> > > allocation, and secondly can't make it outside of the local segment. Even
> if
>
> > > a smart user were to pick and choose an unused IP and used the right
> gateway
>
> > > address, because of MAC filtering they will be limited to the local
> segment.
>
> > > The downside is that every single MAC address has to be known before
> putting
>
> > > this in place (it's easily done with arpwatch), and there will be
> multiple
>
> > > gateways to maintain. But depending on your level of paranoia you'll
> > > probably like it.
> > >
> > > Finally, I certainly wouldn't want to automate the process of learning
> MAC
>
> > > addresses and updating DHCP allocation accordingly. Defeats the entire
> > > purpose!!


--
Gene Yoo, gyoo () attbi com