From: "Chad Leigh -- Shire.Net LLC"
Date: Thu, 23 Mar 2006 23:52:55 -0700
To: Mark Jayson Alvarez
Cc: questions@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??

On Mar 23, 2006, at 11:25 PM, Mark Jayson Alvarez wrote:

> Good day,
>
> We are trying to reorganize our local area network and I need
> some tips on how you are managing your own lan...
>
> We have a vanilla pc router with interface facing our private lan
> and interface facing the Internet.
>
> One problem which we are experiencing right now is that any user
> from private lan can use any ip address he wants. If he boots his
> computer with a stolen ip address, the poor owner of that machine
> (not active at the moment) will give automatically up his ip
> address to this user. The same scenario for public ip addresses.
> Basically, we need to track down the users through their ip
> address.. But this is trivial as of now since anyone can use any ip
> he wants. Even if there is a solution out there to tie up his mac
> address to his ip address..(sort of checking the mac first before
> giving him an ip, possibly through dhcp..) still, users can just
> download applications which will enable him to change his mac
> address....
>
> Now, we're thinking about authenticating users before he is
> allowed to use a particular network service (internet proxy, mail
> etc.) because I guess it is a clever way of keeping the bad users
> from doing something bad within your network when after all, the
> reason why he is plugging his lancard to the network is to use a
> particular service. However, it still doesn't keep them from
> playing around and steal other ip addresses or mac addresses and
> thus denying network access to those legitimate owners. I'm
> thinking about tying dhcp with authentication, and freeradius comes
> to mind.. I just need some more tips from you. User's workstations
> are mixed Windows and *nixes. Some have laptops with wireless
> interfaces.
>
> Any idea how to handle these situations??

Why do you have bad users? (I assume this is some sort of company?) Set a policy and punish those that screw around. Most companies I have seen do not give admin privileges to the users so the user cannot change his IP or MAC address and if you force them to use DHCP you can also tie the MAC to the IP.

This is not a technical problem per se but an administrative policy problem.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
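
A check an administrator could run on the router to spot the address takeover described in the question, as an added example that is not part of the original thread: it compares FreeBSD `arp -an` output with a list of assigned IP-to-MAC bindings. The sample ARP lines, the bindings and the function names are constructed for illustration.

```python
import re

# Constructed sample of FreeBSD `arp -an` output (all addresses are made up).
SAMPLE_ARP = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em0 expires in 1180 seconds [ethernet]
? (192.168.1.11) at 00:11:22:33:44:99 on em0 expires in 904 seconds [ethernet]
? (192.168.1.13) at (incomplete) on em0 expired [ethernet]
? (192.168.1.40) at 00:11:22:33:44:66 on em0 expires in 611 seconds [ethernet]
"""

# Constructed IP -> MAC assignments, e.g. the fixed leases handed out by DHCP.
BINDINGS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
    "192.168.1.12": "00:11:22:33:44:77",
}

ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}) ")

def normalize(mac):
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))  # 0:a:.. -> 00:0a:..

def parse_arp(text):
    """Return {ip: mac} for resolved entries; '(incomplete)' lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize(m.group("mac"))
    return table

def audit(arp_text, bindings):
    """List (kind, ip, observed_mac, ip_assigned_to_that_mac) for every mismatch."""
    owner_of = {normalize(mac): ip for ip, mac in bindings.items()}
    findings = []
    for ip, mac in sorted(parse_arp(arp_text).items()):
        expected = bindings.get(ip)
        if expected is None:
            # IP has no binding: a known machine that moved, or an unknown one.
            kind = "moved" if mac in owner_of else "unassigned"
        elif normalize(expected) == mac:
            continue  # IP is held by the machine it was assigned to
        else:
            kind = "conflict"  # assigned IP answered by a different MAC
        findings.append((kind, ip, mac, owner_of.get(mac)))
    return findings

if __name__ == "__main__":
    for kind, ip, mac, assigned_ip in audit(SAMPLE_ARP, BINDINGS):
        print(f"{kind}: {ip} is at {mac} (IP assigned to that MAC: {assigned_ip})")
```

A machine that also copies the owner's MAC address passes this check, which is the limitation the question itself raises.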