From owner-freebsd-security@FreeBSD.ORG Tue Apr 6 06:33:03 2004
Message-ID: <4072B148.20303@xsb.com>
Date: Tue, 06 Apr 2004 09:31:52 -0400
From: Christopher Rued
To: Dan Ros
cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, Adrian Penisoara
Subject: Re: Controlling access at the Ethernet level
List-Id: Security issues [members-only posting]

Dan Ros wrote:

>> -----Original Message-----
>> From: Adrian Penisoara [mailto:ady@freebsd.ady.ro]
>>
>> We are facing service theft through impersonation, either solely IP
>> or both IP and Ethernet MAC address. Securing IP access was solved
>> using a static ARP scheme (we used "staticarp" for the internal gateway
>> interface and tied to it a fixed list of IP/MAC tuples), but some of
>> the clients learnt how to change both the IP and the MAC.
> ...
>
> This sounds like a university residential halls network, am I right?
>
> For what it's worth, the university I attend has tried both DHCP by mac
> address, static arp and so on. Eventually now they have given up and the
> cost of the network connection is simply included in the rent for the room.
> That way they do not have to worry about unauthorised access.

I just had a simple thought: can you just physically unplug the network
cable for the particular room from your router? You can't steal service
w/out link. Not as nice as a programmatic solution, but probably as
effective; I guess you'd just have to make sure each cable is labeled.

Of course, this wouldn't prevent people from giving access to the friends
next door if they have their own router. And, I suppose, if someone *really*
wanted to steal internet access, they could open the wall and access the
incoming cable to the room next door, and install a router secretly.

--Chris
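As an added example (not part of the thread or anyone's posted code), a small sh audit that compares a gateway's ARP table against the fixed IP/MAC list Adrian describes, reporting the "changed both IP and MAC" case as a MAC that now answers for two addresses. The sample data are constructed and the `arp -an` line format is assumed from FreeBSD's arp(8), not captured from a real network.

```shell
#!/bin/sh
# Added example: audit a FreeBSD ARP table against the fixed list of allowed
# IP/MAC tuples. All data below is constructed; the "arp -an" line format is
# assumed from arp(8), not captured live.

# Allowed tuples, one "IP MAC" per line (constructed).
ALLOWED='192.0.2.10 00:11:22:33:44:01
192.0.2.11 00:11:22:33:44:02
192.0.2.12 00:11:22:33:44:03'

# What "arp -an" might print on the gateway (constructed sample).
ARP_SAMPLE='? (192.0.2.10) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (192.0.2.11) at 00:11:22:33:44:99 on em0 expires in 1180 seconds [ethernet]
? (192.0.2.12) at 00:11:22:33:44:01 on em0 expires in 600 seconds [ethernet]
? (192.0.2.50) at 00:11:22:33:44:50 on em0 expires in 900 seconds [ethernet]
? (192.0.2.60) at (incomplete) on em0 expired [ethernet]'

# audit_arp ALLOWED_LIST ARP_OUTPUT
# Prints one finding per line and returns 1 if any were found, else 0:
#   MISMATCH      IP is registered but answers from a different MAC
#   UNKNOWN       IP is not in the registered list at all
#   DUPLICATE_MAC one MAC answers for several IPs (a cloned neighbour's
#                 MAC that has also taken a second address)
audit_arp() {
    printf '%s\n' "$2" | awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] == "") continue
                split(lines[i], f, " "); want[f[1]] = f[2]
            }
        }
        {
            ip = $2; gsub(/[()]/, "", ip); mac = $4
            if (mac == "(incomplete)") next   # unresolved entry, nothing to judge
            if (!(ip in want))        { print "UNKNOWN " ip " " mac; bad = 1 }
            else if (want[ip] != mac) { print "MISMATCH " ip " expected " want[ip] " saw " mac; bad = 1 }
            count[mac]++; ips[mac] = ips[mac] " " ip
        }
        END {
            for (m in count)
                if (count[m] > 1) { print "DUPLICATE_MAC " m ips[m]; bad = 1 }
            exit bad + 0
        }'
}

if audit_arp "$ALLOWED" "$ARP_SAMPLE"; then
    echo "ARP table matches the registered list"
else
    echo "violations found; check the ports behind the entries above"
fi
```

On a real gateway, replace ARP_SAMPLE with the output of `arp -an` and ALLOWED with the same tuple file the static ARP scheme uses, so a mismatch points at the port to disconnect.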