Date: Sun, 04 Apr 2004 15:12:06 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Adrian Penisoara <ady@freebsd.ady.ro>
Cc: freebsd-isp@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <40705E06.3000401@mac.com>
In-Reply-To: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>
References: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>

Adrian Penisoara wrote:
> We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved using
> a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of the
> clients learnt how to change both the IP and the MAC.
[ ... ]
> What would you recommend? Are there any other elegant solutions?

A pair of wirecutters is a cheap and elegant solution. People who violate
your network security policy get disconnected until they learn to behave. :-)

You've described the problem in some detail, but you haven't said much about
your role or the role of the people playing games: are you and they employees
of the same company, or are you offering network services to other companies?

If it's the former, you need to have management involved: management needs to
be willing to warn and (if need be) terminate people. If management isn't
willing to back you up, don't bother wasting your time trying to solve this
problem.

If it's the latter, make each company responsible for the data coming from
their network ports: bill them for whatever traffic goes by, and tell them to
clean up their own messes if they don't like the costs associated with the
problems their employees are causing.

-- 
-Chuck