From owner-freebsd-isp@FreeBSD.ORG Sun Apr 4 12:12:20 2004
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sun, 04 Apr 2004 15:12:06 -0400
To: Adrian Penisoara
Cc: freebsd-isp@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level
Message-ID: <40705E06.3000401@mac.com>
In-Reply-To: <0A87E4EB-8665-11D8-9004-000A95776E22@freebsd.ady.ro>
List-Id: Internet Services Providers

Adrian Penisoara wrote:
> We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved using
> a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of the
> clients learnt how to change both the IP and the MAC.
> [ ... ]
> What would you recommend? Are there any other elegant solutions?

A pair of wirecutters is a cheap and elegant solution. People who violate your network security policy get disconnected until they learn to behave. :-)

You've described the problem in some detail, but you haven't said much about your role or the role of the people playing games: are you and they employees of the same company, or are you offering network services to other companies?

If it's the former, you need to have management involved: management needs to be willing to warn and (if need be) terminate people. If management isn't willing to back you up, don't bother wasting your time trying to solve this problem.

If it's the latter, make each company responsible for the data coming from their network ports: bill them for whatever traffic goes by, and tell them to clean up their own messes if they don't like the costs associated with the problems their employees are causing.

-- 
-Chuck