Date: Fri, 24 Mar 2006 09:30:48 +0300
From: Eygene Ryabinkin <rea-fbsd@rea.mbslab.kiae.ru>
To: Mark Jayson Alvarez <jay2xra@yahoo.com>
Cc: freebsd-net@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??
Message-ID: <20060324063048.GA10114@rea.mbslab.kiae.ru>
In-Reply-To: <20060324060140.86793.qmail@web51615.mail.yahoo.com>
References: <20060324060140.86793.qmail@web51615.mail.yahoo.com>

> One problem which we are experiencing right now is that any user from the private lan can use any ip address he wants. If he boots his computer with a stolen ip address, the poor owner of that machine (not active at the moment) will automatically give up his ip address to this user. The same scenario applies to public ip addresses. Basically, we need to track down the users through their ip address. But this is trivial as of now since anyone can use any ip he wants. Even if there is a solution out there to tie his mac address to his ip address (sort of checking the mac first before giving him an ip, possibly through dhcp), still, users can just download applications which will enable them to change their mac address.

The trivial solution will be to install arpwatch and statically bind users' MACs to their IPs via /etc/ethers (man 5 ethers). It will not prevent smart users from stealing IPs, because it is trivial to change the host MAC, but it will provide mild protection.

> Now, we're thinking about authenticating users before they are allowed to use a particular network service (internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when, after all, the reason why he is plugging his lancard into the network is to use a particular service. However, it still doesn't keep them from playing around and stealing other ip addresses or mac addresses and thus denying network access to their legitimate owners.

Together with arpwatch and static MAC-IP binding, authentication will provide somewhat stronger protection. You can try to isolate users from each other with VPN channels that will require knowledge of the auth token and not only the IP-MAC pair that is visible over the network. This solution looks a bit heavy to me, but maybe it will be good for you.

-- 
Eygene
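
The MAC-IP binding check discussed in the reply above, as an added example that is not part of the original message: it compares an ethers(5)-style table with ARP cache output and reports pairs that disagree. The addresses, the interface name and the function names are constructed for illustration, and the ARP lines assume the layout printed by `arp -an` on FreeBSD.

```python
import re

# Constructed sample data (not from the original message).
ETHERS = """\
# ethers(5): <ethernet-address> <hostname-or-IP>
00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.11
"""
ARP_OUTPUT = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em0 [ethernet]
? (192.168.1.11) at 00:aa:bb:cc:dd:ee on em0 [ethernet]
? (192.168.1.12) at 00:11:22:33:44:55 on em0 [ethernet]
? (192.168.1.13) at (incomplete) on em0 [ethernet]
"""

# Matches "(ip) at mac "; unresolved "(incomplete)" entries do not match.
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{11,17}) ")

def norm_mac(mac):
    """Normalise a MAC so 0:1:2:a:b:c and 00:01:02:0A:0B:0C compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_ethers(text):
    """Return {ip: mac} from ethers(5)-style lines, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[1]] = norm_mac(fields[0])
    return table

def audit(ethers_text, arp_text):
    """Compare observed ARP entries with the registered bindings."""
    registered = parse_ethers(ethers_text)
    owner_of = {mac: ip for ip, mac in registered.items()}
    findings = []
    for ip, mac in ARP_LINE.findall(arp_text):
        mac = norm_mac(mac)
        if ip in registered and registered[ip] != mac:
            findings.append(("ip-claimed-by-other-mac", ip, mac))
        elif ip not in registered and mac in owner_of:
            findings.append(("registered-mac-on-other-ip", ip, mac))
        elif ip not in registered:
            findings.append(("unregistered-host", ip, mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit(ETHERS, ARP_OUTPUT):
        print(f"{kind}: {ip} is at {mac}")
```

As the reply notes, a host that copies both the IP and the MAC of a registered machine produces a matching pair and passes this comparison, which is why it is paired with authentication.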