From: Sten Daniel Sørsdal
Date: Fri, 24 Mar 2006 10:40:00 +0100
To: Mark Jayson Alvarez
Cc: freebsd-net@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??
Message-ID: <4423BE70.2010807@wm-access.no>
In-Reply-To: <20060324060140.86793.qmail@web51615.mail.yahoo.com>
Mark Jayson Alvarez wrote:
> Good day,
>
> We are trying to reorganize our local area network and I need some tips on how you are managing your own LAN...
>
> We have a vanilla PC router with one interface facing our private LAN and one interface facing the Internet.
>
> One problem which we are experiencing right now is that any user from the private LAN can use any IP address he wants. If he boots his computer with a stolen IP address, the poor owner of that machine (not active at the moment) will automatically give up his IP address to this user. The same scenario for public IP addresses. Basically, we need to track down the users through their IP address.. But this is trivial as of now since anyone can use any IP he wants. Even if there is a solution out there to tie up his MAC address to his IP address.. (sort of checking the MAC first before giving him an IP, possibly through DHCP..) still, users can just download applications which will enable him to change his MAC address....
>
> Now, we're thinking about authenticating users before he is allowed to use a particular network service (internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when after all, the reason why he is plugging his LAN card into the network is to use a particular service. However, it still doesn't keep them from playing around and stealing other IP addresses or MAC addresses and thus denying network access to those legitimate owners.
>
> Any idea how to handle these situations??
> Thanks...

If it's a service provider scenario I would employ VLANs. One VLAN to each customer. Providing network or Internet service costs more than your typical small company network. Each customer should get his/her own dedicated "line" so to speak.

I would most likely employ /30 networks (or larger) to each customer as this would be the most solid way to do it. This goes for public IP addresses as well. You could bridge the VLANs but this will give you grief and if not done right will leave you back at square one.

Some would say PPPoE, which is a fine solution. It comes with its own set of challenges. Many idiotic hobby "admins" out there block ICMP altogether. Some even drop fragments.

But managed VLAN switches are becoming quite affordable these days. Not only would they help you track down a "sinner" within minutes (instead of hours, if not days). They often come with more than adequate SNMP support so you can do real monitoring (even the low end ones).

-- 
Sten Daniel Sørsdal
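One way to express the per-customer VLAN and /30 plan Sten recommends, and the source-address check a router can then apply on each VLAN so that an address stolen from another customer is simply not valid where the thief sits, as an added example that is not code from the original thread. The customer names, the 10.10.0.0/24 parent block, the VLAN numbering from 101 and the sample frames are all constructed assumptions.

```python
"""Per-customer VLAN + /30 addressing plan and per-VLAN source check.

Added example, not from the thread. The parent block, customer names,
VLAN numbering and sample frames below are constructed for illustration.
"""
import ipaddress


def build_plan(parent, customers, first_vlan=101):
    """Allocate one VLAN id and one /30 per customer out of `parent`.

    Returns {vlan_id: {"customer", "subnet", "gateway", "host"}}; the
    first usable address is the router side, the second is the customer.
    """
    blocks = ipaddress.ip_network(parent).subnets(new_prefix=30)
    plan = {}
    for i, name in enumerate(customers):
        try:
            sub = next(blocks)
        except StopIteration:
            raise ValueError(f"{parent} has no free /30 for {name}")
        gateway, host = list(sub.hosts())  # a /30 has exactly two usable hosts
        plan[first_vlan + i] = {"customer": name, "subnet": sub,
                                "gateway": gateway, "host": host}
    return plan


def source_allowed(plan, vlan_id, src_ip):
    """True only if src_ip is the customer address assigned to that VLAN.

    A host that boots with another customer's IP (or the gateway's) fails
    here because its frames arrive on a VLAN whose /30 does not contain it.
    """
    entry = plan.get(vlan_id)
    return entry is not None and ipaddress.ip_address(src_ip) == entry["host"]


def audit(plan, frames):
    """frames: iterable of (vlan_id, src_ip) seen at the router.

    Returns (vlan_id, customer, src_ip) for every frame that fails the
    check; the VLAN id already names the customer port to look at.
    """
    return [(v, plan[v]["customer"] if v in plan else None, ip)
            for v, ip in frames if not source_allowed(plan, v, ip)]


# Constructed sample: three customers, then bob tries alice's address and
# carol tries her own gateway address.
CUSTOMERS = ["alice", "bob", "carol"]
PLAN = build_plan("10.10.0.0/24", CUSTOMERS)
SAMPLE_FRAMES = [(101, "10.10.0.2"), (102, "10.10.0.6"),
                 (102, "10.10.0.2"), (103, "10.10.0.9")]
```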