Re: Blocking access to network via IP/MAC/dhcpd?
Old 11-26-2007
Jefferson Ogata

On 2007-11-26 00:33, Amadeus wrote:
> I could force a MAC address to use a specific IP in dhcpd, but again,
> they could just configure their IP manually.


Well, if you *could* be doing this, then you already *should* be doing
this. If you know which systems are supposed to be on your network, it's
only sensible to preallocate the IPs so that when a packet comes along
you know which system it's supposed to be from without having to dig
through the DHCP leases. The data is already there in the leases; just
transfer it to the config.

> Do you have any suggestions for this problem?


Associate fixed IPs with every box in the DHCP config as discussed
above, then assign a static arp entry for every legitimate IP, then
disable native arp.

If your users change MACs, then the firewall won't be able to talk to
them. The weakness is then that if a box is offline, they can borrow its
MAC and IP combination, if they know it.

The catch is I'm not sure whether you can disable native arp on NetBSD.
If not, you could use arpwatch to trigger a script to blackhole any new
MACs that show up.

Another suggestion: make users sign an acceptable use policy in exchange
for access, and report violators to management. Enforceable policy is
always an effective alternative where technical methods fail.

Or there's always IPsec.

Or what Darren said.

--
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
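The three technical steps in the post (fixed addresses in the DHCP config, a static ARP entry per legitimate IP, and an arpwatch-triggered script for anything new) can all be driven from one inventory of known boxes. The script below is an added example written for this page, not code from the post or from any of the tools it names. The inventory is constructed sample data; the interface name ex0, the 192.168.1.0/24 subnet and the file paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: build the pieces the post describes
# from a single host inventory. The inventory, the interface name ex0 and the
# subnet below are constructed/assumed.

IFACE=ex0                       # assumed NetBSD interface facing the users

# Constructed inventory: hostname, MAC, fixed IP (one box per line).
INVENTORY='
alice-pc 00:11:22:33:44:55 192.168.1.10
bob-pc   00:11:22:33:44:66 192.168.1.11
printer  00:11:22:33:44:77 192.168.1.20
'

# Step 1: dhcpd.conf fragment. Every box gets a host stanza with a fixed
# address and the subnet refuses leases to MACs it has never heard of. This
# only controls what the server hands out; a hand-configured IP bypasses it,
# which is why steps 2 and 3 exist.
gen_dhcpd_hosts() {
    printf 'subnet 192.168.1.0 netmask 255.255.255.0 {\n'
    printf '    option routers 192.168.1.1;\n'
    printf '    deny unknown-clients;\n'
    printf '}\n'
    printf '%s\n' "$INVENTORY" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Step 2: static ARP table in the "hostname ether_addr" form that BSD
# arp -f reads, so the firewall's ARP cache is pinned to the known pairs.
gen_arp_file() {
    printf '%s\n' "$INVENTORY" | awk 'NF == 3 { print $3, $2 }'
}

# Zero-pad and lower-case a MAC. arpwatch reports print octets without
# leading zeros (0:11:22:33:44:88), which would never match the inventory.
norm_mac() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    out=
    for octet in "$@"; do
        out="$out${out:+:}$(printf '%02x' "$((0x$octet))")"
    done
    printf '%s\n' "$out"
}

# Succeeds only when the exact MAC/IP pair is in the inventory. A known MAC on
# a different IP, or a known IP on a different MAC, counts as unknown.
is_known_station() {
    printf '%s\n' "$INVENTORY" | awk -v mac="$1" -v ip="$2" '
        $2 == mac && $3 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# IPFilter rule that drops traffic from an address we do not recognise.
blackhole_rule() {
    printf 'block in quick on %s from %s/32 to any\n' "$IFACE" "$1"
}

# Step 3: arpwatch hook. arpwatch's -s option substitutes a program for
# sendmail, so pointing it at this script delivers each report on stdin.
# Emits a block rule when the reported MAC/IP pair is not in the inventory.
station_hook() {
    report=$(cat)
    ip=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*ip address:[[:space:]]*//p' | head -n 1)
    mac=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*ethernet address:[[:space:]]*//p' | head -n 1)
    if [ -z "$ip" ] || [ -z "$mac" ]; then
        echo "station_hook: no ip/ethernet address in report" >&2
        return 2
    fi
    mac=$(norm_mac "$mac")
    if is_known_station "$mac" "$ip"; then
        return 0
    fi
    blackhole_rule "$ip"
}
```

Usage: append the output of gen_dhcpd_hosts to dhcpd.conf, write gen_arp_file to a file and load it with arp -f, and run arpwatch with -s pointing at a wrapper that calls station_hook and feeds the printed rule to ipf -f (the wrapper is assumed to ignore the sendmail-style arguments arpwatch passes it). Two caveats follow directly from the post: the hook only fires on what arpwatch reports, so someone borrowing the MAC and IP of a box that is offline produces nothing to act on, and the rule blocks the IP, not the MAC, so an intruder who hops to another address generates another report rather than being stopped at layer 2.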