Mailinglist Archive: opensuse-security (685 mails)
RE: [suse-security] DHCP and windows clients
- From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
- Date: Tue, 19 Feb 2002 06:19:09 +0100
- Message-id: <96C102324EF9D411A49500306E06C8D1A56D66@xxxxxxxxxxxxxxxxx>
> on the MAC address of the ethernets. However, I could not find any way
> to determine that each users will get their assigned IP if they set up
> their IP statically for their W2K. To work this around I'm thinking to
> deploy identd on every client and periodically check against arping
> sweep to verify MAC addresses with users. Does anyone have a
> suggestion?
Of course dhcpd can't prevent machines from not asking him for addresses. As
for how to prevent use of addresses not issued by DHCP, that's not that
easy. You can't prevent their use unless you control the individual
workstations, which you do not, apparently. So what you really want to do is
make this feat useless. How to achieve this depends on what is interesting
and what is deterring to your users. If it's Internet access or connectivity
across a firewall, for example, you could allow an IP address through the
firewall only if the DHCP server has handed it out (with netfilter, though,
this would be easier accomplished by just matching the MAC addresses). Or
you could write a userland utility that (hopefully aggressively) claims all
IP addresses owned by the local DHCP server and releases them when they are
handed out. This would probably be a little difficult, since close
interaction with dhcpd is required. Or you could use snort or similar and
have it alert on unknown combinations of MAC and IP address and you could
take manual or automatic action.
Just some ideas. Not sure if any of them are recommendable, though.
Tobias
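The "alert on unknown combinations of MAC and IP address" idea from the reply, as an added example that is not part of the original post or of dhcpd/snort: it reads the active bindings from an ISC dhcpd.leases file and the observed neighbours from `ip neigh` output (both are constructed samples here, and the interface name eth0 is an assumption), then reports every observed IP/MAC pair that does not match an active lease, distinguishing an IP that was leased to a different MAC, a known client using an IP it was not leased, and an address not leased at all.

```python
import re
# Constructed samples (not from the original post): an ISC dhcpd.leases file
LEASES = """\
lease 192.168.1.10 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
"""
# ... and `ip neigh` output as seen from the DHCP server's LAN interface.
NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.51 dev eth0 lladdr 00:11:22:33:44:88 STALE
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]+);", re.I)
STATE_RE = re.compile(r"binding state\s+(\w+);")
NEIGH_RE = re.compile(r"(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]+)", re.I)

def parse_leases(text):
    """Return {ip: mac} for leases whose binding state is active."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state, hw = STATE_RE.search(body), HW_RE.search(body)
        if state and hw and state.group(1) == "active":
            leases[ip] = hw.group(1).lower()
    return leases

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` lines that carry a lladdr."""
    return {m.group(1): m.group(2).lower()
            for m in map(NEIGH_RE.match, text.splitlines()) if m}

def find_anomalies(leases, seen):
    """Flag observed IP/MAC pairs that do not match an active lease."""
    mac_to_ip = {mac: ip for ip, mac in leases.items()}
    findings = []
    for ip, mac in sorted(seen.items()):
        if leases.get(ip) == mac:
            continue                      # pair matches its lease
        verdict = ("ip-leased-to-other-mac" if ip in leases else
                   "known-mac-on-unleased-ip" if mac in mac_to_ip else
                   "unleased-ip")
        findings.append((ip, mac, verdict))
    return findings
```

Run periodically against the live lease file and the server's neighbour table, the findings list is what you would feed into an alert or into the manual/automatic action the reply mentions.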