Hi, I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. To work this around I'm thinking to deploy identd on every client and periodically check against arping sweep to verifiy MAC addresses with users. Does anyone have a suggestion? Regards, Oyku Gencay -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
On Mon, Feb 18, 2002 at 06:16:13PM +0200, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. To work this around I'm thinking to deploy identd on every client and periodically check against arping sweep to verifiy MAC addresses with users. Does anyone have a suggestion?
What do you want to achieve? Adresses being used twice? (Many DHCP servers try a ping on IP address before giving out a lease, and many clients do the same, they check via ARP whether the IP address is not in use by some other host.) Or do you want to prevent people from using addresses they are not supposed to use? Unfortunately, there is no way to enforce an IP, not even the usage of DHCP on a client. DHCP allows for authentication, but AFAIK so far noone hs implemented it. I would run arpwatch. Peter -- VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
Actually I want to prevent two things. Since the installation is done at a collage the users are not considered trustworty. Considering two users A and B with notebooks with ethernet addresses MAC1, MAC2. Each Scenario 1: When user A is not online, user B changes his/her IP to A's IP and tries to hack in. The logs will show that hte user A has tried to do so. Scenario 2: User B tries to disconnect and annoy user A by statically setting his IP to user A's assigned IP. Since the dhcpd server tries to give depending on the MAC address, the user A will never get connected. Isn't this a nice problem :) Peter Poeml wrote:
On Mon, Feb 18, 2002 at 06:16:13PM +0200, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. To work this around I'm thinking to deploy identd on every client and periodically check against arping sweep to verifiy MAC addresses with users. Does anyone have a suggestion?
What do you want to achieve? Adresses being used twice? (Many DHCP servers try a ping on IP address before giving out a lease, and many clients do the same, they check via ARP whether the IP address is not in use by some other host.)
Or do you want to prevent people from using addresses they are not supposed to use?
Unfortunately, there is no way to enforce an IP, not even the usage of DHCP on a client.
DHCP allows for authentication, but AFAIK so far noone hs implemented it.
I would run arpwatch.
Peter
Actually I want to prevent two things. Since the installation is done at a collage the users are not considered trustworty. Unfortunately you can't even trust on MAC addresses - most network adapters allow the user to change the MAC address. Such techniques are not used very often, I think, but it shows you that you are never secure in
On Mon, 18 Feb 2002, Oyku Gencay wrote: this way. Anyway, iptables allows you to filter services per MAC address and some other nice things, but any unauthenticated user should be treated as anonymous, no matter which ip/mac he may be using. Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \
Yes you are right. Even the fact that, this is a controlled environment, I want to do as much check as possible before I accept the user as being anonymous. They also log into a M$ PDC (Samba). MAC check in iptables is not feasible because it means hundreds of lines for each and every package. I think it'd best to check multiple things. MAC, SMB pwd, ident check. Markus Gaugusch wrote:
On Mon, 18 Feb 2002, Oyku Gencay wrote:
Actually I want to prevent two things. Since the installation is done at a collage the users are not considered trustworty.
Unfortunately you can't even trust on MAC addresses - most network adapters allow the user to change the MAC address. Such techniques are not used very often, I think, but it shows you that you are never secure in this way. Anyway, iptables allows you to filter services per MAC address and some other nice things, but any unauthenticated user should be treated as anonymous, no matter which ip/mac he may be using.
Markus
Sounds like you need to do two things: 1 - utilize MAC based vlans on your edge switches. Some vendors allow you to create dynamic MAC based vlans that remain persistent to a port for a definable period of time. 2 - create a script that dhcpd feed and creates static arp entries on the client's local gateways. For additional protection, you can also configure you switches to allow node ports to only speak with gateway ports. This will prevent nodes from speaking with each other. At 09:19 PM 2/18/2002 +0200, Oyku Gencay wrote:
Actually I want to prevent two things. Since the installation is done at a collage the users are not considered trustworty. Considering two users A and B with notebooks with ethernet addresses MAC1, MAC2. Each Scenario 1: When user A is not online, user B changes his/her IP to A's IP and tries to hack in. The logs will show that hte user A has tried to do so. Scenario 2: User B tries to disconnect and annoy user A by statically setting his IP to user A's assigned IP. Since the dhcpd server tries to give depending on the MAC address, the user A will never get connected.
Isn't this a nice problem :)
Peter Poeml wrote:
On Mon, Feb 18, 2002 at 06:16:13PM +0200, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. To work this around I'm thinking to deploy identd on every client and periodically check against arping sweep to verifiy MAC addresses with users. Does anyone have a suggestion? What do you want to achieve? Adresses being used twice? (Many DHCP servers try a ping on IP address before giving out a lease, and many clients do the same, they check via ARP whether the IP address is not in use by some other host.) Or do you want to prevent people from using addresses they are not supposed to use? Unfortunately, there is no way to enforce an IP, not even the usage of DHCP on a client. DHCP allows for authentication, but AFAIK so far noone hs implemented it. I would run arpwatch. Peter
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- brandon@2i.com
Brandon Hines wrote:
Sounds like you need to do two things:
1 - utilize MAC based vlans on your edge switches. Some vendors allow you to create dynamic MAC based vlans that remain persistent to a port for a definable period of time.
already done that, still looking for how to impement time limit
2 - create a script that dhcpd feed and creates static arp entries on the client's local gateways.
hmm. sounds nice.
For additional protection, you can also configure you switches to allow node ports to only speak with gateway ports. This will prevent nodes from speaking with each other.
they need to talk to each other
At 09:19 PM 2/18/2002 +0200, Oyku Gencay wrote:
Actually I want to prevent two things. Since the installation is done at a collage the users are not considered trustworty. Considering two users A and B with notebooks with ethernet addresses MAC1, MAC2. Each Scenario 1: When user A is not online, user B changes his/her IP to A's IP and tries to hack in. The logs will show that hte user A has tried to do so. Scenario 2: User B tries to disconnect and annoy user A by statically setting his IP to user A's assigned IP. Since the dhcpd server tries to give depending on the MAC address, the user A will never get connected.
Isn't this a nice problem :)
Peter Poeml wrote:
On Mon, Feb 18, 2002 at 06:16:13PM +0200, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. To work this around I'm thinking to deploy identd on every client and periodically check against arping sweep to verifiy MAC addresses with users. Does anyone have a suggestion?
What do you want to achieve? Adresses being used twice? (Many DHCP servers try a ping on IP address before giving out a lease, and many clients do the same, they check via ARP whether the IP address is not in use by some other host.) Or do you want to prevent people from using addresses they are not supposed to use? Unfortunately, there is no way to enforce an IP, not even the usage of DHCP on a client. DHCP allows for authentication, but AFAIK so far noone hs implemented it. I would run arpwatch. Peter
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- brandon@2i.com
On Monday 18 February 2002 07:16 am, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. T
The dhcp standard requires the server to see if the ip is in use (by pinging it) prior to issuing any given ip. So if they just assign an ip chances are it will be available and not issued by the dhcp server as long as.. 1) the laptops were on first before any dynamic ip stations 2) you give a long lease time (several days). This is so because the same mac address will get the same ip unless the lease has expired and it was handed out to another machine. (At least this is whats supposed to happen according to the rfc). If the lease has not expired - or - the box with the static is already on, there will be no problem. However, if dhcpd gives an ip and THEN another user turns on a laptop that has that IP hardcoded then there is trouble. For this reason, its better to use static ips only for servers (print server boxes, file servers, etc) and have lap tops get dynamic ips. The servers are more likely to be on before the dhcp server starts issuing leases. Hard coded ips are more appropriate for server type machines than laptops. (BTW windows defaults to dunamic ips, you have to go to some trouble to get static ones). Failing that, just reserve an IP range for machines with hard coded ips. Why do the laptops need hard coded IPs? -- _________________________________ John Andersen / Juneau Alaska
Hi, Laptop's do not require hard coded IP, but I want to relate IP's with MACS to be able to easily track logs. Also I didn't see how I can assign a pool of IP to a set of MAC addresses. Servers sure have static IPs. John Andersen wrote:
On Monday 18 February 2002 07:16 am, Oyku Gencay wrote:
Hi,
I wonder if any of you has faced such a problem. We have deployed a DHCP server and users with their notebooks get their IP from DHCP depending on the MAC address of the ethernets. However, I could not find any way to determine that each users will get their assigned IP if they set up their IP statically for their W2K. T
The dhcp standard requires the server to see if the ip is in use (by pinging it) prior to issuing any given ip.
So if they just assign an ip chances are it will be available and not issued by the dhcp server as long as.. 1) the laptops were on first before any dynamic ip stations 2) you give a long lease time (several days).
This is so because the same mac address will get the same ip unless the lease has expired and it was handed out to another machine. (At least this is whats supposed to happen according to the rfc). If the lease has not expired - or - the box with the static is already on, there will be no problem.
However, if dhcpd gives an ip and THEN another user turns on a laptop that has that IP hardcoded then there is trouble.
For this reason, its better to use static ips only for servers (print server boxes, file servers, etc) and have lap tops get dynamic ips. The servers are more likely to be on before the dhcp server starts issuing leases. Hard coded ips are more appropriate for server type machines than laptops. (BTW windows defaults to dunamic ips, you have to go to some trouble to get static ones).
Failing that, just reserve an IP range for machines with hard coded ips.
Why do the laptops need hard coded IPs?
Hi, On 19-Feb-02 Oyku Gencay wrote:
Hi, Laptop's do not require hard coded IP, but I want to relate IP's with MACS to be able to easily track logs. Also I didn't see how I can assign a pool of IP to a set of MAC addresses. Servers sure have static IPs.
Another open point for me. How can an linuxbased dhcp-server authorized in the
AD (Active Directory) when W2K is running on the notebook or within the lan.
I've learned that W2K disallow the function of dhcp-servers when it doesn't
authorized in AD.
Regards,
Ruprecht
----------------------------------
E-Mail: Ruprecht Helms
participants (6)
-
Brandon Hines
-
John Andersen
-
Markus Gaugusch
-
Oyku Gencay
-
Peter Poeml
-
Ruprecht Helms