Re: NIS/NFS alternatives? - dhcp - exactly
hi ya miquel
yes !!! i agree ...
> > if one has a class-C ip# ..and only using 20 ip# out of the range..
> > it is easy for someone to plug in an unauthorised machine into
> > your network... and sniff anything they like..
> You don't need an IP number to sniff the network. If someone can
> plug in to your network you're compromised anyway.
yes ... i agree...
> > - laptops being plugged in w/ security audit is a prime example
> > of someone plugging stuff in w/o telling anybody
> > - the laptops could have been hacked while on the home lan
> > and now gets to transfer itself to the secure office lan
> > - so to prevent that... i disable dhcp ... and use the proper
> > broadcast and netmasks needed to eliminate un-used ip# that
> > could be used by floating laptops
> If you use 20 out of 32 IP addresses, the attacker can still guess
> an IP number by listening for ARP requests and guessing which
> range you use. It's simple. Even if you use the whole range there's
> always one PC or laptop turned off so that its IP address is free.
i like having all laptops on their own private lan ... that can't
be sniffing the main traffic...
yes ... the attacker/cracker/curiousity seeker can do anything
to poke around ...
- if they are on site ... you're sorta compromised anyway ...
- most compromises are internal ( employees by accident or
unknowing/clueless employee and sometimes purposely )..
i typically wanna minimize the risk from tom/dick/harry that works
his laptop at home and brings into work ... and unknowingly installs
all kinds of "hacker toys"... in the corp lan...
not easy to do without annoying a few along the way...
am more worried about
nothing much we can do about knowledgeable or determined [cr/h]ackers..
unless the budget is in place to defend against them ...
there is plenty common sense things to do to minimize the generic
script kiddies and generic "clueless secretaries/ceo/managers" ...
to protect the company's data/budget/costs from themselves...
anyway ... i think its fun stuff....
- we wont even get into wireless hubs ... more problems... :-)
> Even if you use a switch and put MAC address filters on the
> switch an attacker can simply unplug an existing PC / laptop
> and take over its MAC address.
> Turning off DHCP will help against clueless users that plug in a
> laptop but those aren't the hackers you're trying to guard against.
> Basically what you are now talking about is physical,
> on-site security.
> Move sig.
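
The thread's points about free addresses and MAC takeover, turned into a defender's check (an added example, not part of the original messages): compare MAC/IP/port sightings against a static inventory and flag what does not match. The inventory, the 192.168.10.0/27 block, the port names and the `audit` function are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the thread): MAC -> (static IP, switch port).
INVENTORY = {
    "00:16:3e:00:00:01": ("192.168.10.1", "sw1/1"),
    "00:16:3e:00:00:02": ("192.168.10.2", "sw1/2"),
    "00:16:3e:00:00:03": ("192.168.10.3", "sw1/3"),
}
# Assumed address block: 32 addresses, only some of them assigned.
ALLOCATED = ipaddress.ip_network("192.168.10.0/27")

# Constructed sightings (mac, ip, port), as an ARP monitor plus switch tables might report.
OBSERVED = [
    ("00:16:3e:00:00:01", "192.168.10.1", "sw1/1"),   # matches the inventory
    ("00:16:3e:00:00:02", "192.168.10.2", "sw1/7"),   # known MAC, different port
    ("02:aa:bb:cc:dd:ee", "192.168.10.25", "sw1/9"),  # unknown MAC on an unused address
    ("02:AA:BB:CC:DD:01", "192.168.10.3", "sw1/9"),   # unknown MAC on an assigned address
    ("00:16:3e:00:00:03", "192.168.10.3", "sw1/3"),   # matches the inventory
]

def audit(observed, inventory=INVENTORY, allocated=ALLOCATED):
    """Return (finding, mac, ip, port) tuples for sightings that disagree with the inventory."""
    ip_owner = {ip: mac for mac, (ip, _port) in inventory.items()}
    findings = []
    for mac, ip, port in observed:
        mac = mac.lower()
        if mac not in inventory:
            if ip in ip_owner:
                kind = "unknown-mac-using-assigned-ip"
            elif ipaddress.ip_address(ip) in allocated:
                kind = "unknown-mac-on-free-ip"
            else:
                kind = "unknown-mac-outside-block"
            findings.append((kind, mac, ip, port))
            continue
        want_ip, want_port = inventory[mac]
        if ip != want_ip:
            findings.append(("known-mac-wrong-ip", mac, ip, port))
        if port != want_port:
            # A known MAC on another port is what a cloned MAC looks like unless the
            # machine was moved. A clone plugged into the original port is not visible here.
            findings.append(("known-mac-moved-port", mac, ip, port))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(*finding)
```
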