
Re: checking the not allowed changing of IP's



Hi

On Tue, Oct 16, 2001 at 07:22:31AM -0400, Josh Rollyson wrote:
> On Fri, Oct 12, 2001 at 12:51:27PM +0200, Szabó Tamás wrote:
> > Hi!
> > 
> > The scenario is the following:
> > 
> > We got a LAN which consists of several hosts running windows
> > 2000 and one running Debian 2.2rev3(kernel 2.2.19). This
> > Debian has an extra interface through which is connected to
> > the ISP.
> > 
> > The internal hosts should have access to the internet(only
> > to a few services) through proxies running on the Debian
> > machine.
> > 
> > This simple configuration is set up and running.
> > 
> > The logging of the internet activity is done based on the IP
> > addresses, so our policy doesn't allow changing of IP
> > addresses. But currently there will be no notification of
> > the fact if someone changes its IP. So I'm looking for a
> > solution for this...
> > 
> > Are there some nice utilities for this?
> > 
> > I could write a script and put it in crontab to check the ARP-IP
> > association of hosts periodically.
> > But probably there are already some written, tested utilities out there.
> > Right?
> > 
> > Another thought:
> > As I know in Linux I can use whatever MAC address I want(ifconfig allows
> > me to choose one). I know that this is not really a Debian question but
> > does somebody know if this is possible in win2000 too?
> > If yes then this method of checking the ARP-IP association won't be
> > reliable.
> Some network cards won't allow this, and afaik no winblows product will.
> 
> A switch with static arp tables is a more drastic solution if
> you really need this kind of spoofed IP protection. That way
> each machine has its own port on the switch, which only allows
> the MAC address for that machine and that machine only on that
> port.  You would probably be well advised to set up static ARP
> tables on the firewall as well (just be aware that if you
> change a network card you have to update this :)

> As others have suggested, arpwatch is also a good idea.
> > 
> > Is there another way to check if someone changed its IP?
> See above.

Why not use usernames to allow/deny services instead of IP
addresses?  Then you avoid the whole problem of people changing
IP addresses and get rid of the incentive too.  (The only
problem with this is that you increase the incentive for
sniffing, which can be done on switches if you spoof MAC
addresses and your switch isn't configured to use a static arp
table.)

Squid supports authentication based on user/pass, and other
proxies often do too.

-- 
Michael Wood
mwood@its.uct.ac.za
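The cron-driven ARP-to-IP check the original poster considered, as an added example that is not from anyone in this thread: it compares a known-good IP/MAC baseline against the kernel ARP table in /proc/net/arp format and reports changed or unknown entries. The baseline and ARP snapshot below are constructed samples; in cron you would pass /proc/net/arp as the second argument.

```shell
#!/bin/sh
# Added example: flag hosts whose MAC no longer matches the baseline, or
# IPs that are not in the baseline at all. Assumes /proc/net/arp layout.

# Baseline of "IP MAC" pairs, one per line (constructed sample).
BASELINE_SAMPLE='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.12 00:11:22:33:44:77'

# Constructed ARP snapshot: .11 now answers from a different MAC, .13 is
# not in the baseline, 10.0.0.1 is an incomplete (flags 0x0) entry.
ARP_SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.11     0x1         0x2         00:11:22:33:44:99     *        eth0
192.168.1.13     0x1         0x2         00:11:22:33:44:88     *        eth0
10.0.0.1         0x1         0x0         00:00:00:00:00:00     *        eth0'

# arp_check BASELINE_FILE ARP_FILE
# Prints "CHANGED ip old_mac new_mac" or "UNKNOWN ip mac" per anomaly.
# Incomplete entries (flags 0x0) are skipped; MACs compared case-insensitively.
arp_check() {
    awk '
        NR == FNR { want[$1] = tolower($2); next }   # first file: baseline
        FNR == 1 { next }                             # skip /proc header line
        $3 == "0x0" { next }                          # unresolved entry
        {
            ip = $1; mac = tolower($4)
            if (ip in want) {
                if (want[ip] != mac) print "CHANGED", ip, want[ip], mac
            } else {
                print "UNKNOWN", ip, mac
            }
        }' "$1" "$2"
}

# Run the check against the constructed samples and return its output.
run_sample() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$BASELINE_SAMPLE" > "$b"
    printf '%s\n' "$ARP_SAMPLE" > "$a"
    arp_check "$b" "$a"
    rm -f "$b" "$a"
}
run_sample
```

As the thread notes, this only sees what the ARP table reports, so a host that changes both its IP and its MAC will not be caught; static ARP entries or per-port MAC restrictions on the switch are the stronger control.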


