
Re: checking the not allowed changing of IP's



Michael Wood wrote:
> 
> Hi
> 
> On Tue, Oct 16, 2001 at 07:22:31AM -0400, Josh Rollyson wrote:
> > On Fri, Oct 12, 2001 at 12:51:27PM +0200, Szabó Tamás wrote:
> > > Hi!
> > >
> > > The scenario is the following:
> > >
> > > We got a LAN which consists of several hosts running windows
> > > 2000 and one running Debian 2.2rev3(kernel 2.2.19). This
> > > Debian has an extra interface through which is connected to
> > > the ISP.
> > >
> > > The internal hosts should have access to the internet (only
> > > to a few services) through proxies running on the Debian
> > > machine.
> > >
> > > This simple configuration is set up and running.
> > >
> > > The logging of the internet activity is done based on the IP
> > > addresses, so our policy doesn't allow changing of IP
> > > addresses. But currently there will be no notification of
> > > the fact if someone changes its IP. So I'm looking for a
> > > solution for this...
> > >
> > > Are there some nice utilities for this?
> > >
> > > I could write a script and put it in crontab to check the ARP-IP
> > > association of hosts periodically.
> > > But probably there are already some written, tested utilities out there.
> > > Right?
> > >
> > > Another thought:
> > > As I know in Linux I can use whatever MAC address I want (ifconfig allows
> > > me to choose one). I know that this is not really a Debian question but
> > > does somebody know if this is possible in win2000 too?
> > > If yes then this method of checking the ARP-IP association won't be
> > > reliable.
> > Some network cards won't allow this, and afaik no winblows product will.
> >
> > A switch with static arp tables is a more drastic solution if
> > you really need this kind of spoofed IP protection. That way
> > each machine has its own port on the switch, which only allows
> > the MAC address for that machine and that machine only on that
> > port.  You would probably be well advised to set up static ARP
> > tables on the firewall as well (just be aware that if you
> > change a network card you have to update this :)
> 
> > As other have suggested, arpwatch is also a good idea.
> > >
> > > Is there another way to check if someone changed its IP?
> > See above.
> 
> Why not use usernames to allow/deny services instead of IP
> addresses?  Then you avoid the whole problem of people changing
> IP addresses and get rid of the incentive too.  (The only
> problem with this is that you increase the incentive for
> sniffing, which can be done on switches if you spoof MAC
> addresses and your switch isn't configured to use a static arp
> table.)
> 
> Squid supports authentication based on user/pass, and other
> proxies often do too.
> 
> --
> Michael Wood
> mwood@its.uct.ac.za
> 
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Ah bin, ah said ah bin hornswaggled ahgain !!!!
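The cron-driven ARP/IP check Tamás asks about, and the static-ARP-on-the-firewall suggestion from Josh, as an added example that is not part of the thread: a POSIX sh script for the Debian gateway that compares the kernel's ARP cache (/proc/net/arp) against a baseline file of the IP/MAC pairs the policy permits and reports anything that differs. The baseline path, its "ip mac" line format and the sample data in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): periodic ARP/IP policy check for the
# Debian gateway. Compares the kernel ARP cache against a baseline file of
# allowed "<ip> <mac>" pairs and reports every mapping that differs.
# Assumptions: baseline format "ip mac" per line ('#' comments allowed),
# ARP input in /proc/net/arp format. MACs are compared case-insensitively.
set -eu

# arp_check BASELINE [ARPTABLE]
#   Prints one line per anomaly:
#     MAC-CHANGED <ip> ...   a baseline IP now answers from another card
#     IP-CHANGED  <mac> ...  a known card now uses an IP it is not assigned
#     UNKNOWN     <ip> <mac> a host in neither column of the baseline
#   Returns 1 if anything was printed, 0 if the cache matches the policy.
arp_check() {
    baseline=$1
    arptable=${2:-/proc/net/arp}
    awk '
        # Baseline: remember the MAC expected for each IP and vice versa.
        FILENAME == ARGV[1] {
            if (NF == 0 || $1 ~ /^#/) next
            ip = $1; mac = tolower($2)
            want_mac[ip] = mac
            want_ip[mac] = ip
            next
        }
        # /proc/net/arp: skip the header line and incomplete entries
        # (flags 0x0), whose HW address is all zeros, not a resolved MAC.
        FNR == 1 { next }
        $3 == "0x0" { next }
        {
            ip = $1; mac = tolower($4)
            if (ip in want_mac) {
                if (want_mac[ip] == mac) next
                printf "MAC-CHANGED %s expected %s seen %s\n", ip, want_mac[ip], mac
            } else if (mac in want_ip) {
                printf "IP-CHANGED %s moved from %s to %s\n", mac, want_ip[mac], ip
            } else {
                printf "UNKNOWN %s %s\n", ip, mac
            }
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$baseline" "$arptable"
}

# demo: run arp_check on constructed sample data (no real ARP cache needed).
demo() {
    tmp=$(mktemp -d)
    # Constructed baseline: the IP each card is allowed to use.
    cat >"$tmp/baseline" <<'EOF'
# ip            mac
192.168.1.10    00:50:56:aa:bb:01
192.168.1.11    00:50:56:aa:bb:02
192.168.1.12    00:50:56:aa:bb:03
EOF
    # Constructed /proc/net/arp snapshot: .11 is now answered by .12's card,
    # .11's own card shows up as .13, and .20 is an unresolved entry.
    cat >"$tmp/arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:50:56:AA:BB:01     *        eth0
192.168.1.11     0x1         0x2         00:50:56:aa:bb:03     *        eth0
192.168.1.13     0x1         0x2         00:50:56:aa:bb:02     *        eth0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
    arp_check "$tmp/baseline" "$tmp/arp" || echo "exit status $?"
    rm -rf "$tmp"
}

# Stand-alone use:
#   sh arpcheck.sh demo                    constructed sample above
#   sh arpcheck.sh /etc/arp-baseline       live /proc/net/arp on the gateway
case "${1:-}" in
    demo) demo ;;
    "")   ;;
    *)    arp_check "$1" "${2:-/proc/net/arp}" ;;
esac
```

Run from /etc/crontab as something like `*/5 * * * * root /usr/local/sbin/arpcheck.sh /etc/arp-baseline`; cron mails any output to root, and the non-zero exit status lets a wrapper page someone. arpwatch keeps an equivalent database itself and mails on changes, so this is mainly useful where you want the policy file to be the source of truth. Pinning the same baseline with `arp -s <ip> <mac>` on the firewall stops a spoofed IP from reaching the proxies at all, but as Josh says it must be updated whenever a card is swapped. The thread's caveat stands: both the check and the static entries only catch a host that changes its IP and keeps its MAC; a host that also forges its MAC is only stopped by locking the MAC to the switch port.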


