Re: Visitor based networking
On Wed, 11 June 2003 at 12:40, Keegan Quinn wrote:
> On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> > I took a look at nocat and it really seems to do almost the things
> > I'm looking for *g* Thank you.
> > But I have a recommendation / question: Wouldn't it be possible to
> > also check the MAC of clients on the net? This way we could make IP-
> > hijacking (as written in the nocat-whitepaper) a lot harder I think.
> > Unfortunately I don't know if this is possible with something like
> > iptables - since mac-addresses work on a different (lower) layer.
> Sure. The problem is that NoCat is designed for wireless networks, and you
> cannot trust MAC addresses from them - they are too easily spoofed. I think
> wired networks may suffer from the same issue, but have not verified this.
> FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless
> you disable it.
> If you really need control down to the individual port, just get a box with a
> very large number of network interfaces, instead of a switch, and hack
> NoCatAuth to operate based on physical interface instead of addressing.
On wired networks it's not so easy to cheat the MAC address, this number
is set uniquely for each card in the world (or so my teacher said).
Anyhow, it's probably not all that hard either, but I think it's a good
enough solution for a controlled corporate environment where all you
want is to apply policies per user and such.
> - Keegan
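The IP-to-MAC matching the thread says NoCatAuth performs, written out as an added example (not NoCatAuth's own code): each authenticated session binds one IP to one MAC, traffic from a bound IP with a different MAC is flagged as a hijack suspect, and the matching iptables rule uses the `mac` match module. The session table and observed pairs are constructed sample data; as Keegan notes, on wireless a spoofed MAC defeats this check, so it raises the bar rather than closing the hole.

```python
# Added example, not NoCatAuth code: enforce and audit IP<->MAC bindings
# for authenticated captive-portal sessions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ip: str
    mac: str
    user: str


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-..' and '00:11:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(sessions: list[Session], ip: str, mac: str) -> str:
    """Decide what to do with a packet seen from (ip, mac):
    allow           IP and MAC both match one authenticated session
    hijack-suspect  IP belongs to a session but arrives from another MAC
    mac-moved       MAC belongs to a session but is using a different IP
    unauthenticated neither is known; send the client to the portal
    """
    mac = normalise_mac(mac)
    by_ip = {s.ip: s for s in sessions}
    by_mac = {normalise_mac(s.mac): s for s in sessions}
    if ip in by_ip:
        return "allow" if normalise_mac(by_ip[ip].mac) == mac else "hijack-suspect"
    return "mac-moved" if mac in by_mac else "unauthenticated"


def iptables_allow_rule(s: Session, chain: str = "NoCat_Members") -> str:
    """ACCEPT only when source IP and source MAC both match the session.
    Chain name is an assumed placeholder; -m mac --mac-source is a real iptables match."""
    return (f"iptables -A {chain} -s {s.ip} -m mac --mac-source {normalise_mac(s.mac)}"
            " -j ACCEPT")


def audit(sessions: list[Session], observed: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return every observed (ip, mac) pair that is not a clean 'allow'."""
    findings = [(ip, mac, classify(sessions, ip, mac)) for ip, mac in observed]
    return [f for f in findings if f[2] != "allow"]


# Constructed sample data: two authenticated users and four observed packets.
SESSIONS = [Session("10.0.0.5", "00:11:22:33:44:55", "alice"),
            Session("10.0.0.6", "00:11:22:33:44:66", "bob")]
OBSERVED = [("10.0.0.5", "00-11-22-33-44-55"), ("10.0.0.5", "02:00:00:00:00:01"),
            ("10.0.0.9", "00:11:22:33:44:66"), ("10.0.0.9", "02:00:00:00:00:02")]
```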