
Re: NIS/NFS alternatives? - dhcp



According to Alvin Oga:
> hi ya miquel
> 
> > > if you are worried about security.... 
> > > 	- disable dhcp and use all ip# defined by the "mask"
> > 
> > That doesn't make much sense.
> 
> if one has a class-C ip# ..and only using 20 ip# out of the range..
> it is easy for someone to plug in an unauthorised machine into
> your network... and sniff anything they like..

You don't need an IP number to sniff the network. If someone can
plug in to your network you're compromised anyway.

> 	- laptops being plugged in w/ security audit is a prime example
> 	of someone plugging stuff in w/o telling anybody
> 
> 	- the laptops could have been hacked while on the home lan
> 	and now gets to transfer itself to the secure office lan
> 
> - so to prevent that... i disable dhcp ... and use the proper 
>   broadcast and netmasks  needed to eliminate un-used ip# that
>   could be used by floating laptops 

If you use 20 out of 32 IP addresses, the attacker can still guess
an IP number by listening for ARP requests and guessing which
range you use. It's simple. Even if you use the whole range there's
always one PC or laptop turned off so that its IP address is free.

Even if you use a switch and put MAC address filters on the
switch an attacker can simply unplug an existing PC / laptop
and take over its MAC address.

Turning off DHCP will help against clueless users that plug in a
laptop but those aren't the hackers you're trying to guard against.

Basically what you are now talking about is physical,
on-site security.

Mike.
-- 
Move sig.
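
An added example, not part of the original message: a minimal audit of
ARP sightings against a static IP/MAC inventory, showing what such a
check flags and what it cannot tell apart. The subnet, addresses and
function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Sighting(NamedTuple):
    ip: str
    mac: str

# Constructed inventory: statically assigned hosts in a documentation range.
SUBNET = ipaddress.ip_network("192.0.2.0/27")
INVENTORY = {
    "192.0.2.10": "02:00:00:00:00:0a",
    "192.0.2.11": "02:00:00:00:00:0b",
    "192.0.2.12": "02:00:00:00:00:0c",
}

def classify(s: Sighting) -> str:
    """Compare one ARP sighting with the static inventory."""
    if ipaddress.ip_address(s.ip) not in SUBNET:
        return "foreign-subnet"
    expected = INVENTORY.get(s.ip)
    if expected is None:
        return "unassigned-ip"        # address nobody was given
    if expected != s.mac.lower():
        return "ip-mac-mismatch"      # assigned address, different hardware
    return "ok"

def audit(sightings):
    """Return only the sightings that disagree with the inventory."""
    return [(s, verdict) for s in sightings
            if (verdict := classify(s)) != "ok"]

# Constructed sightings, as an ARP monitor might record them.
SAMPLE = [
    Sighting("192.0.2.10", "02:00:00:00:00:0a"),  # inventoried host
    Sighting("192.0.2.20", "02:00:00:00:00:99"),  # unknown laptop, free address
    Sighting("192.0.2.12", "02:00:00:00:00:99"),  # same laptop on an idle host's address
    # Matches the inventory exactly: the audit cannot tell the original
    # machine from a device that was plugged in with its MAC and address.
    Sighting("192.0.2.11", "02:00:00:00:00:0B"),
]

if __name__ == "__main__":
    for s, verdict in audit(SAMPLE):
        print(f"{verdict:16} {s.ip:12} {s.mac}")
```

A station that only listens sends no ARP traffic and never appears in
the sightings at all.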


