Re: NIS/NFS alternatives? - dhcp
On Sun, Oct 07, 2001 at 02:45:38PM +0200, Miquel van Smoorenburg wrote:
| According to Alvin Oga:
| > hi ya miquel
| >
| > > > if you are worried about security....
| > > > - disable dhcp and use all ip# defined by the "mask"
| > >
| > > That doesn't make much sense.
| >
| > if one has a class-C ip# ..and only using 20 ip# out of the range..
| > it is easy for someone to plug in an unauthorise machine into
| > your network... and sniff anything they like..
|
| You don't need an IP number to sniff the network. If someone can
| plugin to your network you're compromised anyway.
True -- a passive ethernet frame sniffer can be plugged in.
| > - laptops being plugged in w/ security audit is a prime example
| > of someone plugging stuff in w/o telling anybody
| >
| > - the laptops could have been hacked while on the home lan
| > and now gets to transfer itself to the secure office lan
| >
| > - so to prevent that... i disable dhcp ... and use the proper
| > broadcast and netmasks needed to eliminate un-used ip# that
| > could be used by floating laptops
|
| If you use 20 out of 32 IP addresses, the attacker can still guess
| an IP number by listening for ARP requests and guessing which
| range you use. It's simple. Even if you use the whole range there's
| always one PC or laptop turned off so that its IP address is free.
Yeah, it can be fun to steal IPs sometimes. For example I don't have
DHCP set up at home. When I brought a laptop from work (it had win2k,
but that is irrelevant) home I had to give it a static IP. When I
took it back to the office I had to reset it to use a dynamic IP.
This is a pain so I simply picked an IP that wasn't being used at work
and used it statically. This worked great because both networks were
in 192.168.0.0/24 and had 192.168.0.1 as the gateway.
| Even if you use a switch and put MAC address filters on the
| switch an attacker can simply unplug an existing PC / laptop
| and take over its MAC address.
No, the MAC address is in the ethernet card, not the outlet in the
wall. I even have actual experience with this. I have taken a laptop
to school. In the 2 labs I spend most of my time in there are no
spare ethernet jacks. I simply unplug one of the 'doze2k boxen and
plug my woody laptop in. Still, even though I brought up the
interface using DHCP and got an IP I could only reach the class C I
was on, the DNS server, and a certain web site. After talking with
the admin of the labs I learned that ISC only routes hosts whose MAC
address is in their database and associated with a username. The web
site I could access is the internal site used to register the MAC with
the username. Now that I have registered the MAC I get routed
properly.
-D
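As an added example (not code from anyone in this thread), the script below shows the passive ARP survey Miquel describes: a host with no IP address of its own listens to broadcast who-has/is-at frames, learns which addresses in a /27 (32 addresses, the "20 out of 32" case above) are live, notes which ones are asked for but never answer (the powered-off PC), and picks a free address to use statically. The frames are constructed inline so it runs offline; the MAC addresses, the 192.168.0.0/27 range and the function names are all hypothetical. On a real interface the same parser would be fed raw frames from a packet socket (assumption: Linux AF_PACKET).

```python
"""Passive ARP survey: which LAN addresses are in use, and which are free.

Added example, not code from the original mailing-list thread.
Sample traffic is constructed below so the script runs with no network access.
"""
import struct
import ipaddress
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet II + IPv4 ARP frame (used only to fabricate sample traffic)."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed  # sender MAC / IP
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed  # target MAC / IP
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = mac_str(frame[22:28])
    spa = str(ipaddress.IPv4Address(frame[28:32]))
    tpa = str(ipaddress.IPv4Address(frame[38:42]))
    return op, sha, spa, tpa


def survey(frames, network: str):
    """Tally ARP traffic for `network`. Returns (live, unanswered, free):
    live       IP -> MAC for every address seen as an ARP sender (definitely in use),
    unanswered who-has targets that never appeared as a sender (likely a powered-off host),
    free       host addresses in the range never seen as a sender, in address order."""
    net = ipaddress.IPv4Network(network)
    live = {}
    targets = Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tpa = parsed
        if spa != "0.0.0.0":           # RFC 5227 probes carry 0.0.0.0 and claim no address
            live[spa] = sha
        if op == ARP_REQUEST:
            targets[tpa] += 1
    unanswered = {ip: n for ip, n in targets.items() if ip not in live}
    free = [str(h) for h in net.hosts() if str(h) not in live]
    return live, unanswered, free


def pick_free_address(frames, network: str):
    """Address an intruder could use statically: prefer one nobody even asks about
    (no conflict if a sleeping host wakes up), else any address with no live owner."""
    live, unanswered, free = survey(frames, network)
    quiet = [ip for ip in free if ip not in unanswered]
    candidates = quiet or free
    return candidates[0] if candidates else None


def _mac(n: int) -> str:               # hypothetical MACs for the constructed traffic
    return f"aa:bb:cc:00:00:{n:02x}"


# Constructed sample traffic on 192.168.0.0/27: five live hosts, one who-has for a host that is off.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, _mac(2), "192.168.0.2", ZERO_MAC, "192.168.0.1"),
    build_arp(ARP_REPLY,   _mac(1), "192.168.0.1", _mac(2), "192.168.0.2"),
    build_arp(ARP_REQUEST, _mac(5), "192.168.0.5", ZERO_MAC, "192.168.0.9"),
    build_arp(ARP_REPLY,   _mac(9), "192.168.0.9", _mac(5), "192.168.0.5"),
    build_arp(ARP_REQUEST, _mac(7), "192.168.0.7", ZERO_MAC, "192.168.0.12"),  # .12 never answers
    build_arp(ARP_REQUEST, _mac(2), "192.168.0.2", ZERO_MAC, "192.168.0.1"),
]

if __name__ == "__main__":
    live, unanswered, free = survey(SAMPLE_FRAMES, "192.168.0.0/27")
    print("live hosts:", live)
    print("asked for but silent:", unanswered)
    print("unused addresses:", len(free), "->", free[:5], "...")
    print("would squat on:", pick_free_address(SAMPLE_FRAMES, "192.168.0.0/27"))
```

Nothing here needs an IP address on the listening host; a NIC in promiscuous mode on the segment is enough, which is Miquel's point against shrinking the netmask as a defence.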