
Re: NIS/NFS alternatives? - dhcp

On Sun, Oct 07, 2001 at 02:45:38PM +0200, Miquel van Smoorenburg wrote:
| According to Alvin Oga:
| > hi ya miquel
| > 
| > > > if you are worried about security.... 
| > > > 	- disable dhcp and use all ip# defined by the "mask"
| > > 
| > > That doesn't make much sense.
| > 
| > if one has a class-C ip# ..and only using 20 ip# out of the range..
| > it is easy for someone to plug in an unauthorised machine into
| > your network... and sniff anything they like..
| 
| You don't need an IP number to sniff the network. If someone can
| plug in to your network you're compromised anyway.

True -- a passive ethernet frame sniffer can be plugged in.

| > 	- laptops being plugged in w/ security audit is a prime example
| > 	of someone plugging stuff in w/o telling anybody
| > 
| > 	- the laptops could have been hacked while on the home lan
| > 	and now gets to transfer itself to the secure office lan
| > 
| > - so to prevent that... i disable dhcp ... and use the proper 
| >   broadcast and netmasks  needed to eliminate un-used ip# that
| >   could be used by floating laptops 
| 
| If you use 20 out of 32 IP addresses, the attacker can still guess
| an IP number by listening for ARP requests and guessing which
| range you use. It's simple. Even if you use the whole range there's
| always one PC or laptop turned off so that its IP address is free.

Yeah, it can be fun to steal IPs sometimes.  For example I don't have
DHCP set up at home.  When I brought a laptop from work (it had win2k,
but that is irrelevant) home I had to give it a static IP.  When I
took it back to the office I had to reset it to use a dynamic IP.
This is a pain so I simply picked an IP that wasn't being used at work
and used it statically.  This worked great because both networks were
in 192.168.0.0/24 and had 192.168.0.1 as the gateway.

| Even if you use a switch and put MAC address filters on the
| switch an attacker can simply unplug an existing PC / laptop
| and take over its MAC address.

No, the MAC address is in the ethernet card, not the outlet in the
wall.  I even have actual experience with this.  I have taken a laptop
to school.  In the 2 labs I spend most of my time in there are no
spare ethernet jacks.  I simply unplug one of the 'doze2k boxen and
plug my woody laptop in.  Still, even though I brought up the
interface using DHCP and got an IP I could only reach the class C I
was on, the DNS server, and a certain web site.  After talking with
the admin of the labs I learned that ISC only routes hosts whose MAC
address is in their database and associated with a username.  The web
site I could access is the internal site used to register the MAC with
the username.  Now that I have registered the MAC I get routed
properly.

-D
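Added example, not part of the thread above: a small ARP-sighting monitor on the defender's side, covering both points the discussion raises, an IP that suddenly answers from a different card (a plugged-in laptop taking over a "free" or unplugged host's address) and a MAC that is not in a registration table like the lab's MAC-to-username database. The registration table, the sightings and the function name `analyze` are all constructed for this example.

```python
"""Flag ARP sightings that look like address take-over or an unregistered
station. Sightings and the registration table are constructed sample data
(a real monitor would feed in arpwatch-style observations)."""
from collections import namedtuple

Sighting = namedtuple("Sighting", "ts ip mac")

# Constructed registration table: MAC -> username, as the lab admin keeps it.
REGISTERED = {
    "00:11:22:33:44:55": "alice",
    "00:11:22:33:44:66": "bob",
}

# Constructed sequence of ARP replies as seen on the segment.
SIGHTINGS = [
    Sighting("10:00:01", "192.168.0.10", "00:11:22:33:44:55"),
    Sighting("10:00:02", "192.168.0.11", "00:11:22:33:44:66"),
    # bob's PC is unplugged; an unregistered card now answers for .11
    Sighting("10:05:00", "192.168.0.11", "DE:AD:BE:EF:00:01"),
    # a laptop that picked an unused address in the range
    Sighting("10:06:00", "192.168.0.20", "de:ad:be:ef:00:02"),
]


def analyze(sightings, registered):
    """Return a list of (kind, ip, mac) alerts.

    kind is "unregistered" when the MAC is absent from the registration
    table, and "changed-mac" when an IP that was previously seen with one
    MAC now answers with another. MACs are normalised to lower case.
    """
    seen = {}      # ip -> last MAC observed for it
    alerts = []
    for s in sightings:
        mac = s.mac.lower()
        if mac not in registered:
            alerts.append(("unregistered", s.ip, mac))
        prev = seen.get(s.ip)
        if prev is not None and prev != mac:
            alerts.append(("changed-mac", s.ip, mac))
        seen[s.ip] = mac
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in analyze(SIGHTINGS, REGISTERED):
        print(f"{kind:12} {ip:15} {mac}")
```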