Security Basics: Re: Preventing DHCP from allocating IPs

Re: Preventing DHCP from allocating IPs

From: jon kintner <jon.kintner_at_lvcm.com>
Date: Mon, 9 Dec 2002 11:10:01 -0800

I don't know if it's impossible, but isn't sniffing traffic on a switched
network more difficult?

-jon

----- Original Message -----
From: "Tony Meman" <none_at_superig.com.br>
To: <security-basics_at_securityfocus.com>
Sent: Saturday, December 07, 2002 3:29 PM
Subject: Re: Preventing DHCP from allocating IPs

> Someone could just sniff the traffic, collect some valid MAC addresses
> and use one of
> them when some box is down. MAC spoofing is trivial.
>
> Regards,
>
> --
> none
>
> Hasnain Atique wrote:
>
> >My solution was somewhat more elaborate.
> >
> >I'd separated the network into sections, each connecting to a "backbone" of
> >sorts. Each segment is physically separate with a Linux
> >router/gateway/firewall linking the section to the backbone. Each Linux box
> >knows which MAC addresses are valid within its segment and only allows that
> >through to the backbone. DHCP within each segment allocates IP addresses to
> >known MACs only.
> >
> >Net result is that, unknown MAC addresses firstly don't get a DHCP
> >allocation, and secondly can't make it outside of the local segment. Even if
> >a smart user were to pick and choose an unused IP and used the right gateway
> >address, because of MAC filtering they will be limited to the local segment.
> >
> >The downside is that every single MAC address has to be known before putting
> >this in place (it's easily done with arpwatch), and there will be multiple
> >gateways to maintain. But depending on your level of paranoia you'll
> >probably like it.
> >
> >Finally, I certainly wouldn't want to automate the process of learning MAC
> >addresses and updating DHCP allocation accordingly. Defeats the entire
> >purpose!!
Received on Dec 10 2002
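As an added example (not from the thread), a small Python audit of the per-segment MAC allowlist Hasnain describes: it parses `ip -4 neigh show` output from each segment gateway and reports MACs that are not on the allowlist (which should never receive a lease or pass the gateway) and known MACs that appear outside their home segment, which is one way the spoofing Tony mentions becomes visible when the impersonator sits on a different segment. The allowlist, segment names and neighbour tables are constructed sample data.

```python
"""Audit each segment gateway's ARP table against a per-segment MAC allowlist."""
import re

# Constructed allowlist: which segment each known MAC belongs to.
KNOWN_MACS = {
    "00:11:22:33:44:55": "seg-a",
    "00:11:22:33:44:66": "seg-a",
    "00:aa:bb:cc:dd:ee": "seg-b",
}

# Constructed samples in the format of `ip -4 neigh show` on each Linux gateway.
ARP_TABLES = {
    "seg-a": """\
10.0.1.10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.11 dev eth1 lladdr 00:11:22:33:44:66 STALE
10.0.1.50 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE
""",
    "seg-b": """\
10.0.2.10 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE
10.0.2.77 dev eth1 lladdr 00:11:22:33:44:66 REACHABLE
10.0.2.99 dev eth1 FAILED
""",
}

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text):
    """Yield (ip, mac) for each resolved entry; lines without lladdr are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3).lower()


def audit(arp_tables, known_macs):
    """Return findings as (kind, segment, ip, mac) tuples.

    kind is "unknown-mac" for a MAC absent from the allowlist, or
    "wrong-segment" for a known MAC seen on a gateway other than its home.
    """
    findings = []
    for segment, table in arp_tables.items():
        for ip, mac in parse_neigh(table):
            home = known_macs.get(mac)
            if home is None:
                findings.append(("unknown-mac", segment, ip, mac))
            elif home != segment:
                findings.append(("wrong-segment", segment, ip, mac))
    return findings


if __name__ == "__main__":
    for finding in audit(ARP_TABLES, KNOWN_MACS):
        print(*finding)
```

The same MAC seen on two gateways at once is the stronger signal; a single out-of-segment hit could also be a host that was physically moved without updating the allowlist.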
