you need to use SPAN port... /gene
jon kintner wrote:
> I don't know if it's impossible, but isn't sniffing traffic on a switched
> network more difficult?
>
> -jon
>
> ----- Original Message -----
> From: "Tony Meman" <none_at_superig.com.br>
> To: <security-basics_at_securityfocus.com>
> Sent: Saturday, December 07, 2002 3:29 PM
> Subject: Re: Preventing DHCP from allocating IPs
>
>>Someone could just sniff the traffic, collect some valid MAC addresses
>>and use one of them when some box is down. MAC spoofing is trivial.
>>
>>Regards,
>>
>>--
>>none
>>
>>Hasnain Atique wrote:
>>
>>>My solution was somewhat more elaborate.
>>>
>>>I'd separated the network into sections, each connecting to a "backbone" of
>>>sorts. Each segment is physically separate with a Linux
>>>router/gateway/firewall linking the section to the backbone. Each Linux box
>>>knows which MAC addresses are valid within its segment and only allows that
>>>through to the backbone. DHCP within each segment allocates IP addresses to
>>>known MACs only.
>>>
>>>Net result is that unknown MAC addresses firstly don't get a DHCP
>>>allocation, and secondly can't make it outside of the local segment. Even if
>>>a smart user were to pick and choose an unused IP and use the right gateway
>>>address, because of MAC filtering they will be limited to the local segment.
>>>
>>>The downside is that every single MAC address has to be known before putting
>>>this in place (it's easily done with arpwatch), and there will be multiple
>>>gateways to maintain. But depending on your level of paranoia you'll
>>>probably like it.
>>>
>>>Finally, I certainly wouldn't want to automate the process of learning MAC
>>>addresses and updating DHCP allocation accordingly. Defeats the entire
>>>purpose!!
>>>
>>
>
--
Gene Yoo, gyoo_at_attbi.com
Received on Dec 11 2002
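The per-segment scheme Hasnain describes (DHCP only for known MACs, MAC filtering at the Linux gateway, allow-list bootstrapped from arpwatch), as an added example that is not part of the thread. It assumes arpwatch's arp.dat layout of tab-separated mac, ip, timestamp and optional hostname with unpadded MAC octets, and it only generates the dhcpd and iptables text for an operator to review and apply by hand, in keeping with the poster's point that learning must not be automated; Tony's caveat that a spoofed MAC passes both checks still applies.

```python
"""Build a segment's MAC allow-list from an arpwatch arp.dat snapshot.

Assumed arp.dat format: <mac>\t<ip>\t<unix-ts>[\t<hostname>], MAC octets
not zero-padded (e.g. 0:e0:4c:1:2:3). Output is reviewed and applied manually.
"""
import re

# Constructed sample of an arp.dat file (not real data). The third line is an
# older sighting of the first host on another address and is collapsed.
SAMPLE_ARP_DAT = (
    "0:e0:4c:1:2:3\t192.168.10.21\t1039279740\tws21\n"
    "0:50:56:c0:0:8\t192.168.10.22\t1039279801\n"
    "0:e0:4c:1:2:3\t192.168.10.99\t1039200000\n"
)

_OCTET = re.compile(r"^[0-9a-f]{1,2}$")

def normalize_mac(mac):
    """Zero-pad each octet so '0:e0:4c:1:2:3' becomes '00:e0:4c:01:02:03'."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)

def parse_arp_dat(text):
    """Return {mac: (ip, hostname)} keeping only the newest sighting per MAC."""
    newest = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        mac, ip, ts = normalize_mac(fields[0]), fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else None
        if mac not in newest or ts > newest[mac][0]:
            newest[mac] = (ts, ip, host)
    return {m: (ip, host) for m, (ts, ip, host) in newest.items()}

def dhcpd_config(hosts):
    """ISC dhcpd fragment: known MACs get a fixed lease, unknown clients nothing."""
    out = ["deny unknown-clients;"]
    for mac, (ip, host) in sorted(hosts.items()):
        name = host or "h-" + mac.replace(":", "")
        out.append("host %s { hardware ethernet %s; fixed-address %s; }" % (name, mac, ip))
    return "\n".join(out)

def forward_rules(hosts, segment_if="eth1"):
    """iptables FORWARD policy: drop by default, pass only known source MACs."""
    rules = ["iptables -P FORWARD DROP"]
    for mac in sorted(hosts):
        rules.append("iptables -A FORWARD -i %s -m mac --mac-source %s -j ACCEPT"
                     % (segment_if, mac))
    return rules
```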