Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

RE: Re: dhcp altering firewall rules
From: "Goldberg, Dan B" <Dan.B.Goldberg () usa xerox com>
Date: Mon, 07 May 2001 10:32:44 -0400

        I finally feel inclined to post to this list after nearly a year of
lurking! The original question as I read it was to create a restrictive set
of firewall rules that deny communications through the firewall based on
source address. As a computer requests an address from the DHCP server the
firewall rules are changed to allow that address to go through for a
specific period of time. If the goal is simply to enforce the use of DHCP
addresses the suggested models should work. I bet the cable companies have
(or ought to implement) this type of system. They control the wire and have
a financial requirement to restrict users from using more addresses than
they are paying for.
        If the goal is to perform monitoring, or auditing of usage through
the firewall, or restrict access by user or other criteria. I would suggest
there is a major security flaw in this (dhcp) model. The DHCP servers I have
used perform no authentication of the client. They hand addresses to anyone
who ask for one. Thus restricting rules on the firewall really gains nothing
as anyone connecting to the network gets an address and the firewall opens
up to let them through. This leaves a convoluted audit trail based on the
MAC address if all requests are logged. I would propose instead a different
model based on authentication and authorization of the individual user.
There are a number of ways to accomplish this. Using proxies or other
firewall products that require the user to present credentials (e.g.
username password or public key) that specifically identify the user. This
leaves a detailed audit trail and provides more granular control. 
        I have used Squid http://www.squid-cache.org (Web cache - Proxy with
SAMBA for this.) It is a function of several commercial firewall products.

Dan Goldberg

-- Original Message --

one 'hack' of a solution (not compromise hack, just .. a hack)

use atchange[1] to monitor the dhcp leases file. when it changes, call a
script that will rebuild the ipf.rules file (ie fill in the blank for
$IPADDR) and reload the firewall rules.

another solution is to treat your host as a member of a network, the DHCP
network your provider uses. chances are you wont have problems with
traffic intended for your neighbors, i think.

1. http://www.lecb.ncifcrf.gov/~toms/atchange.html
firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]