RE: DHCP through RAS
From: Wronski, Michael C (MED) (Michael.Wronski_at_med.ge.com)
Date: 03/02/04
- Previous message: Marc Fossi: "Article Announcements"
- Maybe in reply to: Jason Humes: "DHCP through RAS"
- Next in thread: jamesworld_at_intelligencia.com: "Re: DHCP through RAS"
To: "'Jason Humes'" <jhumes@acs.on.ca>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Tue, 2 Mar 2004 11:20:37 -0600
It's fairly complex to detect someone grabbing an IP from your DHCP server and then using NAT to share that connection. There have been a few research papers on the topic:

http://www.sflow.org/detectNAT/ - Detecting NAT
http://www.research.att.com/~smb/papers/fnat.pdf - Counting NAT hosts

The techniques look sound, but I am not aware of any tool that would combine them into a method of then blocking that host from routing on your network.

You can resolve some of your DHCP problems by configuring your DHCP server to not assign addresses to clients that send the option Default User Class set to block RAS, or to assign non-routable addresses to clients that don't contain an ID that you specify. It will not help you with NATing access devices that may be requesting IPs. Some of these may not support the MS class option and you could block those, but not all.

Basically you can slow some people down, but you won't be able to block this entirely unless you use VPN technology for connecting to your service that would block the sharing and routing of the VPN connection. I believe the Cisco VPN client effectively does this and I am sure others are capable. It would also eliminate any NON-PC device from connecting as they won't have the client SW installed.
-M
-----Original Message-----
From: Jason Humes [mailto:jhumes@acs.on.ca]
Sent: Monday, March 01, 2004 3:31 PM
To: 'focus-ms@securityfocus.com'
Subject: DHCP through RAS
Hi

We provide access-controlled internet in a public area through the use of an access-controller. Usernames for authentication to the AC are given out manually and IPs are distributed via W2K DHCP Server. The problem is that we don't want users installing access-points or other access mechanisms onto the network and doing some second level sharing of the internet feed. I mean, if I look at the DHCP server leases, most of the leases are plain old PCs, but there are a couple that show up as RAS under the "unique ID" field and the "Name" field matches that of another...this means that the person showing up as RAS is connecting THROUGH the matched Name...correct? Is there any way in W2K DHCP to stop this? The access-controller works by source IP address, and the IP would be the same for both PCs and therefore allowed through to the internet. Thanks

Jason D. Humes
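The two references in the reply above describe traffic-side heuristics for spotting a NAT box that is sharing one lease: a packet forwarded by a NAT gateway arrives with its TTL decremented once (sflow's detectNAT), and a single source IP that carries several interleaved incrementing IP ID counters is really several hosts (Bellovin's fnat). The following Python is an added example, not code from the thread, the papers, or any product mentioned; it implements both checks over a small constructed traffic sample. It assumes that the NAT box does not rewrite TTLs and that the hosts behind it use a per-host sequential IP ID, which was true of Windows in 2004 but not of modern systems that randomize the ID field, so on current networks only the TTL check remains useful.

```python
"""Traffic-side heuristics for spotting a NAT box behind one DHCP lease.

Two signals, one from each paper cited in the thread:
  * TTL: a packet generated by the leaseholder itself arrives with a
    common initial TTL (64/128/255); a packet forwarded from a client
    behind a NAT box has been decremented once, so 127 instead of 128.
  * IP ID: hosts of this era use a per-host incrementing IP ID, so one
    source IP carrying several interleaved ID counters is several hosts
    sharing one address.  (Assumption: sequential IDs, as on 2004-era
    Windows; modern stacks randomize the ID field.)
"""
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed sample traffic: (src_ip, ttl, ip_id), in arrival order.
# 10.0.0.5 models one Windows PC (TTL 128, one monotonic ID counter).
# 10.0.0.9 models a home router holding one lease for two PCs behind it:
# TTL 127 (decremented once) and two interleaved ID counters.
SAMPLE = [
    ("10.0.0.5", 128, 1000), ("10.0.0.9", 127, 5000),
    ("10.0.0.5", 128, 1001), ("10.0.0.9", 127, 30000),
    ("10.0.0.5", 128, 1002), ("10.0.0.9", 127, 5001),
    ("10.0.0.5", 128, 1003), ("10.0.0.9", 127, 30001),
    ("10.0.0.5", 128, 1004), ("10.0.0.9", 127, 5002),
    ("10.0.0.5", 128, 1005), ("10.0.0.9", 127, 30002),
]


def ttl_hops(ttl):
    """Hops from the sender, assuming the nearest common initial TTL.

    On a flat LAN a directly attached host shows 0; anything routed
    through a NAT box shows 1 or more.  Returns None for a TTL too far
    below every common initial value to attribute (assumed cut-off: 32).
    """
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial and initial - ttl < 32:
            return initial - ttl
    return None


def count_id_streams(ids, max_gap=20):
    """Count interleaved incrementing IP ID counters among one source's packets.

    Each ID is attached to the stream whose last ID is the closest one
    below it (within max_gap); an ID that fits no stream starts a new one.
    16-bit wraparound is ignored, so long captures should be windowed.
    """
    last_ids = []
    for ident in ids:
        best = None
        for k, last in enumerate(last_ids):
            if last < ident <= last + max_gap and (best is None or last > last_ids[best]):
                best = k
        if best is None:
            last_ids.append(ident)
        else:
            last_ids[best] = ident
    return len(last_ids)


def analyze(records, min_packets=4):
    """Per source IP: hop counts seen, ID stream count, and a NAT verdict."""
    by_src = defaultdict(list)
    for src, ttl, ident in records:
        by_src[src].append((ttl, ident))
    report = {}
    for src, pkts in by_src.items():
        hops = {ttl_hops(ttl) for ttl, _ in pkts}
        hops.discard(None)
        # Too few packets give no meaningful ID clustering; treat as one host.
        streams = count_id_streams([i for _, i in pkts]) if len(pkts) >= min_packets else 1
        report[src] = {
            "hops": sorted(hops),
            "id_streams": streams,
            "suspect": any(h > 0 for h in hops) or streams > 1,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(analyze(SAMPLE).items()):
        print(src, info)
```

Run against a capture from the access-controller's LAN side, the `suspect` flag marks leases worth cross-checking against the DHCP "unique ID" field Jason mentions; a NAT box that also originates its own traffic will show hop counts of both 0 and 1 and still be flagged.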