Re: Preventing DHCP from allocating IPs

From: jon kintner (jon.kintner@lvcm.com)
Date: 12/09/02

    From: "jon kintner" <jon.kintner@lvcm.com>
    To: "Tony Meman" <none@superig.com.br>, <security-basics@securityfocus.com>
    Date: Mon, 9 Dec 2002 11:10:01 -0800
    
    

    I don't know if it's impossible, but isn't sniffing traffic on a switched
    network more difficult?

    -jon

    ----- Original Message -----
    From: "Tony Meman" <none@superig.com.br>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, December 07, 2002 3:29 PM
    Subject: Re: Preventing DHCP from allocating IPs

    > Someone could just sniff the traffic, collect some valid MAC addresses
    > and use one of them when some box is down. MAC spoofing is trivial.
    >
    > Regards,
    >
    > --
    > none
    >
    > Hasnain Atique wrote:
    >
    > >My solution was somewhat more elaborate.
    > >
    > >I'd separated the network into sections, each connecting to a "backbone" of
    > >sorts. Each segment is physically separate with a Linux
    > >router/gateway/firewall linking the section to the backbone. Each Linux box
    > >knows which MAC addresses are valid within its segment and only allows that
    > >through to the backbone. DHCP within each segment allocates IP addresses to
    > >known MACs only.
    > >
    > >Net result is that unknown MAC addresses firstly don't get a DHCP
    > >allocation, and secondly can't make it outside of the local segment. Even if
    > >a smart user were to pick and choose an unused IP and use the right gateway
    > >address, because of MAC filtering they will be limited to the local segment.
    > >
    > >The downside is that every single MAC address has to be known before putting
    > >this in place (it's easily done with arpwatch), and there will be multiple
    > >gateways to maintain. But depending on your level of paranoia you'll
    > >probably like it.
    > >
    > >Finally, I certainly wouldn't want to automate the process of learning MAC
    > >addresses and updating DHCP allocation accordingly. Defeats the entire
    > >purpose!!
    > >
    > >
    >
    >


