Re: Preventing DHCP from allocating IPs

From: jon kintner (jon.kintner@lvcm.com)
Date: 12/09/02

    From: "jon kintner" <jon.kintner@lvcm.com>
    To: "Tony Meman" <none@superig.com.br>, <security-basics@securityfocus.com>
    Date: Mon, 9 Dec 2002 11:10:01 -0800

    I don't know if it's impossible, but isn't sniffing traffic on a switched
    network more difficult?

    -jon

    ----- Original Message -----
    From: "Tony Meman" <none@superig.com.br>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, December 07, 2002 3:29 PM
    Subject: Re: Preventing DHCP from allocating IPs

    > Someone could just sniff the traffic, collect some valid MAC addresses
    > and use one of them when some box is down. MAC spoofing is trivial.
    >
    > Regards,
    >
    > --
    > none
    >
    > Hasnain Atique wrote:
    >
    > >My solution was somewhat more elaborate.
    > >
    > >I'd separated the network into sections, each connecting to a "backbone" of
    > >sorts. Each segment is physically separate with a Linux
    > >router/gateway/firewall linking the section to the backbone. Each Linux box
    > >knows which MAC addresses are valid within its segment and only allows that
    > >through to the backbone. DHCP within each segment allocates IP addresses to
    > >known MACs only.
    > >
    > >Net result is that unknown MAC addresses firstly don't get a DHCP
    > >allocation, and secondly can't make it outside of the local segment. Even if
    > >a smart user were to pick and choose an unused IP and use the right gateway
    > >address, because of MAC filtering they will be limited to the local segment.
    > >
    > >The downside is that every single MAC address has to be known before putting
    > >this in place (it's easily done with arpwatch), and there will be multiple
    > >gateways to maintain. But depending on your level of paranoia you'll
    > >probably like it.
    > >
    > >Finally, I certainly wouldn't want to automate the process of learning MAC
    > >addresses and updating DHCP allocation accordingly. Defeats the entire
    > >purpose!!
    > >
    > >
    >
    >
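The segmented design Hasnain Atique describes above (per-segment DHCP that hands addresses only to known MACs, a Linux gateway that forwards only known MACs to the backbone, and an inventory gathered with arpwatch) can be expressed as a small one-shot generator. This is an added example, not code from anyone in the thread. It assumes arpwatch's arp.dat layout (tab-separated MAC, IP, epoch timestamp, optional hostname, with MAC octets written without zero padding), ISC dhcpd's `deny unknown-clients` and `host` syntax, and the iptables `mac` match module; the sample inventory, interface names and addresses are constructed.

```python
"""Offline generator: turn a reviewed arpwatch MAC inventory into a dhcpd.conf
fragment (known MACs only) and an iptables MAC gate for the segment gateway.
Added example for this thread; file format and names below are assumptions."""
import re
from ipaddress import ip_address

# Constructed sample in arpwatch's arp.dat layout (assumed: tab-separated
# MAC, IP, epoch timestamp, optional hostname; arpwatch writes MAC octets
# without zero padding, so 8:0:20:1:2:3 means 08:00:20:01:02:03).
SAMPLE_ARP_DAT = """\
0:a0:c9:12:34:56\t192.168.10.20\t1039456312\tws-accounting
0:50:56:ab:cd:ef\t192.168.10.21\t1039456400\tws-hr
0:a0:c9:12:34:56\t192.168.10.20\t1039457000\tws-accounting
8:0:20:1:2:3\t192.168.10.30\t1039458000\tprinter
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)


def normalize_mac(mac):
    """Zero-pad and lowercase a MAC so dhcpd and iptables see one spelling."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_dat(text):
    """Return {mac: (ip, hostname)} keeping the newest sighting per MAC."""
    newest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            raise ValueError(f"short arp.dat line: {line!r}")
        mac = normalize_mac(fields[0])
        ip = str(ip_address(fields[1]))   # rejects malformed addresses
        seen = int(fields[2])
        host = fields[3] if len(fields) > 3 and fields[3] else None
        if mac not in newest or seen > newest[mac][0]:
            newest[mac] = (seen, ip, host)
    return {mac: (ip, host) for mac, (_, ip, host) in newest.items()}


def dhcpd_fragment(inventory, subnet, netmask, router):
    """dhcpd.conf text: subnet refuses unknown clients, one host per known MAC."""
    out = [
        f"subnet {subnet} netmask {netmask} {{",
        "    deny unknown-clients;",
        f"    option routers {router};",
        "}",
    ]
    used = set()
    for n, (mac, (ip, host)) in enumerate(sorted(inventory.items())):
        name = host or f"host{n}"
        if name in used:                 # dhcpd host names must be unique
            name = f"{name}-{n}"
        used.add(name)
        out += [f"host {name} {{", f"    hardware ethernet {mac};",
                f"    fixed-address {ip};", "}"]
    return "\n".join(out) + "\n"


def iptables_rules(inventory, lan_if, backbone_if, chain="MACGATE"):
    """FORWARD gate: known MACs fall through to the rest of policy, others drop."""
    rules = [f"iptables -N {chain}",
             f"iptables -A FORWARD -i {lan_if} -o {backbone_if} -j {chain}"]
    for mac in sorted(inventory):
        rules.append(f"iptables -A {chain} -m mac --mac-source {mac} -j RETURN")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    inv = parse_arp_dat(SAMPLE_ARP_DAT)
    print(dhcpd_fragment(inv, "192.168.10.0", "255.255.255.0", "192.168.10.1"))
    print("\n".join(iptables_rules(inv, "eth1", "eth0")))
```

Two design points follow the thread's own reasoning. The generator is meant to be run once against an inventory a person has reviewed, not wired to arpwatch as a live loop, which keeps the "don't automate the learning" caveat intact. And the iptables chain only decides whether a source MAC may reach the backbone at all (RETURN for known, DROP for unknown), leaving the rest of the FORWARD policy to judge the traffic, because, as Tony Meman notes, a MAC allow list limits where an unknown box can go but does not by itself prove who is on the wire.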