Re: bridge detection

From: Joe Hood (joe.hood_at_gmail.com)
Date: 12/28/04

    Date: Tue, 28 Dec 2004 12:40:49 -0500
    To: security-basics@securityfocus.com
    
    

    If your clients use OpenBSD's packet scrubbing, you'll have difficulty
    discerning if there are NAT'ed machines behind their gateway.

    On Tue, 28 Dec 2004 09:29:49 -0800, David Gillett <gillettdavid@fhda.edu> wrote:
    > A router will use its own MAC address as the source. A bridge,
    > by definition, will not. (A proxy will use both its own MAC and
    > IP addresses, as will a router/firewall performing NAT.)
    > A bridge, therefore, is not an issue. But a router or proxy
    > can look like a single client device.
    >
    > Since this is a very hard problem to solve, ask yourself whether
    > you need to solve it! If you bill customers by metered usage, it
    > doesn't matter how many devices they use. If you're trying to
    > avoid supporting routers, tell your tech support staff not to
    > support them.
    >
    > About the only situation that really justifies concern about
    > this is that customers might share/resell your service to people
    > who might, otherwise, become customers themselves. Is there a
    > reason to assume this is a major problem?
    > If so, I think you'll do better with metering, speed caps, or
    > capping the number of simultaneous connections per IP address,
    > than trying to detect devices.
    >
    > David Gillett
    >
    >
    > > -----Original Message-----
    > > From: G.P.M [mailto:ice4ice@excite.com]
    > > Sent: Saturday, December 25, 2004 8:30 AM
    > > To: security-basics@securityfocus.com
    > > Subject: bridge detection
    > >
    > >
    > >
    > > Hi,
    > > I was wondering whether there are any programs which can detect
    > > switches/routers, based as well on Linux.
    > > The problem is that one company is setting up a large LAN,
    > > with internet access, based on static IP/MAC addresses, for
    > > paying reasons. Many clients separate their connection, often
    > > giving the MAC of the bridge, not the PC.
    > > I had many ideas about that, e.g. checking the vendor for
    > > the MAC, signal replays from the source.
    > > I worry also about 'clear' switches, non-programmable ones.
    > >
    > > Could someone please give me some advice?
    > >
    > > Sorry for my bad English.

