Security Basics mailing list archives
Re: Preventing DHCP from allocating IPs
From: Gene <gyoo () attbi com>
Date: Tue, 10 Dec 2002 15:02:19 -0800
you need to use SPAN port...

/gene

jon kintner wrote:

> I don't know if it's impossible, but isn't sniffing traffic on a switched network more difficult?
>
> -jon
>
> ----- Original Message -----
> From: "Tony Meman" <none () superig com br>
> To: <security-basics () securityfocus com>
> Sent: Saturday, December 07, 2002 3:29 PM
> Subject: Re: Preventing DHCP from allocating IPs
>
>> Someone could just sniff the traffic, collect some valid MAC addresses and use one of them when some box is down. MAC spoofing is trivial.
>>
>> Regards,
>> -- none
>>
>> Hasnain Atique wrote:
>>
>>> My solution was somewhat more elaborate. I'd separated the network into sections, each connecting to a "backbone" of sorts. Each segment is physically separate with a Linux router/gateway/firewall linking the section to the backbone. Each Linux box knows which MAC addresses are valid within its segment and only allows that through to the backbone. DHCP within each segment allocates IP addresses to known MACs only.
>>>
>>> Net result is that, unknown MAC addresses firstly don't get a DHCP allocation, and secondly can't make it outside of the local segment. Even if a smart user were to pick and choose an unused IP and used the right gateway address, because of MAC filtering they will be limited to the local segment.
>>>
>>> The downside is that every single MAC address has to be known before putting this in place (it's easily done with arpwatch), and there will be multiple gateways to maintain. But depending on your level of paranoia you'll probably like it.
>>>
>>> Finally, I certainly wouldn't want to automate the process of learning MAC addresses and updating DHCP allocation accordingly. Defeats the entire purpose!!

-- Gene Yoo, gyoo () attbi com
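
The per-segment setup quoted above (DHCP leases for known MACs only, plus a MAC filter on the segment gateway) can be generated from one reviewed allow-list; this is an added example, not part of the original thread or any poster's configuration. It assumes ISC dhcpd and iptables as the tools, and the interface name, addresses and host names are constructed.

```python
import re

def normalize_mac(raw):
    """Return a MAC as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:
        # Group bit set: broadcast/multicast can never be a host's source MAC.
        raise ValueError(f"group address cannot identify a host: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_segment(iface, subnet, netmask, pool, hosts):
    """hosts is a list of (name, mac). Returns (dhcpd_conf_text, iptables_rules)."""
    seen = {}
    dhcp = [
        f"subnet {subnet} netmask {netmask} {{",
        f"  range {pool[0]} {pool[1]};",
        "  deny unknown-clients;  # no lease without a host entry below",
        "}",
    ]
    rules = []
    for name, raw_mac in hosts:
        if not re.fullmatch(r"[A-Za-z0-9-]+", name):
            raise ValueError(f"bad host name: {name!r}")
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"{mac} listed for both {seen[mac]} and {name}")
        seen[mac] = name
        # A host declaration with a hardware address makes the client "known".
        dhcp.append(f"host {name} {{ hardware ethernet {mac}; }}")
        rules.append(f"-A FORWARD -i {iface} -m mac --mac-source {mac} -j ACCEPT")
    # Anything else arriving from the segment stays on the segment.
    rules.append(f"-A FORWARD -i {iface} -j DROP")
    return "\n".join(dhcp), rules

# Constructed allow-list for one segment, in mixed notations as collected by hand.
SAMPLE_HOSTS = [("ws-01", "00-0C-29-AA-BB-01"), ("ws-02", "000c.29aa.bb02")]

if __name__ == "__main__":
    conf, rules = build_segment("eth1", "192.0.2.0", "255.255.255.0",
                                ("192.0.2.50", "192.0.2.99"), SAMPLE_HOSTS)
    print(conf)
    print("\n".join(rules))
```

As noted in the thread, this filters on an address the client itself supplies, so it restricts unknown hardware but does not authenticate a machine that presents an allowed MAC.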