Re: Network Security
From: Angelus (no_email_at_address.com)
Date: 03/15/05
- In reply to: Moe Trin: "Re: Network Security"
- Next in thread: prg: "Re: Network Security"
- Reply: prg: "Re: Network Security"
- Reply: Tommy Reynolds: "Re: Network Security"
- Reply: prg: "Re: Network Security"
- Reply: Moe Trin: "Re: Network Security"
Date: Tue, 15 Mar 2005 13:28:32 GMT
Moe Trin wrote:
> In article <1110800534.6052.0@damia.uk.clara.net>, Tom wrote:
>
>
>>I've been tasked to protect our network from unwanted clients
>>connecting, i.e. someone brings their laptop in and plugs it in and can
>>get an IP address etc.
>
>
> Yes, that's how DHCP works. To prevent this from happening, you can
> configure the DHCP server to only give out addresses to specific MAC
> addresses, which has all the security of a wet paper bag.
>
> If you really do want security, you start by having the "Powers that be"(tm)
> publish an organizational policy notice that everyone sees AND ACKNOWLEDGES
> (in writing if you're serious) that says no visiting computers. Next, you
> post big freakin signs at every entrance that clearly repeat that no
> visiting computers are allowed. When someone disregards this policy, you
> make an example of them - a severed head on a pole out in front of the
> entrance may get the message across.
>
>
>>I have used arpwatch to detect new and changed mac addresses etc but
>>does anyone know a good way to stop unauthorised clients from
>>connecting to the network? Is there a way where if your mac address is
>>not 'known' to us then we can stop it getting an IP from the DHCP server?
>
>
> As above - but notice that many network cards can have their hardware
> address set to anything - see the ifconfig man page.
I know the mac address is easily changed on unix machines. But just out
of curiosity, does anyone know if it can be changed that easily on a
windoze box?
>
>>We don't want to not use DHCP
>
>
> Why not? Do you have computers transiting all the time? That's really
> the only valid reason to have DHCP. If the systems are fixed, the only
> benefit you gain is the few seconds of not having to configure the host.
> If you use a fixed MAC to IP address scheme, then you will waste those
> few seconds having to add the MAC address to the DHCP server configuration
> file. If the computers are in fact transients, then your security model
> already has problems.
>
> And yes, I'm riding herd on 2000 computers where corporate policy is "NO
> VISITORS ALLOWED". We use a scheme similar to arpwatch, but also monitor
> the arp caches of the servers and routers trying to catch any idiot that
> feels corporate policy is wrong.
>
> Old guy
>
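The ARP-cache monitoring mentioned in the quoted reply can be illustrated as follows. This is an added example, not code from the thread or from any poster's site; it assumes the Linux `/proc/net/arp` layout, and the allowlist, addresses and function names are constructed for illustration.

```python
import re

# Constructed allowlist: authorised MAC -> expected IP (hypothetical values).
KNOWN_HOSTS = {
    "00:11:22:33:44:55": "192.0.2.10",
    "00:11:22:33:44:66": "192.0.2.11",
}

# Constructed sample in Linux /proc/net/arp format.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.10       0x1         0x2         00:11:22:33:44:55     *        eth0
192.0.2.11       0x1         0x2         00:11:22:33:44:66     *        eth0
192.0.2.57       0x1         0x2         00:AA:BB:CC:DD:01     *        eth0
192.0.2.12       0x1         0x2         00:11:22:33:44:66     *        eth0
192.0.2.99       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arp(text):
    """Yield (ip, mac) for complete entries; skip header and incomplete rows."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        # Flag 0x2 (ATF_COM) marks a completed entry; all-zero MACs are unresolved.
        if not flags & 0x2 or not MAC_RE.match(mac) or mac == "00:00:00:00:00:00":
            continue
        yield ip, mac

def audit(text, known=KNOWN_HOSTS):
    """Return sorted alerts: (kind, ip, mac) for entries that break the allowlist."""
    alerts, seen = [], {}
    for ip, mac in parse_arp(text):
        if mac not in known:
            alerts.append(("unknown-mac", ip, mac))
        elif known[mac] != ip:
            alerts.append(("ip-mismatch", ip, mac))
        # One MAC answering for more than one IP deserves a closer look.
        if mac in seen and seen[mac] != ip:
            alerts.append(("duplicate-mac", ip, mac))
        seen.setdefault(mac, ip)
    return sorted(alerts)

if __name__ == "__main__":
    for alert in audit(SAMPLE_ARP):
        print(*alert)
```

Because hardware addresses can be set by the client, as the thread notes, a clean result only shows that no unlisted MAC appeared in this cache, not that every device is authorised.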