From: Erik Nørgaard (norgaard@locolomo.org)
Organization: Locolomo.ORG
Date: Fri, 24 Mar 2006 08:39:42 +0100
To: Mark Jayson Alvarez
Cc: questions@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??
Message-ID: <4423A23E.4010700@locolomo.org>
In-Reply-To: <20060324062540.78420.qmail@web51601.mail.yahoo.com>
List-Id: User questions (freebsd-questions@freebsd.org)

Mark Jayson Alvarez wrote:
> Good day,
>
> We are trying to reorganize our local area network and I need some tips
> on how you are managing your own lan...
>
> We have a vanilla pc router with an interface facing our private lan and
> an interface facing the Internet.
>
> One problem which we are experiencing right now is that any user from
> the private lan can use any ip address he wants. If he boots his
> computer with a stolen ip address, the poor owner of that machine (not
> active at the moment) will automatically give up his ip address to this
> user. The same scenario for public ip addresses. Basically, we need to
> track down the users through their ip address.. But this is trivial as
> of now since anyone can use any ip he wants. Even if there is a solution
> out there to tie his mac address to his ip address.. (sort of checking
> the mac first before giving him an ip, possibly through dhcp..) still,
> users can just download applications which will enable them to change
> their mac address....
>
> Now, we're thinking about authenticating users before they are allowed
> to use a particular network service (internet proxy, mail etc.) because
> I guess it is a clever way of keeping the bad users from doing something
> bad within your network when, after all, the reason why he is plugging
> his lancard into the network is to use a particular service. However, it
> still doesn't keep them from playing around and stealing other ip
> addresses or mac addresses and thus denying network access to those
> legitimate owners. I'm thinking about tying dhcp with authentication,
> and freeradius comes to mind.. I just need some more tips from you.
> Users' workstations are mixed Windows and *nixes. Some have laptops with
> wireless interfaces.
>
> Any idea how to handle these situations??

I once set up such a solution in a student house with about 120 users.
People had their own private pcs so we couldn't just take away their
admin rights on their own pc.

Now, questions to ask:

- Are all users legitimate users? Do users have friends coming in and
  connecting to the network? Is it wired, or do you have neighbors trying
  to use the net also?
- What is the benefit of stealing another user's ip? Do you have
  limitations on access such as download? Is it to hide behind another
  user?

In our case we had a wired network, so all users were legitimate users,
but we had a limitation on download so some users would try to use their
neighbors' ip to get more quota. What we did was:

1) Static ip assigned with dhcp - people wouldn't need to learn to
   configure their computer.
2) Static arp table on the router; to spoof, one would have to spoof the
   mac-address.
3) Require registration of all hosts owned by the user, to hold users
   accountable for their hosts.
4) Count traffic per host, up and download; this was done with ipfilter.
5) Make current usage visible: the users could always check their quota
   and knew when they hit the limit. That way they didn't get surprised
   and annoyed.

This actually worked fine. It was sufficiently complicated to spoof that
people wouldn't bother.

A different and possibly better way around this would be to limit
bandwidth for ports higher than 1023; this is where most file sharing
takes place. You can do that with packet filter. I still haven't figured
out how to effectively implement traffic quotas on packet filter, as
accounting is not so easy.

If your concerns are people trying to hide behind others' identity, or
unauthorized access such as if you have a wireless lan, then there are
two good options:

1) Use authpf with packet filter. This requires the user to authenticate
   with the firewall to get access. No proxy needed.
2) Let each client establish a VPN to the router; this has the advantage
   of also encrypting traffic if you have a wireless or non-switched
   network.

Cheers, Erik

-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9