Date: Fri, 24 Mar 2006 10:40:00 +0100
From: Sten Daniel Sørsdal <lists@wm-access.no>
To: Mark Jayson Alvarez <jay2xra@yahoo.com>
Cc: freebsd-net@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??
Message-ID: <4423BE70.2010807@wm-access.no>
In-Reply-To: <20060324060140.86793.qmail@web51615.mail.yahoo.com>
References: <20060324060140.86793.qmail@web51615.mail.yahoo.com>
Mark Jayson Alvarez wrote:
> Good day,
>
> We are trying to reorganize our local area network and I need some tips on how you are managing your own lan...
>
> We have a vanilla pc router with interface facing our private lan and interface facing the Internet.
>
> One problem which we are experiencing right now is that any user from private lan can use any ip address he wants. If he boots his computer with a stolen ip address, the poor owner of that machine (not active at the moment) will give automatically up his ip address to this user. The same scenario for public ip addresses. Basically, we need to track down the users through their ip address.. But this is trivial as of now since anyone can use any ip he wants. Even if there is a solution out there to tie up his mac address to his ip address.. (sort of checking the mac first before giving him an ip, possibly through dhcp..) still, users can just download applications which will enable him to change his mac address....
>
> Now, we're thinking about authenticating users before he is allowed to use a particular network service (internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when after all, the reason why he is plugging his lan card to the network is to use a particular service. However, it still doesn't keep them from playing around and still other ip addresses or mac addresses and thus denying network access to those legitimate owners.
>
> Any idea how to handle these situations??
> Thanks...

If it's a service provider scenario I would employ vlans. One vlan to each customer. Providing network or Internet service costs more than your typical small company network. Each customer should get his/her own dedicated "line" so to speak.

I would most likely employ /30 networks (or larger) to each customer as this would be the most solid way to do it. This goes for public IP addresses as well. You could bridge the vlans but this will give you grief and if not done right will leave you back at square one.

Some would say PPPoE, which is a fine solution. It comes with its own set of challenges. Many idiotic hobby "admins" out there block icmp altogether. Some even drop fragments.

But managed vlan switches are becoming quite affordable these days. Not only would they help you track down a "sinner" within minutes (instead of hours, if not days). They often come with more than adequate snmp support so you can do real monitoring (even the low end ones).

-- 
Sten Daniel Sørsdal
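
Added example, not part of the original message: a Python sketch of the one-VLAN-and-one-/30-per-customer layout described in the reply, showing how it lets the router tell a legitimate source address from a borrowed one by the VLAN it arrived on. The address block (192.0.2.0/28, a documentation range), the customer names, the VLAN numbering from 101 and the parent interface `em1` are all assumptions made for illustration.

```python
import ipaddress

def build_plan(block, customers, first_vlan=101):
    """Give each customer its own VLAN and its own /30 carved from block."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=30)
    plan = {}
    for vlan, (name, net) in enumerate(zip(customers, subnets), start=first_vlan):
        router, host = net.hosts()  # a /30 has exactly two usable addresses
        plan[vlan] = {"customer": name, "net": net, "router": router, "host": host}
    if len(plan) < len(customers):
        raise ValueError("block too small for one /30 per customer")
    return plan

def rc_conf(plan, parent="em1"):
    """Render FreeBSD rc.conf lines for the router side of every VLAN.
    The parent interface name is an assumption."""
    lines = ['cloned_interfaces="%s"' % " ".join("vlan%d" % v for v in plan)]
    for vlan, e in plan.items():
        lines.append('ifconfig_vlan%d="inet %s/30 vlan %d vlandev %s"'
                     % (vlan, e["router"], vlan, parent))
    return lines

def check_source(plan, vlan, src):
    """Classify a source address by the VLAN it was seen on."""
    entry = plan.get(vlan)
    if entry is None:
        return "unknown-vlan"
    addr = ipaddress.ip_address(src)
    if addr == entry["host"]:
        return "ok"
    for other_vlan, other in plan.items():
        if other_vlan != vlan and addr in other["net"]:
            # Address belongs to another customer's /30: names both parties.
            return "spoofed:" + other["customer"]
    return "not-assigned"

if __name__ == "__main__":
    plan = build_plan("192.0.2.0/28", ["alice", "bob", "carol"])  # constructed data
    print("\n".join(rc_conf(plan)))
    # Constructed observations: (VLAN the frame arrived on, source address)
    for vlan, src in [(102, "192.0.2.6"), (102, "192.0.2.2"), (102, "10.0.0.5")]:
        print(vlan, src, check_source(plan, vlan, src))
```

Because the VLAN identifies the customer port, a mismatch between VLAN and source address points at who sent the traffic as well as whose address was used.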