Date:      Fri, 24 Mar 2006 10:40:00 +0100
From:      Sten Daniel Sørsdal <lists@wm-access.no>
To:        Mark Jayson Alvarez <jay2xra@yahoo.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: How do you keep users from stealing other user's ip??
Message-ID:  <4423BE70.2010807@wm-access.no>
In-Reply-To: <20060324060140.86793.qmail@web51615.mail.yahoo.com>
References:  <20060324060140.86793.qmail@web51615.mail.yahoo.com>


Mark Jayson Alvarez wrote:
> Good day,
>
> We are trying to reorganize our local area network and I need some tips on how you are managing your own LAN...
>
> We have a vanilla PC router with one interface facing our private LAN and one facing the Internet.
>
> One problem which we are experiencing right now is that any user from the private LAN can use any IP address he wants. If he boots his computer with a stolen IP address, the poor owner of that machine (not active at the moment) will automatically give up his IP address to this user. The same scenario applies to public IP addresses. Basically, we need to track down the users through their IP address... But this is trivial as of now since anyone can use any IP he wants. Even if there is a solution out there to tie up his MAC address to his IP address (sort of checking the MAC first before giving him an IP, possibly through DHCP...), still, users can just download applications which will enable them to change their MAC address....
>
> Now, we're thinking about authenticating users before they are allowed to use a particular network service (internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when, after all, the reason why he is plugging his LAN card into the network is to use a particular service. However, it still doesn't keep them from playing around and stealing other IP addresses or MAC addresses and thus denying network access to those legitimate owners.
>
> Any idea how to handle these situations??
> Thanks...

If it's a service provider scenario I would employ VLANs. One VLAN to each customer. Providing network or Internet service costs more than your typical small company network. Each customer should get his/her own dedicated "line" so to speak.

I would most likely employ /30 networks (or larger) to each customer as this would be the most solid way to do it. This goes for public IP addresses as well. You could bridge the VLANs but this will give you grief and if not done right will leave you back at square one.

Some would say PPPoE, which is a fine solution. It comes with its own set of challenges. Many idiotic hobby "admins" out there block ICMP altogether. Some even drop fragments. But

Managed VLAN switches are becoming quite affordable these days. Not only would they help you track down a "sinner" within minutes (instead of hours, if not days). They often come with more than adequate SNMP support so you can do real monitoring (even the low end ones).

-- 
Sten Daniel Sørsdal
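The one-VLAN-plus-one-/30-per-customer design recommended above, worked through as an added example (not code from the thread or from FreeBSD itself): a small generator that hands each customer its own VLAN ID and /30, then emits the FreeBSD 6-era rc.conf lines for the tagged interfaces on the router and one ipfw `antispoof` rule per VLAN interface, so a packet arriving on a customer's VLAN with a source address from another customer's subnet is dropped at the router. The trunk interface `em0`, the starting VLAN ID 101 and the pool 10.0.0.0/24 are constructed values for illustration; the customer names are made up.

```python
"""Per-customer VLAN + /30 allocation with matching FreeBSD router config.

Added example, not from the mailing-list thread.  Assumptions (constructed):
trunk interface em0, first customer VLAN ID 101, address pool 10.0.0.0/24.
"""
import ipaddress

TRUNK_IF = "em0"                              # assumed trunk toward the managed switch
FIRST_VLAN = 101                              # assumed first customer VLAN ID
POOL = ipaddress.ip_network("10.0.0.0/24")    # constructed address pool


def allocate(customers, pool=POOL, first_vlan=FIRST_VLAN):
    """Return one dict per customer: VLAN ID, /30, router and customer address.

    A /30 carries four addresses: network, two usable hosts, broadcast.  The
    router takes the first usable host and the customer the second.  Because
    each customer sits on its own interface and subnet, grabbing a neighbour's
    address no longer steals anything: the router never expects that address
    on this VLAN.
    """
    subnets = pool.subnets(new_prefix=30)     # consecutive /30s from the pool
    plan = []
    for i, name in enumerate(customers):
        net = next(subnets)
        hosts = list(net.hosts())             # exactly two usable hosts in a /30
        plan.append({
            "customer": name,
            "vlan": first_vlan + i,
            "network": str(net),
            "router": str(hosts[0]),
            "customer_ip": str(hosts[1]),
        })
    return plan


def rc_conf(plan, trunk=TRUNK_IF):
    """Emit rc.conf lines: clone one vlan(4) interface per customer on the trunk."""
    names = " ".join(f"vlan{p['vlan']}" for p in plan)
    lines = [f'cloned_interfaces="{names}"']
    for p in plan:
        lines.append(
            f'ifconfig_vlan{p["vlan"]}="inet {p["router"]} '
            f'netmask 255.255.255.252 vlan {p["vlan"]} vlandev {trunk}"'
        )
    return lines


def ipfw_rules(plan):
    """One antispoof rule per VLAN interface.

    ipfw's `antispoof` option matches inbound packets whose source address
    belongs to a directly connected subnet only if they arrived on that
    subnet's interface; `not antispoof` therefore selects packets claiming a
    source from some other customer's /30, which we deny.
    """
    rules = []
    for n, p in enumerate(plan, start=1):
        rules.append(
            f"ipfw add {100 * n} deny ip from any to any "
            f"not antispoof in recv vlan{p['vlan']}"
        )
    return rules


if __name__ == "__main__":
    plan = allocate(["alice", "bob", "carol"])  # constructed customer list
    for line in rc_conf(plan) + ipfw_rules(plan):
        print(line)
```

Running the module prints the rc.conf and ipfw lines for three constructed customers; the generated rules assume the VLAN interfaces are already up with the addresses from the plan, since `antispoof` is evaluated against the interface addresses the kernel actually has.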





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4423BE70.2010807>