Discussion:
How do you keep users from stealing other user's ip??
(too old to reply)
Mark Jayson Alvarez
2006-03-24 06:25:40 UTC
Permalink
Good day,


We are trying to reorganize our local area network and I need some tips on how you are managing your own lan...

We have a vanilla pc router with interface facing our private lan and interface facing the Internet.

One problem which we are experiencing right now is that any user from private lan can use any ip address he wants. If he boots his computer with a stolen ip address, the poor owner of that machine(not active at the moment) will give automatically up his ip address to this user. The same scenario for public ip addresses. Basically, we need to track down the users through their ip address.. But this is trivial as of now since anyone can use any ip he wants. Even if there is a solution out there to tie up his mac address to his ip address..(sort of checking the mac first before giving him an ip, possibly through dhcp..) still, users can just download applications which will enable him to change his mac address....

Now, where thinking about authenticating users before he is allowed to use a particular network service(internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when after all, the reason why he is plugging his lancard to the network is to use a particular service. However, it still doesn't keep them from playing around and steal other ip addresses or mac addresses and thus denying network access to those legitimate owners. I'm thinking about tying dhcp with authentication, and freeradius comes to mind.. I just need some more tips from you. User's workstations are mixed Windows and *nixes. Some have laptops with wireless interfaces.

Any idea how to handle this situations??
Thanks...



---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Chad Leigh -- Shire.Net LLC
2006-03-24 06:52:55 UTC
Permalink
Post by Mark Jayson Alvarez
Good day,
We are trying to reorganize our local area network and I need
some tips on how you are managing your own lan...
We have a vanilla pc router with interface facing our private lan
and interface facing the Internet.
One problem which we are experiencing right now is that any user
from private lan can use any ip address he wants. If he boots his
computer with a stolen ip address, the poor owner of that machine
(not active at the moment) will give automatically up his ip
address to this user. The same scenario for public ip addresses.
Basically, we need to track down the users through their ip
address.. But this is trivial as of now since anyone can use any ip
he wants. Even if there is a solution out there to tie up his mac
address to his ip address..(sort of checking the mac first before
giving him an ip, possibly through dhcp..) still, users can just
download applications which will enable him to change his mac
address....
Now, where thinking about authenticating users before he is
allowed to use a particular network service(internet proxy, mail
etc.) because I guess it is a clever way of keeping the bad users
from doing something bad within your network when after all, the
reason why he is plugging his lancard to the network is to use a
particular service. However, it still doesn't keep them from
playing around and steal other ip addresses or mac addresses and
thus denying network access to those legitimate owners. I'm
thinking about tying dhcp with authentication, and freeradius comes
to mind.. I just need some more tips from you. User's workstations
are mixed Windows and *nixes. Some have laptops with wireless
interfaces.
Any idea how to handle this situations??
Why do you have bad users? (I assume this is some sort of company?)
Set a policy and punish those that screw around. Most companies I
have seen do not give admin privileges to the users so the user
cannot change his IP or MAC address and if you force them to use DHCP
you can also tie the MAC to the IP.

This is not a technical problem per se but an administrative policy
problem.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
Erik Nørgaard
2006-03-24 07:39:42 UTC
Permalink
Post by Mark Jayson Alvarez
Good day,
We are trying to reorganize our local area network and I need some tips on how you are managing your own lan...
We have a vanilla pc router with interface facing our private lan and interface facing the Internet.
One problem which we are experiencing right now is that any user from private lan can use any ip address he wants. If he boots his computer with a stolen ip address, the poor owner of that machine(not active at the moment) will give automatically up his ip address to this user. The same scenario for public ip addresses. Basically, we need to track down the users through their ip address.. But this is trivial as of now since anyone can use any ip he wants. Even if there is a solution out there to tie up his mac address to his ip address..(sort of checking the mac first before giving him an ip, possibly through dhcp..) still, users can just download applications which will enable him to change his mac address....
Now, where thinking about authenticating users before he is allowed to use a particular network service(internet proxy, mail etc.) because I guess it is a clever way of keeping the bad users from doing something bad within your network when after all, the reason why he is plugging his lancard to the network is to use a particular service. However, it still doesn't keep them from playing around and steal other ip addresses or mac addresses and thus denying network access to those legitimate owners. I'm thinking about tying dhcp with authentication, and freeradius comes to mind.. I just need some more tips from you. User's workstations are mixed Windows and *nixes. Some have laptops with wireless interfaces.
Any idea how to handle this situations??
I once set up such a solution in a student house with about 120 users.
People had their own private pcs so we couldn't just take away their
admin rights on their own pc.

Now, question to ask:

- Are all users legitimate users? Do users have friends coming in and
connect to the network? is it wired or do you have neighbors trying to
use the net also?

- What is the benefit of stealing another users ip? Do you have
limitations on access such as download? Is it to hide behind another user?

In our case we had a wired network, so all users was legitimate users,
but we had a limitation on download so some users would try to use their
neighbors ip to get more quota.

What we did was:

1) Static ip assigned with dhcp - people wouldn't need to learn to
configure their computer.

2) Static arp table on router, to spoof, one would have to spoof
mac-address.

3) Require registration of all hosts owned by the user: To hold users
accountable for their hosts.

4) Count traffic per host, up and download, this was done with ipfilter.

5) Make current usage visible, the users could always check their quota
and knew when they hit the limit. That way they didn't get surprises and
annoyed.

This actually worked fine. It was sufficiently complicated to spoof that
people wouldn't bother.

A different and possibly better way around this would be to limit
bandwidth for ports higher than 1023, this is where most file sharing
takes place. You can do that with packet filter, I still haven't figured
how to effectively implement traffic quotas on packet filter as
accounting is not so easy.

If your concerns are people trying to hide behind others identity, or
unauthorized access such as if you have a wireless lan, then there are
two good options:

1) Use authpf with packet filter. This requires the user to authenticate
with the firewall to get access. No proxy needed.

2) Let each client establish a VPN to the router, this have the
advantage of also encrypting traffic if you have a wireless or
non-switched network.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Mark Jayson Alvarez
2006-03-24 08:07:57 UTC
Permalink
Hi,

Ok here's our problems. Mostly pertaining to tracking down who is this user eating up our bandwidth or who is this user flooding our network.

1. Users when they want to plug a machine to the network... let's say their own testbeds, they will choose whatever ip they want possibly stealing used ip's.

2. Users workstations are mixed Windows and *nixes. Most windows machines are getting infected with worm from time to time... Some of them are not so skillful enough to clean their own workstations. Given an unmanaged ip allocation, it would also be hard to trace which machines are causing the network congestion.

3. Some users with public workstations and testbeds are eating up bandwidth through file sharing...Still hard to trace this without proper ip allocation management.






Erik Nørgaard <***@locolomo.org> wrote:
I once set up such a solution in a student house with about 120 users.
People had their own private pcs so we couldn't just take away their
admin rights on their own pc.

Now, question to ask:

- Are all users legitimate users? Do users have friends coming in and
connect to the network? is it wired or do you have neighbors trying to
use the net also?

- What is the benefit of stealing another users ip? Do you have
limitations on access such as download? Is it to hide behind another user?

In our case we had a wired network, so all users was legitimate users,
but we had a limitation on download so some users would try to use their
neighbors ip to get more quota.

What we did was:

1) Static ip assigned with dhcp - people wouldn't need to learn to
configure their computer.

2) Static arp table on router, to spoof, one would have to spoof
mac-address.

3) Require registration of all hosts owned by the user: To hold users
accountable for their hosts.

4) Count traffic per host, up and download, this was done with ipfilter.

5) Make current usage visible, the users could always check their quota
and knew when they hit the limit. That way they didn't get surprises and
annoyed.

This actually worked fine. It was sufficiently complicated to spoof that
people wouldn't bother.

A different and possibly better way around this would be to limit
bandwidth for ports higher than 1023, this is where most file sharing
takes place. You can do that with packet filter, I still haven't figured
how to effectively implement traffic quotas on packet filter as
accounting is not so easy.

If your concerns are people trying to hide behind others identity, or
unauthorized access such as if you have a wireless lan, then there are
two good options:

1) Use authpf with packet filter. This requires the user to authenticate
with the firewall to get access. No proxy needed.

2) Let each client establish a VPN to the router, this have the
advantage of also encrypting traffic if you have a wireless or
non-switched network.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9



---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Olivier Nicole
2006-03-24 08:17:04 UTC
Permalink
Post by Mark Jayson Alvarez
1. Users when they want to plug a machine to the network... let's
1. say their own testbeds, they will choose whatever ip they want
1. possibly stealing used ip's.
Use DHCP, then users do not have to choose an IP, it is given to them.
Plus it gives them all parameterstheyneed to configure their machineto
acces the network (like netmask, gateway, DNS...)

DHCP keeps logs of what IP wasassigne to what machine (for Windows you
have the windows name of the machine) so you can track what is what
down.

If you are dealing with users that have little knowledge and not with
hackers (and it seems to be your case) DHCPo will solve 90% of your
problems.

Olivier
Erik Norgaard
2006-03-24 08:32:43 UTC
Permalink
Post by Mark Jayson Alvarez
Hi,
Ok here's our problems. Mostly pertaining to tracking down who is this
user eating up our bandwidth or who is this user flooding our network.
1. Users when they want to plug a machine to the network... let's say
their own testbeds, they will choose whatever ip they want possibly
stealing used ip's.
2. Users workstations are mixed Windows and *nixes. Most windows
machines are getting infected with worm from time to time... Some of
them are not so skillful enough to clean their own workstations. Given
an unmanaged ip allocation, it would also be hard to trace which
machines are causing the network congestion.
3. Some users with public workstations and testbeds are eating up
bandwidth through file sharing...Still hard to trace this without proper
ip allocation management.
If the problem is that users choose occupied ips by accident rather than
by bad will, then use dhcp. Windows users and novices will thank you for
not having to deal with the configuration and you can say "just plug it
in and it works".

If you want to make people aware of what it means to be on the network,
register their hosts with mac address and have them sign a paper with
your AUP. Track changes with arpwatch.

Assign a segment of your address space to testbeds, tell people who want
to experiment that they choose an ip in that segment. That segment
should be blocked or only have access to limited services such as dns,
ftp and http.

Block all access to port 25 on internet to make sure that mail is sent
through your mailserver. Require authentication for smtp. This means
that at least you won't spread the viruses that infect the windows clients.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Ted Mittelstaedt
2006-03-26 10:05:54 UTC
Permalink
Hi Mark,

The only way you can really lock it down is to statically assign
everything (either with a DHCP server that has a table of mac addresses)
and maintain an accurate list of mac addresses, and use managed switches
that have filtering capabilities.

We do this on bridged DSL networks (except for the managed switch part)
and it's actually a lot easier to manage that most people think.

What you have to do is when a new person hooks into the network,
you give them a test IP address, you ping that, get their MAC for that,
then hard code that into your DHCP server and tell them to switch
over to DHCP to get their permanent address. Once they do that, hard-
code the IP address and mac in the router ARP table, and install a
filter on the switch port going to them that ignores any traffic
that originates from a different MAC than the one that you probed
from them.

Ted
-----Original Message-----
Alvarez
Sent: Thursday, March 23, 2006 10:26 PM
Subject: How do you keep users from stealing other user's ip??
Good day,
We are trying to reorganize our local area network and I need
some tips on how you are managing your own lan...
We have a vanilla pc router with interface facing our private
lan and interface facing the Internet.
One problem which we are experiencing right now is that any
user from private lan can use any ip address he wants. If he
boots his computer with a stolen ip address, the poor owner of
that machine(not active at the moment) will give automatically
up his ip address to this user. The same scenario for public ip
addresses. Basically, we need to track down the users through
their ip address.. But this is trivial as of now since anyone
can use any ip he wants. Even if there is a solution out there
to tie up his mac address to his ip address..(sort of checking
the mac first before giving him an ip, possibly through dhcp..)
still, users can just download applications which will enable
him to change his mac address....
Now, where thinking about authenticating users before he is
allowed to use a particular network service(internet proxy,
mail etc.) because I guess it is a clever way of keeping the
bad users from doing something bad within your network when
after all, the reason why he is plugging his lancard to the
network is to use a particular service. However, it still
doesn't keep them from playing around and steal other ip
addresses or mac addresses and thus denying network access to
those legitimate owners. I'm thinking about tying dhcp with
authentication, and freeradius comes to mind.. I just need some
more tips from you. User's workstations are mixed Windows and
*nixes. Some have laptops with wireless interfaces.
Any idea how to handle this situations??
Thanks...
---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your
PC and save big.
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.3.1/292 - Release Date: 3/24/2006
Jonathan Horne
2006-03-26 14:37:00 UTC
Permalink
You make it sound like they are doing it on purpose. Could it be the lease
duration is so short that the ips are going back into the pool before they
are truly abandoned by the original user? If you look at the behavior of
the MS DHCP server, the lease duration is 8 days (with standard 4 day
renewal). If it takes 8 days for it to back into the pool, this should be
more than enough time for a user to go home for the weekend, and hopefully
get the same ip when they get back to work. I would suggest increasing the
lease duration time and see if that stops users from stepping on each others
dhcp leases (don't forget, in the typical dhcp-request conversation, the
client asks "hey, I had x.x.x.x last, is it still available for me?" you
want the server to be able to say "sure"). On my freebsd router, the DHCP
server came with a 1 hour lease duration (which causes a 30 minute renewal..
IMO this is too fast).

Second, you mentioned that users could just download software that would
allow them to change their mac address. It sounds like some users have too
high a rights assignment, if they are causing mischief like that.

Cheers,
jonathan

-----Original Message-----
From: owner-freebsd-***@freebsd.org
[mailto:owner-freebsd-***@freebsd.org] On Behalf Of Ted Mittelstaedt
Sent: Sunday, March 26, 2006 4:06 AM
To: Mark Jayson Alvarez; ***@freebsd.org
Subject: RE: How do you keep users from stealing other user's ip??

Hi Mark,

The only way you can really lock it down is to statically assign
everything (either with a DHCP server that has a table of mac addresses)
and maintain an accurate list of mac addresses, and use managed switches
that have filtering capabilities.

We do this on bridged DSL networks (except for the managed switch part)
and it's actually a lot easier to manage that most people think.

What you have to do is when a new person hooks into the network,
you give them a test IP address, you ping that, get their MAC for that,
then hard code that into your DHCP server and tell them to switch
over to DHCP to get their permanent address. Once they do that, hard-
code the IP address and mac in the router ARP table, and install a
filter on the switch port going to them that ignores any traffic
that originates from a different MAC than the one that you probed
from them.

Ted
-----Original Message-----
Alvarez
Sent: Thursday, March 23, 2006 10:26 PM
Subject: How do you keep users from stealing other user's ip??
Good day,
We are trying to reorganize our local area network and I need
some tips on how you are managing your own lan...
We have a vanilla pc router with interface facing our private
lan and interface facing the Internet.
One problem which we are experiencing right now is that any
user from private lan can use any ip address he wants. If he
boots his computer with a stolen ip address, the poor owner of
that machine(not active at the moment) will give automatically
up his ip address to this user. The same scenario for public ip
addresses. Basically, we need to track down the users through
their ip address.. But this is trivial as of now since anyone
can use any ip he wants. Even if there is a solution out there
to tie up his mac address to his ip address..(sort of checking
the mac first before giving him an ip, possibly through dhcp..)
still, users can just download applications which will enable
him to change his mac address....
Now, where thinking about authenticating users before he is
allowed to use a particular network service(internet proxy,
mail etc.) because I guess it is a clever way of keeping the
bad users from doing something bad within your network when
after all, the reason why he is plugging his lancard to the
network is to use a particular service. However, it still
doesn't keep them from playing around and steal other ip
addresses or mac addresses and thus denying network access to
those legitimate owners. I'm thinking about tying dhcp with
authentication, and freeradius comes to mind.. I just need some
more tips from you. User's workstations are mixed Windows and
*nixes. Some have laptops with wireless interfaces.
Any idea how to handle this situations??
Thanks...
---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your
PC and save big.
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.3.1/292 - Release Date: 3/24/2006
_______________________________________________
freebsd-***@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-***@freebsd.org"
Continue reading on narkive:
Loading...