Discouraging Static IP Addresses

[Scimitar]

Newbie Question time:

In my college, we run a DHCP server which maps users MAC addresses to IPs - in other words, the whole setup keeps allocated IPs static - the machine always gets the same IP, and the network admin gets to keep a record of used/unused IPs. In the student labs, of course, the machine privileges don't allow folks to mess with the network config, but faculty machines, machines in graduate/research labs are administered by their owners. How would one prevent any of them from just running a ping sweep over the network, finding out which ip is down, and allocating it to themselves? It happens a lot actually, and can be a pain when the admin would want to track a machine and its not in the DNS/DHCP. And more importantly, can be a major security issue in labs without port security on the switches; anyone can attach up their machine, allot themselves an IP address, and mess around on ther network.

Thanx for any info folks,

_Scim_

[slarty]

Perhaps you can get really clever and hook your router's ACL into the DHCP server's list of allocated IPs, then people with "unofficial" IPs won't be able to route packets to the internet, which should discourage them from using them.

Then make the DHCP server only hand out IPs to registered MAC addresses, and rogue machines should not be able to connect.

The trick might be to get the DHCP server to run a script when an address is allocated or released, to send a message to the router to add / remove it from its ACL to allow net access?

Could work

Slarty

[s0nIc]

well it can also depend on what OS ur servers are runnin. Win2K Adv. Server (i havent used Win3K server yet) can keep a list of authorized MAC Address with matching machine names. and only those in the LIST can get in contact with the DHCP Server or the Network. outsiders wont get anything from the DHCP, its also good to limmit the range of IPs and make exclusions of what the DHCP server can give out. so outside "jacking" can be avoided. and i know some (coz i havent tried all) CISCO Routers can store MAC Addresses too and u can keep them exclusive so the ones on the list cannot join in the network UNLESS they have admin rights.

[slarty]

Originally posted here by s0nIc
well it can also depend on what OS ur servers are runnin. Win2K Adv. Server (i havent used Win3K server yet) can keep a list of authorized MAC Address

Not really.

Any DHCP server worth its salt can do that. The one on NT4 certainly could, and Unix ones I've used can too. The main problem is the admin overhead of maintaining that MAC address list.

In any case, merely handing out DHCP addresses to authorised addresses won't stop rogues because they don't need to use a DHCP address, they can just find an unused IP and assume that (as the OP stated).

So in fact that approach won't help on its own.

Slarty

[Scimitar]

Hi Sonic - I think you misunderstood me a bit. The present DHCP setup we have is exactly what u suggested. The server has a record of all legal MAC addresses and corresponding IPs, and any outsider just plugging in and requesting an IP can't achieve anything. The point is that folks just ping sweep a small range on the network, and grab any free IP on the network, instead of submitting their MAC address to the admin for a proper entry into the DHCP/DNS and subsequent ip allocation. [It just takes 3 minutes or so to enter that data, so its definitly not a bottleneck].

Hey Slarty, That suggestion was.. NICE! LIke the sound of that, sounds pretty nifty, BUT, given that I don't know anything about ACLs... wouldn't the router having to check up the source/destination of every IP address that passes through against a possibly huge IP list in its ACL really slow things down?

A friend suggested something else: Using a network management tool like HP OpenView/TNS etc to receive traps from switches whenever a new machine is connected up or the host IP at a switch's port changes. The monitoring station could check up with the DHCP if the IP address/MAC is legitimate or not. If not, either alert the admin, OR, get the switch to disable the said port.

Will look into Slarty's idea and the above. Not really sure if all the switches (if any) in the college can send traps like the above. I'd like to know what other major enterprises use:
a) Nobody can have admin rites to their machines?
b) Catch culprits through Routers ACLs?
c) Network Management issue?

Thanx for your input, Slarty, Sonic.

_Scim_

[slarty]

Originally posted here by Scimitar
[B]Hey Slarty, That suggestion was.. NICE! LIke the sound of that, sounds pretty nifty, BUT, given that I don't know anything about ACLs... wouldn't the router having to check up the source/destination of every IP address that passes through against a possibly huge IP list in its ACL really slow things down?

Depends how many there are, and how good the router is. To some extent, yes, but routers are designed to be able to cope with significant ACL sizes.

I guess if you have less than 1k boxes, you should be ok. If you're using more than 1k boxes on the same ethernet segment, you may need to break your network up more, as the broadcast traffic may get excessive. There won't be more rules in the ACL than there are (legit) boxes.

A friend suggested something else: Using a network management tool like HP OpenView/TNS etc to receive traps from switches whenever a new machine is connected up or the host IP at a switch's port changes. The monitoring station could check up with the DHCP if the IP address/MAC is legitimate or not. If not, either alert the admin, OR, get the switch to disable the said port.

That sounds like a very good idea. Unfortunately I spotted a bad scenario:
Disabling a port could DoS legit boxes that happen to share a port with an illegitimate box.

In any case, why could you not just enable security on your switches and only allow registered MAC addresses?

Slarty

[Scimitar]

The number of nodes doesn't exceed a thousand and the routers a Layer 3 Cisco Cat 3550 switch, [which I believe is a pretty good workhorse], so I definitly gonna look more into this ACL scenario. Regarding using a network mngmnt tool, I checked up on what you said bout DoSing out legit boxes. But given that we don't have any shared hubs, only switches, down to the point where the nodes cable into the patch panel, that shouldn't be a problem. In other words, there won't be more than 2 nodes sharing the same switch port. But, that ACL thing seems rather more nifty and more fun to do.

Regarding the port security issue, not all switches in the college [Read OLD equipment] support that. As such, I'm not too sure if the management agents on those switches are capable of sending traps whenever there is any illegit activity on a port. BUT, even if we had port security, whereby the switch maps port to MAC address, it still wouldn't address the issue of IP management: Folks would still be grabbing off any free IP off the network instead of being decent and submitting their MAC to the admin.

Thanx again Slarty,

_Scim_

[cgkanchi]

Couldn't people just spoof a MAC address too? I've personally spoofed IP/Mac addresses together. Run a ping/MAC sweep (it'll tell you the MACs of all connected machines) and save the list. Next time that machine isn't on, spoof the MAC and the IP. What I'm trying to say is, that anyone who ping sweeps has a reason to do it. And spoofing MAC addresses isn't that much harder than ping sweeping.
Cheers,
cgkanchi

[ammo]

I have to agree with cgkanchi here...
It should be reasonably easy for someone to build a database of MAC/IP pairs (using nbtstat -A <IP>, or by sniffing, or with someother tool (public SNMP?), or by visiting open computers (labs...). Thus circumventing the whole mechanism... (although there might be routing issues, but still...).

I don't think there's a hackproof way of doing this besides using a machin level authentication...


Ammo

[Scimitar]

Okay, given that this topic is shifting from network management (IP mngmnt) to security [no surprises there given the nature of the site ], I think cgkanchi and ammo did really open a can of worms. If someone is able to spoof a MAC address and grab the associated IP (DoS the legit box?), port security or the ACL-DHCP combination mentioned by slarty would basically be bypassed. Nice lil thing to try though.

So, what other way would there be to secure a LAN? Ammo, what'd you mean by 'machine level authentication'? And how would that be done?

Thanx guys,
_Scim_