Discouraging Static IP Addresses

Printable View

Show 40 post(s) from this thread on one page

December 26th, 2003, 07:53 PM
rapier57

We have a similar situation to what Scimitar described. Controlling laptops or non-college-owned systems connecting to the network is a challenge at any time.

At the server level, IPSec and Certificates for Server-to-Server communication is required. IPSec is required in the rest of the network (clients, servers). We are considering adding certificate requirements for all clients, as well. Rogue machines can assume an unused IP, but cannot acces the network servers, services or resources. Authorized laptops get a registered IP, and cannot access the network servers, services or resources. The only thing they can do is access the internet.

We have a few other things. But that is the gist. So far, it is working as well as could be expected. Traffic is monitored and machines that have P2P, are zombied or demonstrate compromised behavior are immediately cut from the herd.
December 26th, 2003, 08:36 PM
nebulus200

Just wanted to mention, with the Cisco devices, there are two different levels of port security. Both of which would probably help you:

1) Based on MAC. You essentially assign a MAC to that port and only that MAC can use that port. This prevents anyone from just plugging in and going. It is the most secure but can be very labor intensive.

2) Based on MAC per port. This would allow only one MAC to occupy one port. This prevents a switch from being plugged into a port and then multiple machines using the port. It also stops attacks like ettercap and dsniff since only one MAC can be used by that port. Anything else spoofed would be ignored. It would also serve to isolate that port from other machines in the network, only allowing them to get to the default route...which would have interesting effects on someone trying to do a ping sweep :)

Anyway, don't have the articles to point to right now, but look into it, I think what you are needing is nothing more than some port security on your switches. You may not be able to cover everything (because of some of your legacy switches), but you should be able to at least start and then maybe hit up management for some upgrades.

/nebulus
December 28th, 2003, 10:44 PM
sn0rf

I've implemented such a solution for more than 2 years in a university. It's based on VPN (PPTP) channels, managed by a Win2000 NAS and authenticated by a RADIUS/SQL server. The whole system runs very stable and we don't care about laptops, MAC and IP spoofing etc. :)
This design is easy to implement, because of the supported VPN function in win9x/NT/2000/XP dial-up networking.
The only problem we've discovered was with the win9x clients and transparent proxy (this doesn't happen without the transparent proxy function). The IPSec win9x client/patch from Microsoft solves the problem (regardless of the only PPTP function in use).
Authentication is based on username/password pairs and the same database is responsible for user mailboxes auth as well.
There's also a web/php frontend for users to check their accounting records.
December 29th, 2003, 02:58 PM
Tiger Shark

If you simply want to remove unsused IP addresses to prevent their use you can do it with a Win2k/XP box sat on the network. It's a little extra overhead in terms of management but it ensures that there are no unusued IP's lying around.

Simply assign all "unused" IP's to the Win2k/XP box. Any machine using a ping sweep will find all IP's in use, (assuming the authorized PC's are switched on), and anyone trying to randomly pick an IP will have the interface closed down on them due to an IP conflict.

It's not very secure but it keeps the lame ones off the network you don't want them on.
December 30th, 2003, 06:01 AM
Scimitar

Apologies for not getting back to this thread earlier. The Saturday earthquake had knocked out some of the uplink lines. Thanks a lot for your responses everyone, am very grateful.

But regarding what TigerShark said... assigning all free IPs to a single machine - sounds something that would be rudimentary but at least effective till the admins can look into VPNs and the access list system. But is it possible to assign more than one IP on a machine having a single interface? Googling for it rite now myself.

Thanx

_Scim_
December 30th, 2003, 08:43 AM
Scimitar

Answering me own query earlier:

Assigning more than one IP address to a single interface such as eth0 on linux can be done as follows:

> ifconfig eth0:1 192.168.x.1 up
> ifconfig eth0:2 192.168.x.2 up

and so on...

However this configuration is erased whenever the machine boots up. Making this config permament across multiple boots shouldn't be too difficult - maybe include it as a startup script. Will have to ask the unix admin about that.

Again thanx folks, been a grand help.

_Scim_
December 30th, 2003, 12:15 PM
FyreMouse

Am I correct in assuming the assignment of the multiple IP's to a single nic is a very manual process. Since this appears to be heavy on the admin side is there a way to do this dynamically? Or simply to automate the process?

(thinking out loud) Then again, I suppose you don't want to automate it, a new user applies for an IP via whatever means email, form, ect and you assign him the IP and remove it from the Holding NIC's Range. The user then uses a Static IP that can be useful for tracking usage statistics and access control. Now the first indication of problems will be if there are reports of duplicated IP's on the network...what are some of the Security issues we might see in this? How can we further lock down this type of scenario?
December 30th, 2003, 11:20 PM
sn0rf

Folks, the smart way to circumvent such a problem is to implement strong authentication by means of VPN. It's really secure and productive mechanism. ;)
December 31st, 2003, 04:31 AM
s0nIc

but a new subnet would be cheaper, a vpn can cost coz u will need aditional softwares, and protocols. and other legal crap that goes along with it.
January 3rd, 2004, 03:47 AM
chsh

Quote:

Originally posted here by FyreMouse
[B]Am I correct in assuming the assignment of the multiple IP's to a single nic is a very manual process. Since this appears to be heavy on the admin side is there a way to do this dynamically? Or simply to automate the process?

Scripting is something EVERY sys/netadmin should be familiar with IMO.

Code:

#!/usr/bin/perl my($i, $num_addr, $base_addr); // set the number of addresses we need to take up $num_addr = 150; // set the base address to start assigning to the virtual interfaces. $base_addr = 50; for ($i=1; $i<=$num_addr; $i++) { exec("/sbin/ifconfig eth0:".$i." 192.168.0.".($i + $base_addr)." up"); }

Show 40 post(s) from this thread on one page