Protect Static IP Addresses
Hey all, some user showed me something I hadn't yet considered. I have all of my servers on static IP addresses with DHCP enabled on one for XP clients.
Various servers between 192.168.0.1 - 20
DHCP enabled for users between 192.168.0.200 - 250
Anyway, some business partner, from another business and network, walked in off the street. I got him on the network and before I knew it everything stopped working.
Some d-bag configured him with a static IP address - the same one as my DHCP/DNS server. I need to ensure this never happens again.
My question is: how would you protect a range of IP addresses on Linux?
I would prefer that, even if a Windows XP/Vista user attempts to connect to this network, they receive the message telling them that the IP address is already in use - not me when I try to restart the network service on the server.
Any help is appreciated.
You can't really, not in any completely satisfactory way. If a machine connects to your network with a static IP you are already using, there is nothing you can do to stop them. You can have the server hammer ARP to always maintain its association with the IP, but that is going to flood the network with constant chatter.
A better option would be to set static ARP entries in all of your clients, but then this has its own problems. Namely, if your client machines are mobile or dynamic, which is to say that you allow machines to simply be added or removed from the network at the user's will (which seems the case here, since this person brought in his own machine). It could also be a hassle later on when the server hardware is changed; your successor might have quite a time trying to figure out why none of the machines are talking to the new server. It should also be noted that this won't necessarily stop somebody from intentionally trying to confuse the client machines, as an attacker could simply spoof the MAC that is statically listed in the client's ARP tables.
Advanced switches can do static ARP tables, which would be a little easier to manage than having to set it in all the client machines. You would need to check what your network hardware is capable of.
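The reply above says a duplicate static IP cannot really be prevented, which leaves detecting it quickly. The following is an added example, not code from the thread: it scans tcpdump-style ARP reply lines (the sample lines are constructed) and reports any IP answered by more than one MAC, optionally limited to a protected server range like the poster's 192.168.0.1-20. The range bounds and log format are assumptions.

```python
import ipaddress
import re

# Constructed tcpdump-style ARP reply lines (not from the thread).
# 192.168.0.2 is claimed by two different MACs: the server/DHCP conflict
# described in the original post. 192.168.0.210 also conflicts, but it
# sits in the DHCP client pool, outside the protected server range.
SAMPLE_ARP_LOG = """\
10:02:11.100 ARP, Reply 192.168.0.2 is-at 00:11:22:33:44:55, length 28
10:02:11.300 ARP, Reply 192.168.0.7 is-at 00:11:22:33:44:66, length 28
10:02:12.900 ARP, Reply 192.168.0.2 is-at aa:bb:cc:dd:ee:ff, length 28
10:02:13.000 ARP, Reply 192.168.0.210 is-at 00:11:22:33:44:77, length 28
10:02:13.200 ARP, Reply 192.168.0.2 is-at 00:11:22:33:44:55, length 28
10:02:14.500 ARP, Reply 192.168.0.210 is-at 00:11:22:33:44:88, length 28
"""

# Matches the "<ip> is-at <mac>" part of a tcpdump ARP reply line.
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def find_ip_conflicts(lines):
    """Return {ip: sorted MACs} for every IP answered by more than one MAC."""
    seen = {}
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # not an ARP reply; ignore requests and other traffic
        ip, mac = m.group(1), m.group(2).lower()
        seen.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def conflicts_in_range(lines, start="192.168.0.1", end="192.168.0.20"):
    """Restrict conflicts to the (assumed) protected server range."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return {ip: macs for ip, macs in find_ip_conflicts(lines).items()
            if lo <= ipaddress.ip_address(ip) <= hi}


if __name__ == "__main__":
    for ip, macs in conflicts_in_range(SAMPLE_ARP_LOG.splitlines()).items():
        print("CONFLICT in server range: %s claimed by %s" % (ip, ", ".join(macs)))
```

On a live network the same functions can be fed from `tcpdump -l -n arp` piped line by line, so the alert fires when the duplicate appears rather than when the server's network restart fails.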
Best option would be to move from 192.168.0.0/24, 192.168.1.0/24, etc. subnets, and use something like 192.168.199.0/24. I do not understand why EVERYBODY has to use 192.168.0.0/24 and 192.168.1.0/24 subnets when 95% of the world's WAN, ADSL and wireless routers and APs use them. That is like standing in the middle of the fastest lane on a crowded motorway hoping you will not be hit by speeding cars.
Also, it is good practice to set your DHCP server, gateway and such to IPs other than .1. Why not use .100 or .200 for such devices/routers? Once set, you will forget all about them unless you need to test your network.
Yet another piece of advice is to establish a separate logical (another subnet) or physical network that will serve as easy access for business partners, with a much higher level of security.
Interesting, but how...
I know that VPNs can link different logical networks but that seems like overkill. If you're talking about something different, then please throw some key words at me. I'll do the legwork, test, and post the results.