On Sun, Oct 07, 2001 at 02:45:38PM +0200, Miquel van Smoorenburg wrote:
| According to Alvin Oga:
| > hi ya miquel
| >
| > > > if you are worried about security....
| > > > - disable dhcp and use all ip# defined by the "mask"
| > >
| > > That doesn't make much sense.
| >
| > if one has a class-C ip# ..and only using 20 ip# out of the range..
| > it is easy for someone to plug in an unauthorised machine into
| > your network... and sniff anything they like..
|
| You don't need an IP number to sniff the network. If someone can
| plug in to your network you're compromised anyway.

True -- a passive ethernet frame sniffer can be plugged in.

| > - laptops being plugged in w/ security audit is a prime example
| > of someone plugging stuff in w/o telling anybody
| >
| > - the laptops could have been hacked while on the home lan
| > and now gets to transfer itself to the secure office lan
| >
| > - so to prevent that... i disable dhcp ... and use the proper
| > broadcast and netmasks needed to eliminate un-used ip# that
| > could be used by floating laptops
|
| If you use 20 out of 32 IP addresses, the attacker can still guess
| an IP number by listening for ARP requests and guessing which
| range you use. It's simple. Even if you use the whole range there's
| always one PC or laptop turned off so that its IP address is free.

Yeah, it can be fun to steal IPs sometimes. For example I don't have DHCP set up at home. When I brought a laptop from work (it had win2k, but that is irrelevant) home I had to give it a static IP. When I took it back to the office I had to reset it to use a dynamic IP. This is a pain, so I simply picked an IP that wasn't being used at work and used it statically. This worked great because both networks were in 192.168.0.0/24 and had 192.168.0.1 as the gateway.

| Even if you use a switch and put MAC address filters on the
| switch an attacker can simply unplug an existing PC / laptop
| and take over its MAC address.

No, the MAC address is in the ethernet card, not the outlet in the wall.

I even have actual experience with this. I have taken a laptop to school. In the 2 labs I spend most of my time in, there are no spare ethernet jacks. I simply unplug one of the 'doze2k boxen and plug my woody laptop in. Still, even though I brought up the interface using DHCP and got an IP, I could only reach the class C I was on, the DNS server, and a certain web site. After talking with the admin of the labs I learned that ISC only routes hosts whose MAC address is in their database and associated with a username. The web site I could access is the internal site used to register the MAC with the username. Now that I have registered the MAC I get routed properly.

-D
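The defender's counterpart to the thread's two points (a partly used /27 where unused addresses can be claimed, and a host whose jack and MAC are taken over), as an added example that is not part of this thread or anyone's posted code: a small Python audit that checks observed ARP replies against a static address inventory. The subnet, the inventory MACs and the ARP log lines are all constructed for the example.

```python
"""Audit observed ARP replies against a static address inventory.

Added example, not from the list discussion. On a statically addressed
subnet an ARP reply from an address outside the inventory is a host nobody
allocated, and an inventoried address that suddenly answers from another
MAC may be a machine whose plug (and MAC) was taken over.
Input lines are constructed: "<seq> <ip> <mac>" per observed ARP reply.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory for the thread's "20 out of 32 addresses" case.
SUBNET = ip_network("192.168.0.0/27")
INVENTORY = {f"192.168.0.{i}": f"00:50:56:00:00:{i:02x}" for i in range(1, 21)}

# Constructed observations: normal traffic, one unallocated address,
# then an inventoried address answered by the same foreign MAC.
ARP_LOG = """\
1 192.168.0.3 00:50:56:00:00:03
2 192.168.0.7 00:50:56:00:00:07
3 192.168.0.25 08:00:27:ab:cd:ef
4 192.168.0.7 00:50:56:00:00:07
5 192.168.0.3 08:00:27:ab:cd:ef
"""


def audit_arp(log, inventory, subnet):
    """Return a list of (seq, kind, ip, mac) alerts.

    kind is "unallocated" for an in-subnet IP missing from the inventory
    and "mac_changed" for an inventoried IP answered by a different MAC.
    """
    alerts = []
    for line in log.splitlines():
        seq, ip, mac = line.split()
        mac = mac.lower()
        if ip_address(ip) not in subnet:
            continue  # other subnets are outside this inventory's scope
        expected = inventory.get(ip)
        if expected is None:
            alerts.append((int(seq), "unallocated", ip, mac))
        elif mac != expected.lower():
            alerts.append((int(seq), "mac_changed", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(ARP_LOG, INVENTORY, SUBNET):
        print(*alert)
```

Feeding it real ARP observations (for example from a switch's ARP table export) only requires producing the same three-field lines.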