Re: ip theft!!

["Americo F. Muchanga" <americo at it.kth.se>]

Bill,

I guess that the problem is not setting up a DHCP, because a malicious users
do not need to have the address assigned to his card. He could set it manually,
what I mean't was that the official DHCP will have the trusted pair (MAC/IP)
and only a user with this trusted pair can open a route in the IPlogin auth
machine. However if some malicious user is good enough to fake a MAC address,
and this can be done with some not BIG effort, then he could listed to the
air/wire interface, steal a valid MAC/IP address, recompile his code, and
then attempt to pass though the IPlogin machine. This would mean off course
that he has enough knowledge to authenticate himself in the IPlogin machine.

a./


Bill Sangiwa wrote:
> Pine.LNX.4.33.0202081356230.22173-100000 at twiga.twiga.com">
> a./
>
> u're correct (u can't control what user does with his/her machine), BUT
> this is another options if your wireless bridge do not support blocking
> ip's, if it does (some do!) then you may as well use it, use of DHCP in
> some cases users go ahead and have their own DHCP running on their LAN (no
> crime done!), if they can listen to your's (DHCP), surely will be able
> pass their DHCP broadcasts to other users too! i've seen several
> installation of M$2000 with DHCP enabled and users have no idea at all it
> is on!!
>
> Bill
>
> On Fri, 8 Feb 2002, Americo F. Muchanga wrote:
>
> > You can't prevent a user from assigning an IP to his local station. The 
> > operating system has no way to find out that now you are going to use a 
> > valid and/or a not-valid address. You can however prevent that user from 
> > accessing the network. Typically u can do this first by placing a DHCP 
> > in the network that will assign IPs based on the MAC addresses and place 
> > a gateway based on IPlogin for instance to only open a route for those 
> > users who had been authenticated.  You should force all your users to 
> > authenticate before they can get access to Internet at large.
> >
> > rgds, a./
> >
> >
> >
> > Antonio Godinho wrote:
> >
> > > I use Breezecom wireless equipment and the client radio can be 
> > > configured to let through only some IP´s and can also limit 
> > > bandwidth in steps of 32K. I don´t know if other equipment lets you 
> > > do that.
> > >
> > > Cheers,
> > >
> > >
> > >
> > > > my knowledge on wireless sez that, if you have for-isp wireless gear u
> > > > should be able to restrict (or call it block) certain range of ip,
> > > > that wil be allowed in/out of the device, which will do pretty much
> > > > what you want. if by accident you have choosed a product which does
> > > > have that feature then you have what they call corporate wireless lan
> > > > devices.. not sure much can be done on switches mine (hp pro-curve)
> > > > does not
> > > >
> > > > Bill
> > > >
> > > > On Thu, 7 Feb 2002 ksemat at wawa.eahd.or.ug wrote:
> > > >
> > > > > Can someone give me an idea on how to stop a user from simply
> > > > > assigning himself another user's ip address on a LAN or a wireless
> > > > > network? We had a problem with a client who simply decided to assign
> > > > > himself an extra ip because he thought he needed one unfortunately
> > > > > this belonged to another client!!!
> > > > >
> > > > > Is there a way to prevent this? arpwatch only seems to tell me which
> > > > > mac address has changed etc I cannot locate clients by Mac address
> > > > > obviously and yet I need to restrict this.
> > > > >
> > > > >           
> > > >           
> > >           
> >           
>
>
>