  • Status: Solved

restrict unauthorized users

Dear all,
I have a DHCP server in my LAN and I want to restrict unauthorized users or PCs from obtaining an IP address from my DHCP.
I mean that I don't want any PCs outside of my domain to obtain an IP address from my DHCP server.
Asked by: Alkannetworks

5 Solutions
 
giltjr commented:
There are two ways. One is to implement NAC; check out Cisco for information on their solution, and I am sure that other switch/router vendors have similar solutions.

Second is to set up n+1 scopes in your DHCP server. Then, have fun, assign each computer an IP address based on its MAC address. Those PCs that do not have a MAC address in the DHCP server get assigned an IP address in the "+1" subnet. Using this, each time there is a new computer, or a current computer gets a new NIC, you have to update the DHCP tables.
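An added example (not code from giltjr, the asker, or any DHCP product) that models the "n+1 scopes" policy above as allocation logic: a MAC with a reservation gets its production address, anything else lands in a separate quarantine scope, and when that scope is full the request is refused rather than spilling into production. The reservation table, the 10.0.1.0 and 10.0.99.0/29 addresses and the MACs are constructed sample values; the MAC normalizer is there because a reservation keyed on the text form of a MAC is only as good as the comparison, so the same address written with dashes, dots or colons must hit the same entry.

```python
"""Model of the "n+1 scopes" DHCP policy: known MACs get a reserved
production address, unknown MACs get an address from a quarantine scope.
Added example; all addresses and MACs are constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed reservation table: MAC -> reserved address in the production scope.
RESERVATIONS: Dict[str, str] = {
    "00:11:22:33:44:55": "10.0.1.10",
    "00:11:22:33:44:56": "10.0.1.11",
}

# Constructed "+1" scope for clients without a reservation. Deliberately tiny
# so that exhaustion of the quarantine pool is visible in a test run.
QUARANTINE_SCOPE = ipaddress.ip_network("10.0.99.0/29")  # .1 .. .6 usable

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 (any case)
    and return the lowercase colon form, so a reservation cannot be missed
    just because the client's MAC was written in a different notation."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    norm = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    assert _MAC_RE.match(norm)
    return norm


class Allocator:
    """Decides which scope answers a DHCP request for a given MAC."""

    def __init__(self, reservations: Dict[str, str], quarantine_scope) -> None:
        self.reservations = {normalize_mac(m): ip for m, ip in reservations.items()}
        self.quarantine_free: List[str] = [str(h) for h in quarantine_scope.hosts()]
        self.quarantine_leases: Dict[str, str] = {}   # mac -> ip, stable on repeat
        self.audit: List[Tuple[str, str, Optional[str]]] = []  # (mac, scope, ip)

    def offer(self, mac: str) -> Tuple[str, Optional[str]]:
        """Return (scope, ip); scope is 'production', 'quarantine' or 'none'."""
        mac = normalize_mac(mac)
        if mac in self.reservations:
            ip = self.reservations[mac]
            self.audit.append((mac, "production", ip))
            return "production", ip
        if mac in self.quarantine_leases:
            ip = self.quarantine_leases[mac]
        elif self.quarantine_free:
            ip = self.quarantine_free.pop(0)
            self.quarantine_leases[mac] = ip
        else:
            # Quarantine scope exhausted: refuse, never fall back to production.
            self.audit.append((mac, "none", None))
            return "none", None
        self.audit.append((mac, "quarantine", ip))
        return "quarantine", ip


if __name__ == "__main__":
    alloc = Allocator(RESERVATIONS, QUARANTINE_SCOPE)
    for req in ["00-11-22-33-44-55", "0011.2233.4456", "de:ad:be:ef:00:01"]:
        print(req, "->", alloc.offer(req))
```

The audit list is the part worth keeping in a real deployment: every "quarantine" or "none" entry is a MAC the admin has not registered, which is exactly the list giltjr says you have to maintain by hand when a PC or NIC changes.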
 
zgrp commented:
Hello,

The question is a little complex. In short, my tip is to create an ACL (Access Control List) based on the MAC (Media Access Control) of each computer.

The problem is that it's impractical if you have a large network and new machines are constantly being plugged into the network.

If not, an option to make the job faster and easier is to discover all MACs in your network; for this you can use THC-RUT (http://www.thc.org/thc-rut/), which can be used to discover machines in the network via ICMP, ARP requests, etc.

See a screenshot: http://www.thc.org/thc-rut/grfx/thcrut-arp.gif

So based on these MAC(s), all you have to do is create your ACL(s) in the DHCP server. ;)

Another option, if you want to restrict access to your LAN, is to use 802.1x (if your switch supports it), which ONLY allows machines to enter the network if they authenticate to it. ;)

http://en.wikipedia.org/wiki/802.1x

Hope this helps,

Cheers
 
ahoffmann commented:
MAC is not an option 'cause anyone (at least me:) can change the MAC to whatever is needed.
So, as someone trying to get a valid IP, I'd simply sniff the traffic and catch a MAC and use it also. That would break some communications and have other problems, but it works partially, and when the original owner of the MAC disconnects, you have a full working connection.

The only solution is that each valid client has a unique secret to offer when requesting an IP. A MAC is not unique.
Not sure if 802.1x offers such a mechanism.
 
Rich Rumble (Security Samurai) commented:
Yes, 802.1x does have such a mechanism; it's half-based on it. Changing a MAC to match a device that is allowed also doesn't guarantee you'll get connected, thank goodness. I've explained this here as well:
http://www.experts-exchange.com/Security/Win_Security/Q_21779117.html
802.1x is your best bet; nothing is foolproof. Again, 802.1x uses more than JUST the MAC address. The wiki article above is a good starting place to read up on it; however, Cisco's paper is a bit more in depth:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/sw8021x.htm#xtocid1
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx

Again, nothing is perfect, and this is also a good read: http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx
The section in the above link entitled "Why 802.1X on wired networks is insufficient" is correct for the most part; still, it will keep everyone (except ahoffmann) off your LAN ;)
-rich
 
ahoffmann commented:
it will keep me off too if there is a secret, 'cause I'm too lazy for brute force :-))
 
zgrp commented:
Hello,

Good replies; however, it is interesting to note that this kind of attack to obtain a valid MAC will need to use poisoning techniques or similar methods, which WILL generate anomalies in the network and can be detected. ;)

But if the company doesn't have a policy to store, sign and analyze logs, then probably not even the most robust security solution will be enough (hehehe). :D

A tip to mitigate some attacks related to some network layers (IP and below) is to use, together with MAC ACLs, 802.1x, ...., IPsec (Internet Protocol Security), which encrypts and/or authenticates packets.

http://en.wikipedia.org/wiki/IPSec

However, it will generate some overhead in your network, especially depending on which IPsec mode you use (ESP or AH).

In general, all security mechanisms affect performance... :(

Hope this helps,

Cheers
 
zgrp commented:
Ah, I forgot: you can also implement OTP (One Time Password) with 802.1x, or two-factor authentication, to enhance security and mitigate many brute-force attacks on passwords. ;)

But it's very paranoid, depending on the security your organization needs. You should know that nobody spends U$25.000,00 to protect something (information, ...) whose value is, for example, U$20.000,00! hehehe

Cheers
 
ahoffmann commented:
> .. note that this kind of attack to obtain valid MAC, will need to use poison techniques or similar methos ..
you don't poison anything if you set your own MAC ;-)
(if the network and its protocols have problems with that --for example 2 identical MACs-- is another question)

> .. use IPsec ..
nice idea, how would you do that without an IP? nomen est omen ...
 
Tim Holman commented:
Make it very clear, using a sign or whatever, that unauthorised connection to your network will be reported to the NYPD, and violators will be shot. In the UK we have the Computer Misuse Act, which would make any such unauthorised connection a criminal offence, punishable by law.
NAC/IPSEC/ACLs or whatever can all be circumvented. In the end, all you have is the law to protect you.
You're best off setting up passive network monitoring software and event logfiles to alert you of any unauthorised use.

 
Rich Rumble (Security Samurai) commented:
Using IPSec or a VPN on the LAN is still good, as you block those who don't have access to your resources even if they obtain an IP, assign one, or manage to get 802.1x to allow them out of the "null" VLAN. Naturally you don't obtain DHCP over an IPSec tunnel; you would still want to rely on 802.1x or MAC address filtering, but to connect to AD or a share, each device on the LAN should also run IPSec. In most situations this is not needed; you can always go too far with security, however you do have to pick and choose your trade-offs.
-rich
 
zgrp commented:
Hello,

To ahoffmann

> you don't poison anything if you set your own MAC ;-)
> (if the network and it's protocols have problems with that --for example 2 identical MACs-- is another question)

Who sets your own MAC in a network card? Since the MAC is already in the network card, it doesn't make sense to me. hehehe

However, you may want to set up the MAC of another user in the LAN, but it WILL generate anomalies: duplicated MAC replies, TCP/IP stack fingerprints can be different, connections reset, etc. ;)

In theory, there shouldn't exist 2 equal MACs in the network, since they SHOULD be unique; however, I have ALREADY HEARD of (but never seen) some generic network cards that have duplicated MACs (but the probability is such that it's easier to win the lottery. hehehe).

> nice idea, how would you do that without an IP? nomen est omen

Read again what I typed:

"mitigate some attacks related to some network layers (IP and below)"

ps: What does "nomen est omen" mean? Is it German?

To put it clearly, it can help mitigate attacks at the IP layer (like sniffing, MITM, etc.) and below.

Sorry if I explained badly; my English is not wonderful. hehe

Cheers,
 
giltjr commented:
zgrp, you do realize that almost all NICs today allow a locally administered address (LAA), a.k.a. a user-defined MAC address.

There are times where duplicate MACs will not cause a problem, such as when they are not on the same LAYER 2 or LAYER 3 network. Two PCs on two different switches that are part of two different IP subnets with the same MAC address will not cause any problems.

Although Ethernet can't handle this (at least I don't think it could), Token Ring used to use duplicate MAC addresses on different NICs of the same device connected to bridged/switched networks for backup and redundancy at the layer 2 level.
 
zgrp commented:
Hello,

> zgrp you do realize that most all NIC's today allow a locally administrated address (LAA) a.k.a. a user defined MAC address.

Sure, I'm speaking about the default MAC address (the one that comes from the factory). To be sincere, I have never seen a user NEED to manipulate his MAC address; in short, for me, it's very suspect (not to say evil).

As I said, monitoring network activity is important, and an Admin will know if he has some behaviour that is "expected because some user needs it", but in practice, I have never seen any of this behaviour be a user redefining a MAC address (except when a NIC is changed).

> There are times where duplicate MAC's will notcause a problem, such as when they are not on the same LAYER 2 or LAYER 3 network.  To PC's on two different switches that are part of two different IP subnets with the same MAC address, will not cause any problems.

Well, I THINK it will not cause a problem, because they are in distinct switches, and AFAIK a MAC address is not routable. :)

Cheers,
 
ahoffmann commented:
> .. it doesn't make sense for me. hehehe
doesn't matter if it makes sense for you, it's possible and makes sense for an attacker/unauthorized person (see question)

> .. but it WILL generate anomalys ..
yes, sometimes but not always, read my comments again

> .. In theory, doesn't should exist 2 equals MAC in the network, ..
in theory, theory and praxis are identical; in praxis they are not
(FYI: some Sun NICs came with 2 or more identical MACs)

> What means "nomen est omen"? It's german ?
no, not German, Latin
free translation: the name says it all

> .. it can help mitigate attacks in IP
and how would you do IPsec without an IP? (hence my: nomen est omen)

> .. I never seen a user NEED to manipulate his MAC address, in short, for me, it's very suspect (to don't say evil).
see above and giltjr's comment, it's needed, sometimes
And have a look at the TA: Security, so we're talking about attackers, sometimes, somehow ...

> .. and AFAIK MAC address is not routeable.  :)
the switch routes according to MACs, and if someone caught another MAC the switch routes to him (for obvious reasons)

 
zgrp commented:
Hello,

ahoffmann,

> dosn't matter if it makes sense for you, it's possible and makes sense for an attacker/unauhorized person (see question)

So please, show me what is the SENSE of the attacker changing his own MAC to his own MAC.

> yes, sometimes but not always, read my comments again

Please, show me a case where an attack steals a MAC and will not generate any anomaly. Describe in detail an attack to steal any information using this method, and I will describe the anomalies for you. ;)

> (FYI: some Sun NICs came with 2 or more identical MACs)

Interesting. Any reference where I can find it? I have a SUN UltraSPARC with 2 NICs (different MACs)... is there some specific model, etc. for it?

> and how would you do IPsec without an IP? (hence my: nomen est omen)

You will not set up IPSEC before having an IP. First your clients will use DHCP to get an IP (or have it statically), and AFTER that happens, your clients will use IPsec, got it? :)

> see above and giltjr's comment, its needed, sometimes

Please, read my last post again.

> the switch routes according MACs, and if someone catched another MAC the switch routes to him (for obvious reason)

What I said is that a MAC isn't routable; for example, you don't get it onto the Internet (because it isn't routable). A switch delivers packets to ports according to MAC, but it's not routable. You can even have 2, 3, ... switches interlinked and this MAC passes through all of them, but it's still not routable, since it's the same network segment.

Cheers,
 
ahoffmann commented:
> So please, show me ..
http:#16406393 (first paragraph)

> .. MAC isn't routable, for example, you don't get it into Internet ..
ok, some confusion here.
the switch assigns the MAC (and IP) to one of its ports (some kind of routing inside the switch), but if an attacker uses the same MAC as another (legal?) NIC, then the switch gets confused if both are active simultaneously

But we're drifting off-topic ...
 
Rich Rumble (Security Samurai) commented:
Let me put this to rest:
MAC address "matching/changing/copying" will not get you on to an 802.1x-protected LAN alone. It WILL "defeat" a MAC address filtered solution alone, unless that solution is checking for dups...
Correct, IPSec is used after you get an IP, or statically assign yourself one. You can then use your login credentials, shared key, certs... etc. to auth to the IPSec'd devices.

The real crux of these solutions, however, is devices that can't speak or use IPSec or 802.1x. Allowances are often made for printers, fax machines and other "less intelligent" network-connected equipment. Those are the devices you'd "clone" the MAC address off, and/or the IP off, and masquerade as on the network. Number one, they are used far less often than most equipment, and any ARP poisoning that may take place will be less visible; number two, they are not likely talking IPsec or 802.1x.

Remember, 802.1x keeps a port in a VLAN away from others; VLANs, as we all know, control broadcast domains for the most part, and DHCP/BootP is broadcast. Even if you swapped the network cable from a PC or other device on the 802.1x network, it checks quite often to see if you're still authenticated, so any info you may try to get will be minimal.

Thanks for your time.
-rich
 
zgrp commented:
Hi,

> MAC is not an option 'cause anyone (at least me:) can change the MAC to whatever is needed.

Some switches allow the admin to configure a MAC correlated with an IP and even correlated with a switch port. In this case, changing the attacker's MAC to a valid MAC (registered to another port) will not work....

> So, as someone trying to get a valid IP, I'd simply sniff the traffic and catch a MAC and use it also

Here you can have some anomalies, but it also depends on the software used to perform the attacks. Some facts:

- Many sniffer programs aren't 100% passive: they make DNS requests, probe unknown machines, don't handle MAC correctly and can be caught by this, in many cases....

- The two machines (attacker and victim) can have different TCP/IP stacks (which will be used to catch a fake machine).

- Services, ports, ..., the network profile in general can have (and probably will have) differences, and can be used again to catch a fake machine.

- Processors have different clock cycles, and this can be detected via the network, and can be used with high precision in a network to detect a fake machine.

- There is also the possibility of problems related to IP and MAC conflicts...

As I said, carefully analyzing network anomalies can be very useful to identify attackers (and even false positives).

> But we're drifting off-topic ...

Ok, sorry.

> The real crux to these solutions however are devices that can't speak or use IPSec, 802.1x. Allowances are often made for printers, fax machines and other "less intilignet" network connected equipment. Those are the devices you'd "clone" the mac address off, and or the ip off and masquerade as on the network.

Interesting. Maybe a solution to this is:

- Isolate these network devices (fax, printers, ...) and route them to the users' network; in this way, we can filter the "broadcast" that attackers could use to get this information.

- To solve the problem of real users not knowing the MAC addr of these special devices (fax, printers, ...), we could create a kind of post-logon script (like netlogon) that sets all these device MACs as static on the workstation.

This way, only authenticated users will know these MAC addresses. What do you think?

> Number one, they are used far less offten than most equipment, and any ARP poisoning that may take place will be less visible, number two they are not likely talking ipsec or 802.1x

True. But if you set up 802.1x on ALL ports (including the attacker's port), and only the special devices' ports (fax, printer, ...) are allowed not to speak 802.1x, the ARP poisoning will not work (since he is not authenticated).

Except if:

- The attacker can physically connect his laptop to a port of one of these special devices (it's more like a Company Security Policy problem).

- The attacker is able to detach an RJ45 from a valid user, plug a hub into it, and connect attacker and victim to the hub; in this way, the attacker can use the victim's authentication. (It's more like a Company Security Policy problem, or a real user facilitating things for a hacker).

Richrumble, with the exception of these 2 attack scenarios against 802.1x, which in my point of view are more like a Company Security Policy problem, do you know ANY attack against 802.1x that can work without "the attacker having access to the physical RJ45"?

Very interesting, this topic.

Thank you,

Cheers
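An added example, not code from zgrp or anyone else in this thread, showing the kind of anomaly check the post above argues for, and the "checking for dups" that Rich Rumble says a MAC-filtered setup needs: it runs over a constructed log of ARP replies tagged with the switch port they arrived on and raises three kinds of alert, a MAC moving between ports within a short window, one IP answered by two different MACs, and a MAC seen on a port other than the one an admin bound it to (the MAC-to-port correlation zgrp mentions). The log format, the MACs, IPs, port names and the binding table are all constructed for the example.

```python
"""Detect duplicate-MAC and IP-conflict anomalies from ARP-reply events.
Added example; log format and every value below are constructed."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed admin binding table ("MAC correlated with switch port"): mac -> port.
PORT_BINDINGS: Dict[str, str] = {
    "00:11:22:33:44:55": "Gi0/1",
    "00:11:22:33:44:56": "Gi0/2",
}

# Constructed event log as a monitor might emit it: ARP replies with ingress port.
# 00:11:22:33:44:55 appears on Gi0/7 at t=105 and 10.0.1.11 is answered by a
# second MAC at t=106; the t=120 line is the legitimate host answering again.
SAMPLE_LOG = """\
t=100 type=arp-reply ip=10.0.1.10 mac=00:11:22:33:44:55 port=Gi0/1
t=101 type=arp-reply ip=10.0.1.11 mac=00:11:22:33:44:56 port=Gi0/2
t=105 type=arp-reply ip=10.0.1.10 mac=00:11:22:33:44:55 port=Gi0/7
t=106 type=arp-reply ip=10.0.1.11 mac=aa:bb:cc:dd:ee:ff port=Gi0/7
t=120 type=arp-reply ip=10.0.1.10 mac=00:11:22:33:44:55 port=Gi0/1
"""

LINE_RE = re.compile(
    r"t=(?P<t>\d+) type=(?P<type>\S+) ip=(?P<ip>\S+) mac=(?P<mac>\S+) port=(?P<port>\S+)"
)

Alert = Tuple[int, str, str]  # (time, kind, detail)


def parse(log: str) -> Iterator[dict]:
    """Yield one dict per well-formed event line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["t"] = int(ev["t"])
            yield ev


def detect(log: str, bindings: Dict[str, str], window: int = 30) -> List[Alert]:
    """Return alerts sorted by time. `window` (seconds) bounds how close two
    conflicting observations must be before they count; a laptop genuinely
    moved between two ports an hour apart is not a duplicate MAC."""
    alerts: List[Alert] = []
    last_port: Dict[str, Tuple[int, str]] = {}   # mac -> (t, port)
    ip_owner: Dict[str, Tuple[int, str]] = {}    # ip  -> (t, mac)
    for ev in parse(log):
        t, ip, mac, port = ev["t"], ev["ip"], ev["mac"], ev["port"]

        # 1. MAC bound by the admin to one port is seen on another port.
        bound = bindings.get(mac)
        if bound and bound != port:
            alerts.append((t, "binding-violation", f"{mac} bound to {bound} seen on {port}"))

        # 2. Same MAC observed on two ports within the window ("duplicate MAC").
        prev = last_port.get(mac)
        if prev and prev[1] != port and t - prev[0] <= window:
            alerts.append((t, "mac-flap", f"{mac} on {prev[1]} then {port} within {t - prev[0]}s"))
        last_port[mac] = (t, port)

        # 3. Same IP answered by two different MACs within the window.
        owner = ip_owner.get(ip)
        if owner and owner[1] != mac and t - owner[0] <= window:
            alerts.append((t, "ip-conflict", f"{ip} claimed by {owner[1]} and {mac}"))
        ip_owner[ip] = (t, mac)
    return sorted(alerts)


if __name__ == "__main__":
    for when, kind, detail in detect(SAMPLE_LOG, PORT_BINDINGS):
        print(f"t={when} {kind}: {detail}")
```

On the sample log this yields four alerts: a binding violation and a MAC flap at t=105, an IP conflict at t=106, and a second MAC flap at t=120 when the real host answers from its own port again. That last one is the false-positive class zgrp mentions: the legitimate device trips the same rule as the duplicate, so an alert on its own says "two stations share this MAC", not which one is the impostor; the port binding is what tells them apart.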
 
Rich Rumble (Security Samurai) commented:
no, 802.1x is layer 1/2 ...
-rich
 
ahoffmann commented:
zgrp, are we talking about network forensics or about securing DHCP?
Please keep the question/topic in mind :)
 
Tim Holman commented:
> Please, show me a case where a attack WHERE is steal a MAC and it will not generate any anomaly. Describe in details a attack to steal any information using this methos, and I will describe anomalys for you. ;)

1) Choose a host you want to spoof (i.e. the IP address of a mail server on the network)
2) DoS the host with a large SYN flood to take it offline
3) Give this IP address to your own machine
4) Flood the switch with a few million spoofed MAC addresses (this will clear out the ARP table)
5) Plug your own machine in
6) Voila... your machine has the IP address of a machine that was already on the network, and even though the MAC address is different, that's OK, as the switch has effectively been reset as the old ARP information has gone
7) Intercept unauthenticated, unencrypted traffic

This highlights the need for both proper authentication and encryption as the only real methods to protect your network from unauthorised use.
Defeating network equipment as long as you have local LAN access is trivial... :P


 
zgrp commented:
Hello,

ahoffmann, ok, sorry!

tim_holman, I will not reply, so as not to generate more off-topic, but if you are interested in the answer, look at my previous posts.

Cheers
 
catoaguilar commented:
If you manage a small network (let's say about 50 computers) with not so many new computers coming in every month, you may consider assigning manual IP addresses instead of using DHCP.
