Preventing Static IP Spoofing

We have an ISA 2006 firewall in between our internal network and our perimeter network.  The internet is filtered differently for users in a specific IP range. This range is not assigned via DHCP, but some users have figured out that setting a static IP in this range will get them around our blocks.  This range has to be unfiltered though.  Is there a way to configure our system to register the static IPs so that each static IP will not work unless it matches the proper MAC address?  i.e.: MAC A can use static IP A only, but if someone configures their laptop with static IP A and their laptop has MAC B, they get denied all traffic in and out.  We need to keep this as cheap as possible.  Thanks
2003domainadminAsked:
pwindellCommented:
No you can not.
The only thing you can do is not allow the users to be local administrators on their machines,...then Windows will not allow them to alter the TCP/IP specs.
When you allow them to be local administrators you are begging for this kind of problem.    Another related thing,...it is obvious who is doing this because you can find the changed IP#s on their machine,...if management takes no disciplinary action against users for altering company equipment to subvert company security measures, then you have lost the war.
Another consideration,...if you base access on user accounts instead of on what IP# they are using, they cannot get around that without using someone else's credentials to log into their machines.   Now, we all know what you should do to people who give out their credentials to fellow employees.
2003domainadminAuthor Commented:
Some of the machines involved in our internal network are Linux based and cannot be joined to the domain.  Also, these are personal computers being brought in, and we cannot change the policy on personal computers at this time as we do not currently have the money to hand out company laptops.  I know ISA is incapable of doing this, but is there something I can install on the ISA server computer to perform this check before it gets to the ISA software?  i.e.:
static IP with proper registered MAC address > checker says OK > ISA rules are checked
static IP with wrong MAC address > checker denies traffic to ISA software > ISA software never sees the connection so the machine can't get out
I know Sygate Firewall can filter based on MAC, but I need a way to check a MAC vs. the IP it is assigned to.
pwindellCommented:
You have two options:
#1.   You're just screwed
#2.  You have to base authentication on user accounts
If your LAN were divided into IP segments, then you could control what segment they are in. They would have no choice but to use an IP# from the segment they are in, and you could control access by the IP#s without having to worry about what specific individual IP it was.
pwindellCommented:
I can't say that there is no third-party tool for this,...I can only say that I do not know of any.
2003domainadminAuthor Commented:
Interesting.  I'll keep the question open for a while in hopes of a solution.  I know Sygate can be used on the ISA server as a MAC control agent, but not as a MAC-to-IP authenticator, so odds are it's possible.
2003domainadminAuthor Commented:
OK. I think the solution would be a static ARP table on the ISA server computer.  Would I be right in saying that a static ARP table for these IPs would basically provide this filter?
pwindellCommented:
It just ain't never gonna happen.
You're gonna have to abandon the idea of finding the solution at Layer 2 or Layer 3.   ISA just flat out is not going to do anything at Layer 2, and you can't keep the users from fooling with their IP#s (Layer 3).
Short of subnetting your LAN,...you are going to have to start thinking higher in the OSI model and start thinking about authentication at the user account level.
2003domainadminAuthor Commented:
I can't use the authentication of ISA as the linux computers can't be joined to the domain.
pwindellCommented:
Yes you can.
The Browser (Mozilla, Firefox, whatever) will present the users with an authentication prompt.  The authentication will last until they close the browser.
2003domainadminAuthor Commented:
How do I set that up?
pwindellCommented:
There really isn't anything to set up.  You just have to stop using "All Users" in the affected Access Rules,...create a new User Set,...then add users or groups from Active Directory into the User Set, and then add the Set to the Access Rule and remove the "All Users" item.
At the very worst you might have to go to the properties of the Internal Network Definition-->Web Proxy Tab--->Authentication Button and enable Basic along with the Integrated that is already there.   But I would not touch any of that unless it would not work otherwise.
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
2003domainadminAuthor Commented:
Thanks.  I'll give that a shot.  I was hoping to do this at a machine level as these users should have this access on specific machines, but not others, even though they are the same people.
pwindellCommented:
You can only do it at the IP level, which is not really the same thing,...that only translates to "machine level" if you can say with absolute certainty that the IP# of the machine in question would not be changed by a user.  So it works great on servers,...worthless on workstations,...particularly since workstations are usually DHCP and can potentially get any IP#.
The two articles I gave should be helpful for the future as well.  I'm sure you will find ISA can deal with issues in a variety of ways,...but it may require that you change your thinking about how things should work.
Here are some other aspects of it that many do not think about:
HTTP Filtering in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx
Common Application Signatures
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/commonapplicationsignatures.mspx
pwindellCommented:
Are you using proxy settings in the browsers?
Are these machines brought in from home using proxy settings for your LAN?
If the answer is no,...now you have more problems.   SecureNAT clients (meaning no FWC installed and no browser proxy settings) are not capable of authentication,...which leaves you screwed again. So the user will have to add proxy settings to the browser,...which is a bad deal for laptops that travel because the user always has to toggle the settings on or off.  But users always think that just one single extra mouse click is going to kill their families and their pets and ruin their lives.  Proxy autodetection via WPAD will save the day there, but you have to configure the LAN (DNS and DHCP) to perform that.
This is why it is so important that:
1. You have complete control of the machines allowed on your LAN
2. You configure the LAN for proxy autodetection via WPAD so clients will auto-adjust to changing environments.  The default for IE is to use autodetection,...the default for Firefox is not to.
pure_satis_factionCommented:
Actually, there may be a way you can permanently associate an IP with a particular MAC address (at least as far as your ISA server is concerned): set up static ARP table entries for the IP/MACs that you want to "protect" against abuse.

Use the static arp command:

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the ip address and e's are the ethernet mac address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s 192.168.100.20 a3-00-92-b3-c3-33

This will permanently associate the ip with a particular mac. This will only work if the IPs are on the same LAN segment as the ISA server interface, and are not being routed to the ISA Server.
pure_satis_factionCommented:
Also, if you set up static ARP entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script.
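The static ARP approach in the two comments above, as an added example that is not part of the original thread: a Python script that turns a registered IP-to-MAC list into the `arp -s` lines for the ISA host's startup batch file and audits a captured `arp -a` listing against that list, so an admin can see whether a binding was lost at reboot or an unregistered MAC is sitting on a registered IP. The allowlist, the MAC addresses and the `arp -a` text are constructed sample data, and the function names are this example's own.

```python
"""Static ARP bindings for the ISA host: generate the startup-script commands
and audit a captured `arp -a` listing against the registered IP-to-MAC map.

Added example, not code from the original thread. The allowlist and the
`arp -a` text below are constructed sample data; MACs use the Windows
dash-separated form that `arp -s` expects.
"""
import re

# Registered bindings for the unfiltered range (constructed sample data).
ALLOWLIST = {
    "192.168.100.20": "00-1a-4b-10-20-30",
    "192.168.100.21": "00-1a-4b-10-20-31",
    "192.168.100.22": "00-1a-4b-10-20-32",
    "192.168.100.23": "00-1a-4b-10-20-33",
}

# Constructed `arp -a` output in the layout Windows Server 2003 prints.
SAMPLE_ARP_A = """\
Interface: 192.168.100.1 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.100.20        00-1a-4b-10-20-30     static
  192.168.100.21        00-1a-4b-10-20-31     dynamic
  192.168.100.22        00-0c-29-11-22-33     dynamic
  192.168.100.200       00-0c-29-44-55-66     dynamic
"""

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}$")
_ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def normalize_mac(mac):
    """Return a MAC as lower-case, dash-separated (the form `arp -s` takes)."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return mac.replace(":", "-")


def arp_s_commands(allowlist):
    """One `arp -s` line per registered binding, for the startup batch file
    (static entries on Windows Server 2003 do not survive a reboot)."""
    return ["arp -s %s %s" % (ip, normalize_mac(mac)) for ip, mac in allowlist.items()]


def parse_arp_table(text):
    """Map IP -> (mac, type) from `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3).lower())
    return table


def audit(allowlist, arp_text):
    """Compare the live ARP cache with the registered bindings.

    Returns (ip, status) pairs in allowlist order:
      ok              static entry with the registered MAC
      missing         no entry at all, so the startup script did not run
      dynamic-ok      binding absent but the registered machine holds the IP
      dynamic-rogue   binding absent and an unregistered MAC holds the IP
      static-wrong    a static entry exists but for a different MAC
    """
    table = parse_arp_table(arp_text)
    findings = []
    for ip, mac in allowlist.items():
        want = normalize_mac(mac)
        if ip not in table:
            findings.append((ip, "missing"))
            continue
        seen, kind = table[ip]
        if kind == "static":
            findings.append((ip, "ok" if seen == want else "static-wrong"))
        else:
            findings.append((ip, "dynamic-ok" if seen == want else "dynamic-rogue"))
    return findings


if __name__ == "__main__":
    print("\n".join(arp_s_commands(ALLOWLIST)))
    for ip, status in audit(ALLOWLIST, SAMPLE_ARP_A):
        print("%-16s %s" % (ip, status))
```

Run it on the ISA host with the real `arp -a` output in place of the sample; a `dynamic-rogue` finding is the exact case the question describes, a machine with an unregistered MAC using a registered IP. Two caveats a practitioner should keep in mind: a static entry only fixes what the ISA server's own ARP cache says, so any other host or router that relays traffic for that segment keeps its own view; and a user who can set a static IP on a personal laptop can usually change its MAC address as well, so the binding raises the bar but is not authentication, which is why the user-account based Access Rules suggested earlier in the thread remain the stronger control.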
2003domainadminAuthor Commented:
This worked perfectly.  Thanks!
pwindellCommented:
Actually, there may be a way you can permanently associate an IP with a particular MAC address (at least as far as your ISA server is concerned): set up static ARP table entries for the IP/MACs that you want to "protect" against abuse.

Use the static arp command:

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the ip address and e's are the ethernet mac address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s 192.168.100.20 a3-00-92-b3-c3-33

This will permanently associate the ip with a particular mac. This will only work if the IPs are on the same LAN segment as the ISA server interface, and are not being routed to the ISA Server.

How does this give ISA the ability to filter by MAC address?
2003domainadminAuthor Commented:
It prevents the spoofers from making a connection with the ISA server itself.  This takes place before ISA is even entering the game.
pwindellCommented:
Well, there was never any "spoofing" going on here.  It says that in the title of the thread, but it is a misinterpretation of what is happening. The users are just changing their IP# to something that is allowed by the ISA.  When they change the IP#, it really truly is their IP# at that point,...nothing is stolen from anything else,...nothing is faked,...nothing is spoofed.
So I'm still trying to understand this. You have to create an entire listing of MAC addresses for the whole LAN that reflects machines that are allowed to get to the Internet,...then these machines will have to use static IP settings so that it doesn't change,...and then create the mapping that is imported into the ARP table?  So if a different machine tries to use an IP that it should not, the MAC will not match the mapping, which causes it to fail?
If that is all it amounts to, then all the ISA admin has to do is limit the Access Rule to only the desired source IP#s that are actually in use by live machines, by using an Address Set or Computer Set.  Rogue users cannot use those IP#s because they are already in use on the LAN.  In other words, do not allow "unallocated" (free) IP#s to get to the Internet.  If a new legitimate machine is added to the LAN, then add its IP# to the Allow Rule.
The root of this whole problem is that management is not being responsible and will not manage its "humans" and make them follow company security policy.  The war is already over and the IT people have lost.