Solved

Preventing Static IP Spoofing

Posted on 2009-07-14
20
852 Views
Last Modified: 2012-05-07
We have an ISA 2006 firewall in between our internal network and our perimeter network.  The internet is filtered differently for users in a specific IP range. This range is not assigned via DHCP, but some users have figured out that setting a static ip in this range will get them around our blocks.  This range has to be unfiltered though.  Is there a way to configure our system to register the static ips so that each static ip will not work unless it matches with the proper mac address?  ie: mac a can use static ip a only, but if someone configures their laptop with static ip a and their laptop has mac b they get denied all traffic in and out.  We need to keep this as cheap as possible.  Thanks
Question by:2003domainadmin
20 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 24853018
No you can not.
The only thing is to not allow the users to be local administrators on their machines,...then Windows will not allow them to alter the TCP/IP Specs.
When you allow them to be local Administrators you are begging for this kind of problem.    Another related thing,...it is obvious who is doing this because you can find the changed IP#s on their machine,...if there are no disciplinary actions upon the users by management for altering company equipment to subvert company security measures, then you have lost the war.
Another consideration,...if you base access on user accounts instead of what IP# they are using they cannot get around that without using someone else's credential to log into their machines.   Now, we all know what you should do to people who give out their credentials to fellow employees.
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24853076
Some of the machines involved in our internal network are linux based and cannot be joined to the domain.  Also these are personal computers being brought in, and we cannot change the policy on personal computers at this time as we do not currently have the money to hand out company laptops.  I know ISA is incapable of doing this, but is there something I can install on the ISA server computer to perform this check before it gets to the ISA software?  i.e.:
static ip with proper registered mac address > checker says ok > ISA rules are checked
static ip with wrong mac address > checker denies traffic to isa software > ISA software never sees the connection so machine can't get out
I know Sygate Firewall can filter based on mac, but I need a way to check a mac vs the ip it is assigned to.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24853154
You have two options:
#1.   You're just screwed
#2.  You have to base authentication on user accounts
If your LAN was divided into IP Segments then you can control what segment they are in. They would have no choice but to use an IP# from the segment they are in and you could control access by the IP#s without having to worry about what specific individual IP it was.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24853194
I can't say that there is no third-party tool for this,...I can only say that I do not know of any.
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24853290
Interesting.  I'll keep the question open for a while in hopes of a solution.  I know Sygate can be used on the ISA server as a mac control agent, but not a mac to ip authenticator, so odds are it's possible.
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24853483
Ok. I think the solution would be a static ARP table on the ISA server computer.  Would I be right in saying that a static arp table for these IPs would basically provide this filter?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24853673
It just ain't never gonna happen.
You're gonna have to abandon the idea of finding the solution at Layer2 or Layer3.   ISA just flat out is not going to do anything at Layer2 and you can't keep the users from fooling with their IP#s (Layer3).  
Short of subnetting your LAN,...You are going to have to start thinking higher in the OSI model and start thinking about authentication at the user account level.
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24859507
I can't use the authentication of ISA as the linux computers can't be joined to the domain.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24860295
Yes you can.
The Browser (Mozilla, Firefox, whatever) will present the users with an authentication prompt.  The authentication will last until they close the browser.
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24862043
How do I set that up?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24862483
There really isn't anything to setup.  You just have to stop using "All Users" in the affected Access Rules,...create a new User Set,...then add users or Groups from Active Directory into the User Set and then add the Set to the Access Rule and remove the "All Users" item.
At the very worst you might have to go to the properties of the Internal Network Definition-->Web Proxy Tab--->Authentication Button and enable Basic along with the Integrated that is already there.   But I would not touch any of that unless it would not work otherwise.
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
 
0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24862534
Thanks.  I'll give that a shot.  I was hoping to do this at a machine level as these users should have this access on specific machines, but not others, even though they are the same people.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24862635
You can only do it at the IP Level, which is not really the same thing,...that only translates to "machine level" if you can say with absolute certainty that the IP# of the machine in question would not be changed by a user.  So it works great on Servers,...worthless on workstations,...particularly since workstations are usually DHCP and can potentially get any IP#.
The two articles I gave should be helpful for the future as well.  I'm sure you will find ISA can deal with issues in a variety of ways,...but it may require you change your thinking about how things should work.
Here are some other aspects of it that many do not think about:
HTTP Filtering in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx
Common Application Signatures
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/commonapplicationsignatures.mspx
 
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24862728
Are you using proxy settings in the browsers?
Are these machines brought in from home using proxy settings for your LAN?
If the answer is no,...now you have more problems.   SecureNAT Clients (meaning no FWC installed and no browser proxy settings) are not capable of authentication,...which leaves you screwed again. So the user will have to add proxy settings to the browser,...which is a bad deal for Laptops that travel because the user has to always toggle the settings on or off.  But users always think that just one single extra mouse click is going to kill their families and their pets and ruin their lives.  Proxy Autodetection via WPAD will save the day there but you have to configure the LAN (DNS and DHCP) to perform that.
This is why it is so important that:...
1. You have complete control of the machines allowed on your LAN
2. That you configure the LAN for proxy autodetection via WPAD so clients will auto adjust to changing environments.  The default for IE is to use autodetection,...the default for Firefox to not to.
0
 
LVL 1

Accepted Solution

by:pure_satis_faction (earned 500 total points)
ID: 24865904
Actually, there may be a way you can permanently associate an IP with a particular mac address (at least as far as your ISA server is concerned): Setup static ARP table entries for the IP/macs that you want to "protect" against abuse.

Use the static arp command:

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the ip address and e's are the ethernet mac address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s 192.168.100.20 a3-00-92-b3-c3-33

This will permanently associate the ip with a particular mac. This will only work if the IPs are on the same LAN segment as the ISA server interface, and are not being routed to the ISA Server.
0
 
LVL 1

Expert Comment

by:pure_satis_faction
ID: 24865951
Also, if you setup static arp entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script.
0
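A small Python helper, added here and not part of the thread or of ISA Server, that ties the two comments above together: it emits the arp -s lines for the startup batch file from an IP/MAC allow-list, and it parses arp -a output from the ISA host to confirm that each protected IP is still pinned to its registered MAC. The IP/MAC pairs and the arp -a capture are constructed for the example. Two things worth keeping in mind when reading the results: a static entry is never overwritten by an incoming ARP reply, so a "mismatch" finding can only appear once pinning has lapsed (for instance after a reboot before the startup script ran), and, as the accepted answer says, none of this does anything for hosts that reach the ISA interface through a router.

```python
import re
from typing import Dict, List, Tuple

# Constructed allow-list: protected static IPs and the MAC allowed to use each.
# Made-up values; a real deployment keeps this in a file the startup script reads.
EXPECTED = {
    "192.168.100.20": "00-11-22-33-44-55",
    "192.168.100.21": "00-11-22-33-44-66",
    "192.168.100.22": "00-11-22-33-44-77",
    "192.168.100.23": "00-11-22-33-44-88",
}

# Constructed sample of Windows Server 2003 'arp -a' output as seen on the ISA host.
SAMPLE_ARP_A = """\
Interface: 192.168.100.1 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.100.20        00-11-22-33-44-55     static
  192.168.100.21        00-11-22-33-44-66     dynamic
  192.168.100.22        00-aa-bb-cc-dd-ee     dynamic
  192.168.100.254       00-0c-29-12-34-56     dynamic
"""

# One table row: IPv4 address, MAC in Windows dash notation, entry type.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"
    r"(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp_a(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each IP in 'arp -a' output to (mac, type); header lines are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def audit(expected: Dict[str, str], table: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Compare the live ARP table against the allow-list, one finding per protected IP.

    ok        -> pinned to the registered MAC
    unpinned  -> right MAC but only a dynamic entry (static entry was lost)
    mismatch  -> another MAC currently answers for a protected IP
    absent    -> no entry at all for that IP
    """
    findings: Dict[str, str] = {}
    for ip, want in expected.items():
        entry = table.get(ip)
        if entry is None:
            findings[ip] = "absent"
            continue
        mac, kind = entry
        if mac != want.lower():
            findings[ip] = f"mismatch: seen {mac}, registered {want.lower()}"
        elif kind != "static":
            findings[ip] = "unpinned"
        else:
            findings[ip] = "ok"
    return findings


def startup_script(expected: Dict[str, str]) -> List[str]:
    """Batch-file lines that re-create the static entries after a reboot."""
    return ["@echo off"] + [f"arp -s {ip} {mac}" for ip, mac in sorted(expected.items())]


if __name__ == "__main__":
    print("\n".join(startup_script(EXPECTED)))
    print()
    for ip, finding in audit(EXPECTED, parse_arp_a(SAMPLE_ARP_A)).items():
        print(f"{ip:<16} {finding}")
```

Run on the constructed capture, .20 reports ok, .21 unpinned, .22 a mismatch and .23 absent; on a real ISA host you would feed it the output of arp -a and schedule it after the startup script so anything other than ok means the pinning has not been applied.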
 
LVL 1

Author Closing Comment

by:2003domainadmin
ID: 31603419
This worked perfectly.  Thanks!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24869800
Actually, there may be a way you can permanently associate an IP with a particular mac address (at least as far as your ISA server is concerned): Setup static ARP table entries for the IP/macs that you want to "protect" against abuse.

Use the static arp command:

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the ip address and e's are the ethernet mac address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s 192.168.100.20 a3-00-92-b3-c3-33

This will permanently associate the ip with a particular mac. This will only work if the IPs are on the same LAN segment as the ISA server interface, and are not being routed to the ISA Server.

How does this give ISA the ability to filter by MAC address?

0
 
LVL 1

Author Comment

by:2003domainadmin
ID: 24869942
It prevents the spoofers from making a connection with the ISA server itself.  This takes place before ISA is even entering the game.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24870184
Well there was never any "spoofing" ever going on here.  It said that in the Title of the thread but it is a misinterpretation of what is happening. The users are just changing their IP# to something that is allowed by the ISA.  When they change the IP#, it really truly is their IP# at that point,...nothing is stolen from anything else,...nothing is faked,...nothing is spoofed.
So I'm still trying to understand this. You have to create an entire listing of MAC addresses for the whole LAN that reflect machines that are allowed to get to the Internet,...then these machines will have to use Static IP settings so that it doesn't change,...and then create the mapping that is imported into the ARP table?  So if a different machine tries to use an IP that it should not do, the MAC will not match the mapping which causes it to fail?
If that is all it amounts to then all the ISA Admin has to do is limit the Access Rule to only the desired Source IP#s that are actually in use by live machines by using an Address Set or Computer Set.  Rogue users cannot use those IP#s because they are already in use on the LAN.  In other words do not allow "unallocated" (free) IP#s to get to the Internet.  If a new legitimate machine is added to the LAN then add its IP# to the Allow Rule.
The root of this whole problem is that management is not being responsible and will not manage its "humans" and make them follow company security policy.  The war is already over and the IT people have lost.
 
0
