Mailing List Archive

mac address forging !
hi,

I'm just reading the docs of the FastIron and saw there is
MAC based Radius auth. So far so good, but how do u protect from MAC
address forging? If u have the following situation:

FastIron <---> noname-switch <----> user

In fact I want to achieve a secure way to assign IP address
to the users and block any attempt from them to forge IP and/or MAC address.


PS. If u can point me to a solution for the same situation with Extreme,
please tell me that too.
mac address forging ! [ In reply to ]
* mraptor@gmail.com (iVAN G) [Fri 26 Nov 2004, 15:36 CET]:
> I'm just reading the docs of the FastIron and saw there is
> MAC based Radius auth. So far so good, but how do u protect from MAC
> address forging? If u have the following situation:
>
> FastIron <---> noname-switch <----> user

You don't. You could use port security to keep MACs locked to one
particular port but that doesn't protect users on the noname switch.


> In fact I want to achieve a secure way to assign IP address
> to the users and block any attempt from them to forge IP and/or MAC address.

use 802.1X


-- Niels.

mac address forging ! [ In reply to ]
Yes I thought about this, but this only protects by authenticating the
correct user; once it is authenticated the user can modify the IP address
to whatever it wants, i.e. forge the address, i.e. it will be able to
present itself as a different user. How do u protect from this?
The only thing I can come up with till now is usage of some weird way of
VLANID, i.e. set a different VLANID on every port on every noname-switch,
then I had to have some way to set the IP address via DHCP based on the
VLANID, and similar ... along these lines....

I'm wondering how u ppl do these things. Is there some hidden
feature :") I don't know of?

The thing needed is a way to securely give the user specific IP
address/es via DHCP with the ability to forbid user access if it forges
MAC and/or IP address when u are in a mixed environment, i.e. not only
Foundry switches.

Sorry if I'm asking too much.


PS. On the CATV I use the following technique.
The DHCP server gives the user an IP based on the cable modem MAC address.
The advantages are:
- modem MAC addresses are almost impossible to forge, and even if they
succeed with some older modems there are other means of blocking them :")
- I don't have to remember/store users' ethernet card MAC addresses,
i.e. they can change it at any time they want w/o bothering me, but
they still get the correct IP.
- And if they try to change their IP address their access is blocked
on the cable modem.
- based on their unforged IP I give them the correct services

In my case, possibly if Foundry switches can change DHCP option-82 on the fly
to include vlanid, ingress-foundry-port, foundry-switch-MAC :") !!! then ...


On Fri, 26 Nov 2004 21:33:28 +0100, Niels Bakker
<niels=foundry-nsp@bakker.net> wrote:
> * mraptor@gmail.com (iVAN G) [Fri 26 Nov 2004, 15:36 CET]:
> > I'm just reading the docs of the FastIron and saw there is
> > MAC based Radius auth. So far so good, but how do u protect from MAC
> > address forging? If u have the following situation:
> >
> > FastIron <---> noname-switch <----> user
>
> You don't. You could use port security to keep MACs locked to one
> particular port but that doesn't protect users on the noname switch.
>
>
> > In fact I want to achieve a secure way to assign IP address
> > to the users and block any attempt from them to forge IP and/or MAC address.
>
> use 802.1X
>
> -- Niels.
>
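
The option-82 idea in the post above (bind each lease to vlanid, upstream switch and ingress port, then drop anything that does not match) is essentially a DHCP snooping binding table with IP source guard on top. The following is an added toy model of that check, not code from the thread or from Foundry; all switch MACs, client MACs, addresses and port numbers are constructed sample values. It only helps if the noname switch inserts option 82 truthfully and the enforcement is per ingress port, which is exactly the gap Niels points out for non-Foundry gear.

```python
# Added example: a toy DHCP-snooping style binding table keyed on the
# option-82 fields (VLAN, relaying switch MAC, ingress port) plus the
# client MAC and leased IP. Constructed data; no real switch or DHCP
# server is involved.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    switch: str   # MAC of the noname switch that relayed the request (option-82 remote-id)
    port: int     # ingress port on that switch (option-82 circuit-id)
    mac: str      # client MAC that received the lease (lowercase)
    ip: str       # leased IP address


# Constructed DHCP ACK records as a server would log them after option 82
# was inserted upstream; in a real deployment these come from snooped DHCP.
LEASES = [
    Binding(10, "00:11:22:33:44:01", 3, "aa:aa:aa:aa:aa:01", "10.0.10.31"),
    Binding(10, "00:11:22:33:44:01", 4, "aa:aa:aa:aa:aa:02", "10.0.10.32"),
    Binding(20, "00:11:22:33:44:02", 1, "aa:aa:aa:aa:aa:03", "10.0.20.11"),
]


def build_table(leases):
    """Index bindings by (vlan, switch, port): the frame's ingress point is the key."""
    return {(b.vlan, b.switch, b.port): b for b in leases}


def check_frame(table, vlan, switch, port, src_mac, src_ip):
    """Return 'allow' or a drop reason, mimicking IP source guard / ARP inspection:
    a frame passes only if its source MAC *and* source IP both match the lease
    that was issued on exactly this ingress port.  A user who keeps the leased
    MAC but changes the IP, or who borrows another port's MAC, is refused."""
    b = table.get((vlan, switch, port))
    if b is None:
        return "drop: no lease on this port"
    if src_mac.lower() != b.mac:
        return "drop: MAC %s not bound to port (expected %s)" % (src_mac, b.mac)
    if src_ip != b.ip:
        return "drop: IP %s forged (lease is %s)" % (src_ip, b.ip)
    return "allow"


if __name__ == "__main__":
    t = build_table(LEASES)
    print(check_frame(t, 10, "00:11:22:33:44:01", 3, "aa:aa:aa:aa:aa:01", "10.0.10.32"))
```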
mac address forging ! [ In reply to ]
* mraptor@gmail.com (iVAN G) [Sat 27 Nov 2004, 00:00 CET]:
> Yes I thought about this, but this only protects by authenticating the
> correct user; once it is authenticated the user can modify the IP address
> to whatever it wants, i.e. forge the address.

IP address, not MAC address as you said in the subject of your mails.

IP is one layer above where the switch operates. Look at the router.
Right now I know of no workable "secure arp" implementation, you'll
probably want to look at IPsec and force all traffic to be properly
encrypted and authenticated.


> i.e. it will be able to present himself like different user.
> How do u protect from this ?

Best of luck securing your end stations against malware designed to
steal your users' certificates.


-- Niels.
