Well, if it is a new system doing the IP "theft" this may well fix it:

Split your network into 2 VLANs via dynamic VLANs; one for known systems, one for unknown systems. Set up DHCP (with different ranges) on both VLANs so that systems set up for DHCP can get an address. Set up the unknown side with tighter security since anyone walking in off the street might be on it. When your IT guys set up a new system they can add it to the known list...

Steve Vawter
UNIX SYSTEM ADMINISTRATOR
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: Richard Westlake [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 12:22 PM
To: Chris
Cc: [EMAIL PROTECTED]
Subject: Re: DHCP Security Questions

Chris

There is no easy way to stop this. If they can change the IP address on their system then they can set any address they like. You could try the following:

1) Take away admin access. Not possible with visitors & personal laptops etc.; can't do this with all OSs, e.g. 95/98.

2) Run something like arpwatch (free) to record MAC/IP addresses. This will notice new systems on the network and will also report address flip-flops when two systems try and use the same IP address. We use this and it has spotted badly configured systems and people borrowing (stealing) IP addresses. It doesn't prevent the problem but it makes it easier to find and fix. Problems of two systems using the same address (IP, DECNET etc.) can be very hard to debug. For arpwatch try http://www-nrg.ee.lbl.gov/nrg.html or a Google search.

3) Split the network into two with a router. One network can have your static address servers and other important stuff, the other can have the DHCP assigned addresses. This reduces the damage people can do; still a problem if they steal the IP address from your or the MD's laptop. You could also add a network just for visitors.

4) Use SNMP on the switches to report when a port goes live. Then with SNMP query the address table and compare it with a list of allowed MAC/IP addresses (DHCP server lease file) and possibly which ports they can use. If you don't like the system on the port which has just gone live then block the port or move it to a VLAN where it can't do any harm. Maybe you can get a network management system to help with this. This could be a lot of work! If you ever try it please let me know how you got on.

If you have a lot of people turning up with laptops etc. and they already have IDs/passwords on your system then you could use something like netreg (free) http://www.netreg.org/ to automate the MAC registration. Matt Campbell at RIT has implemented a similar system which does watch the switches and move ports for new systems to different VLANs: http://www.rit.edu/~mrcsys/dhcp/

Netreg type packages are useful if you don't want random strangers wandering into the building, finding an unused port in a quiet corner, connecting to the network and getting an IP address and having fun with your servers etc.

All the best and good luck

Richard Westlake
School of Crystallography, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 020-7631-6859
----------------------------------------------------------------------
Truth endures but spelling changes -- Anon.
----------------------------------------------------------------------

On Tue, 14 May 2002, Chris wrote:

> Date: Tue, 14 May 2002 09:10:26 -0700
> From: Chris <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: DHCP Security Questions
>
> I was curious to find out about some issues that I would like to prevent
> if at all possible. I am running a network with a DHCP server handing
> out public IPs to clients. It is also reserving by the MAC for clients
> that have static publics. My concern is someone that has legitimate
> access to the network purposely or accidentally setting their IP to an
> IP that is already taken and logging on to the network and causing
> problems. Obviously this could really be a problem if it is a business
> client and they are running some sort of server and someone logs on with that
> IP. Does anyone know of a way to prevent this? If you need more
> details please ask.
>
> Thank You,
>
> Chris Raynor
> Network Security
> Mendo Link, LLC
>
> "An Ounce Of Prevention Is Worth A Pound Of Cure."
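Richard's points 2 and 4 come down to the same check: compare what is actually seen on the wire (arpwatch's MAC/IP pairs, or the switch address table read over SNMP) against what the DHCP server leased or reserved. The script below is an added example written for this thread, not code from anyone posting in it; it parses a small constructed snippet in ISC dhcpd.leases syntax plus a hand-made reservation table (Chris's "reserving by the MAC" case), then audits a constructed address-table snapshot and reports flip-flops, addresses in use by the wrong MAC, and addresses nobody holds. The lease file keeps expired entries with "binding state free", so only active leases count as allowed.

```python
import re
# Constructed sample in ISC dhcpd.leases syntax (the format is real, the values made up).
LEASES = """
lease 203.0.113.10 {
  binding state active;
  hardware ethernet 00:50:56:aa:bb:01;
}
lease 203.0.113.12 {
  binding state free;
  hardware ethernet 00:50:56:aa:bb:03;
}
"""
RESERVED = {"203.0.113.20": "00:50:56:aa:bb:20"}  # static reservation ip -> mac (constructed)
OBSERVED = [  # constructed snapshot of the switch address table / arpwatch data: (ip, mac)
    ("203.0.113.10", "00:50:56:AA:BB:01"),  # rightful lease holder, MAC reported in upper case
    ("203.0.113.20", "00:50:56:de:ad:01"),  # a stranger using the reserved server address
    ("203.0.113.10", "00:50:56:de:ad:02"),  # second MAC claiming the same IP: flip-flop
    ("203.0.113.12", "00:50:56:aa:bb:03"),  # lease is still in the file but expired (state free)
    ("203.0.113.99", "00:50:56:de:ad:03"),  # address never leased or reserved
]
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")

def parse_leases(text):
    """Return {ip: mac} for every lease block whose binding state is active."""
    allowed = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        if mac and "binding state active;" in body:
            allowed[ip] = mac.group(1).lower()
    return allowed

def audit(observed, allowed):
    """Return (kind, ip, mac) findings for observed pairs that disagree with the allowed list."""
    findings, first_mac = [], {}
    for ip, mac in observed:
        mac = mac.lower()  # normalise so a case difference is not reported as theft
        if ip in first_mac and first_mac[ip] != mac:
            findings.append(("flip-flop", ip, mac))  # two stations answering for one address
        first_mac.setdefault(ip, mac)
        if ip not in allowed:
            findings.append(("no-lease", ip, mac))  # nobody was given this address
        elif allowed[ip] != mac:
            findings.append(("address-theft", ip, mac))  # address belongs to another MAC
    return findings

def run_audit():
    """Active leases plus static reservations form the allowed list (reservations win)."""
    return audit(OBSERVED, {**parse_leases(LEASES), **RESERVED})
```

In practice the allowed map would be built from the live dhcpd.leases file and the observed pairs from the switch's address table or arpwatch's database; a flip-flop on a server address is the case Chris is worried about.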
