Re: Blocking access to a network
From: Vanguard <Vangu@rd.invalid>
Date: Tue May 31 2005 - 17:48:31 CEST

"Duane Arnold" <Notme@notme.com> wrote in message
news:V8%me.22716$IC6.15734@attbi_s72...
> shay wrote:
>
>> Hi all,
>> I have a Netgear DG834 ADSL Firewall Router with 4 PCs connected to
>> it. I have set the router to reserve IPs to certain MAC addresses, e.g.
>> IPs ending 2 - 5.
>>
>> I have set the router to act as a DHCP server for IPs starting 2 -
>> ending 5, so I think in theory no one else could connect to the router
>> as there are no more IPs in the pool.
>>
> That is true. However, since the router is not a wireless router, where
> a wireless attacker could obtain a DHCP IP from the router for their
> machine to exploit a wireless connection is when limiting the number of
> DHCP IP(s) that can be issued by the router would really mean anything.
>
>> The person that uses the computer on IP No. 3 has decided to pull out
>> of the network (as we all split the costs), so I want to stop him from
>> simply reconnecting and using the network.
>>
>> I have set the firewall to block all traffic on this IP. E.g.
>>
>
> So, what if the person was able to get on to your network and uses one
> of the router's static IP(s), where he configured the NIC on his or her
> computer and used a static IP? A static IP is any IP on the router that
> is not controlled by the DHCP server on the router.

Not entirely true. The DHCP server (in some NAT routers) can be
configured to always assign the same IP address to a host based on its
MAC address. So the host is configured for DHCP for its IP assignment
but the DHCP server in the router always gives that host the same IP
address. I had a D-Link DI-604 and this was quite handy to allow me to
configure all the hosts the same (using the default of DHCP in the TCP
setup) and control back at the router's DHCP server what "static" IP
address always got assigned to that host out of the available IP pool.
I could control the static IP address assignment at the router instead
of having to wander over to each host and go through the manual TCP
configuration process. Another advantage is that you could configure in
the router's DHCP setup which host was the target when punching through
its firewall to define a virtual server, like changing which host would
be the external exposed web server (so you could slide out a different
web host without having to touch the original web host). I miss having
the "static" IP assignment from the DHCP pool when my DI-604 died and I
replaced it with a Linksys BEFSR41.

> Of course, if the router had MAC filtering, you could block the
> machine's access to the Internet, since all NIC(s) have a unique MAC.
> But if you blocked by MAC, he or she could always change the NIC on
> their machine.

Depending on which operating system is used, the user of a host can
change the MAC address reported on the external interface of the NIC.
So while the hardware NIC might have a fixed MAC address, the
software-controlled MAC can be changed (I don't recall if it needs a
reboot). In Windows XP, for example, change the software-controlled MAC
in the device properties for the NIC. I think Windows 2000 can do this,
too, and an unconfirmed report from a Linux user said he could do it.
If the OS won't let you software-control the MAC address, the perp could
use their own NAT router that lets them enter whatever MAC address the
perp wants to use, like cloning the MAC off an allowed host (i.e.,
disconnect the hijacked host, insert the NAT router, reconnect the
hijacked host, clone the MAC address of the NAT router to be the same as
the hijacked host, and then connect the perp's host - a process that
many NAT router users are already familiar with).
Received on Thu Sep 29 19:53:31 2005
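Added example, not part of the thread: a small Python audit that takes a dump of the router's ARP/neighbour table and flags the router-side symptoms the replies describe, namely a blocked MAC that is still active, a host using a static address outside the DHCP pool (Duane's bypass), a reserved IP held by an unexpected MAC, and one MAC showing up at two addresses (a clone while the original host is still up). The subnet, the .2 to .5 pool, the MAC addresses, the block list and the "IP MAC" line format are all constructed assumptions for this example; a clone that replaces the allowed host outright produces no finding, which is the limit Vanguard's reply points out.

```python
from ipaddress import ip_address

# Layout from shay's description: DHCP pool is .2 to .5, one reservation per
# host. Subnet, addresses and MACs are constructed for this example.
POOL_START = ip_address("192.168.0.2")
POOL_END = ip_address("192.168.0.5")

# Reservation table: IP -> MAC of the host that should hold it (constructed).
RESERVATIONS = {
    ip_address("192.168.0.2"): "00:11:22:33:44:02",
    ip_address("192.168.0.3"): "00:11:22:33:44:03",
    ip_address("192.168.0.4"): "00:11:22:33:44:04",
    ip_address("192.168.0.5"): "00:11:22:33:44:05",
}
# The host that left the shared network; its MAC is on the router's block list.
BLOCKED_MACS = {"00:11:22:33:44:03"}


def parse_neighbours(text):
    """Parse 'IP MAC' lines (a constructed, whitespace-separated dump of the
    router's ARP/neighbour table). Blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_str, mac = line.split()[:2]
        entries.append((ip_address(ip_str), mac.lower()))
    return entries


def audit(entries):
    """Return (ip, mac, finding) tuples for hosts that do not fit the
    reservation scheme. Only what is visible from the router side is reported;
    a clone that replaces the allowed host entirely produces no finding."""
    findings = []
    seen_macs = {}
    for ip, mac in entries:
        if mac in BLOCKED_MACS:
            findings.append((ip, mac, "blocked MAC is active"))
        if not (POOL_START <= ip <= POOL_END):
            # A manually configured address outside the pool: the bypass
            # Duane describes, which pool size and reservations cannot stop.
            findings.append((ip, mac, "static IP outside DHCP pool"))
        elif RESERVATIONS.get(ip) != mac:
            findings.append((ip, mac, "reserved IP used by unexpected MAC"))
        if mac in seen_macs and seen_macs[mac] != ip:
            # Same MAC at two addresses: a cloned MAC while the original host
            # is still connected.
            findings.append((ip, mac, f"MAC also seen at {seen_macs[mac]}"))
        seen_macs.setdefault(mac, ip)
    return findings


# Constructed neighbour-table dump: three legitimate hosts, the blocked host
# back on its old address, a static address outside the pool, and a clone of
# host .4's MAC on a second address.
SAMPLE = """
# ip            mac
192.168.0.2     00:11:22:33:44:02
192.168.0.4     00:11:22:33:44:04
192.168.0.5     00:11:22:33:44:05
192.168.0.3     00:11:22:33:44:03
192.168.0.77    AA:BB:CC:DD:EE:FF
192.168.0.200   00:11:22:33:44:04
"""

if __name__ == "__main__":
    for ip, mac, finding in audit(parse_neighbours(SAMPLE)):
        print(f"{ip!s:15} {mac}  {finding}")
```

Running it against the constructed sample reports four findings; a dump containing only the reserved hosts at their reserved addresses reports none. The audit is a detection aid for the router's own controls, not a substitute for them: the thread's conclusion that MAC- and pool-based blocking can be worked around still stands.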