Re: Blocking access to a network

From: Duane ;-\) <Notme@Notme.com>
Date: Tue May 31 2005 - 18:15:56 CEST

"Vanguard" <Vangu@rd.invalid> wrote in message
news:-_2dnVdhvN_NGgHfRVn-qw@comcast.com...
> "Duane Arnold" <Notme@notme.com> wrote in message
> news:V8%me.22716$IC6.15734@attbi_s72...
>> shay wrote:
>>
>>> Hi all,
>>> I have a Netgear DG834 ADSL Firewall Router with 4 PCs connected to it.
>>> I have set the router to reserve IPs to certain MAC addresses, e.g.
>>> IPs ending 2 - 5.
>>>
>>> I have set the router as a DHCP server for IPs starting at 2 and
>>> ending at 5, so I think in theory no one else could connect to the router
>>> as there are no more IPs in the pool.
>>>
>> That is true. However, since the router is not a wireless router where a
>> wireless attacker could obtain a DHCP IP from the router for their machine
>> to exploit a wireless connection is when limiting the number of DHCP IP(s)
>> that can be issued by the router would really mean anything.
>>
>>> The person that uses computer on ip No 3 has decided to pull out of the
>>> network (as we all split the costs) so I want to stop him from simply
>>> reconnecting and using the network.
>>>
>>> I have set the firewall to block all traffic on this IP. E.g.
>>>
>>
>> So, what if the person was able to get on to your network and uses one of
>> the router's static IP(s) where he configured the NIC on his or her
>> computer and used a static IP? A static IP is any IP on the router that is
>> not controlled by the DHCP server on the router.
>
> Not entirely true. The DHCP server (in some NAT routers) can be
> configured to always assign the same IP address to a host based on its MAC
> address. So the host is configured for DHCP for its IP assignment but the
> DHCP server in the router always gives that host the same IP address.

Yes, that information is in the DHCP table and the IP is linked to the MAC
of the NIC.
That information can also be deleted out of the DHCP table on the
router. The Linksys routers have that ability. My Watchguard doesn't have
this ability.

> I had a D-Link DI-604 and this was quite handy to allow me to configure
> all the hosts the same (using the default of DHCP in the TCP setup) and
> control back at the router's DHCP server what "static" IP address always
> got assigned to that host out of the available IP pool. I could control
> the static IP address assignment at the router instead of having to wander
> over to each host and go through the manual TCP configuration process.
> Another advantage is that you could configure in the router's DHCP setup
> which host was the target when punching through its firewall to define a
> virtual server, like changing which host would be the external exposed web
> server (so you could slide out a different web host without having to
> touch the original web host). I miss having the "static" IP assignment
> from the DHCP pool when my DI-604 died and I replaced it with a Linksys
> BEFSR41.

Some devices have more features than others.

>
>> Of course, if the router had MAC filtering, you could block the machine's
>> access to the Internet, since all NIC(s) have a unique MAC. But if you
>> blocked by MAC, he or she could always change the NIC on their machine.
>
> Depending on which operating system is used, the user of a host can change
> the MAC address reported on the external interface of the NIC. So while
> the hardware NIC might have a fixed MAC address, the software-controlled
> MAC can be changed (I don't recall if it needs a reboot).

Yes, I have heard of software that can change or simulate the MAC of the NIC.

> In Windows XP, for example, change the software-controlled MAC in the
> device properties for the NIC. I think Windows 2000 can do this, too, and
> an unconfirmed report from a Linux user said he could do it.

I looked at the NIC on XP pro and didn't see anything obvious.

> If the OS won't let you software-control the MAC address, the perp could
> use their own NAT router that lets them enter whatever MAC address the
> perp wants to use, like cloning the MAC off an allowed host (i.e.,
> disconnect the hijacked host, insert the NAT router, reconnect the
> hijacked host, clone the MAC address of the NAT router to be the same as
> the hijacked host, and then connect the perp's host - a process that many
> NAT router users are already familiar with).

Yes, the MAC cloning feature on a router could be used.

There is always more than one way to skin a cat.

Duane :)
Received on Thu Sep 29 19:53:31 2005
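The thread's point is that an IP block or MAC filter on the router is only as good as the assumption that the reservation table still matches reality. A defender-side check that follows from that, written as an added example (not code from the original post or from any router vendor): compare the router's DHCP reservation table against the addresses actually seen on the LAN (an ARP or neighbour table), and flag a reserved IP used by a different MAC, a blocked MAC that is still present, or a LAN IP outside the reserved range. All table contents below are constructed.

```python
"""Audit a router's DHCP reservations against what is seen on the LAN.
Added example; RESERVATIONS, SAMPLE_ARP and BLOCKED_MACS are constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed LAN range
ROUTER = "192.168.0.1"                          # assumed router address

# Constructed reservation table: IPs .2-.5 pinned to MACs, as in the thread.
RESERVATIONS = {
    "192.168.0.2": "00:11:22:33:44:02",
    "192.168.0.3": "00:11:22:33:44:03",   # host that left the network
    "192.168.0.4": "00:11:22:33:44:04",
    "192.168.0.5": "00:11:22:33:44:05",
}
BLOCKED_MACS = ["00:11:22:33:44:03"]     # MAC filtered out on the router

# Constructed ARP snapshot: (ip, mac) pairs seen on the LAN.
SAMPLE_ARP = [
    ("192.168.0.1", "00:11:22:33:44:01"),
    ("192.168.0.2", "00-11-22-33-44-02"),   # same MAC, different notation
    ("192.168.0.3", "aa:bb:cc:dd:ee:ff"),   # reserved IP, unknown NIC
    ("192.168.0.77", "00:11:22:33:44:03"),  # blocked MAC on a static IP
]

def norm(mac):
    """Canonical lowercase colon-separated form for MAC comparison."""
    return mac.lower().replace("-", ":")

def audit(reservations, arp_entries, blocked_macs=()):
    """Return (ip, mac, finding) tuples for LAN entries that contradict the
    reservation table. A single entry may produce more than one finding."""
    expected = {ip: norm(m) for ip, m in reservations.items()}
    blocked = {norm(m) for m in blocked_macs}
    findings = []
    for ip, mac in arp_entries:
        mac = norm(mac)
        if ip == ROUTER:
            continue
        if mac in blocked:
            findings.append((ip, mac, "blocked MAC still present"))
        if ip in expected:
            if expected[ip] != mac:
                findings.append((ip, mac, "reserved IP used by unexpected MAC"))
        elif ipaddress.ip_address(ip) in LAN:
            findings.append((ip, mac, "IP outside DHCP reservations"))
    return findings

if __name__ == "__main__":
    for ip, mac, finding in audit(RESERVATIONS, SAMPLE_ARP, BLOCKED_MACS):
        print(f"{ip:<14} {mac}  {finding}")
```

On a real network the ARP snapshot would come from the router's neighbour table or a periodic `arp -a` on a trusted host; the check does not stop a cloned MAC on its own, but it makes the reuse visible.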