[NTLUG:Discuss] How do you secure a LAN?

David Stanaway david at stanaway.net
Sun Dec 29 20:05:55 CST 2002


On Sun, 2002-12-29 at 18:41, Bob Byron wrote:
> How do you secure a LAN?  Not every point of access is under my 
> complete control.
> 
> I want to make sure that no one connects any PCs that I don't know
> about to the company LAN.  What is the best way to secure it?  Ideally,
> I would like to have the LAN set up to do DHCP, however, with a user 
> name and password required to register with DHCP.  But, since that
> is not possible (that I know of), I am open for suggestions.

You can set up your dhcp server to issue leases based on the HWaddress.

Also, you can run a daemon called arpwatch which watches for new HW
addresses and sends an email to you when new nodes appear on the
network.

You could perhaps look at the source or documentation for that daemon
and change it a bit so that it fires your own custom script that blocks
traffic from new nodes on the network, or you could set up your firewall
to only allow access from known hwaddresses.

This is not perfect, but it should handle most cases. It is possible to
change the HW Address at runtime with some devices, and a sneaky person
could always use that to gain access, or just swap out the NIC from a
computer not being used, or just boot up their own OS on it.

-- 
David Stanaway <david at stanaway.net>
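
An added example, not part of the original post or of arpwatch itself: one way to audit observed hardware addresses against a registered list, the check the reply describes. The tab-separated record layout (MAC, IP, timestamp, optional hostname, with leading zeros dropped from the MAC) is an assumption about arpwatch's arp.dat; the allowlist, the sample records and the function names are constructed for illustration.

```python
import re

# Constructed allowlist: MAC -> IP the DHCP server is expected to hand out.
KNOWN_HOSTS = {
    "00:0a:95:9d:68:16": "192.168.1.10",
    "00:50:56:c0:00:08": "192.168.1.11",
}

# Constructed sample in the layout assumed for arpwatch's arp.dat:
# MAC <tab> IP <tab> epoch timestamp <tab> optional hostname
SAMPLE_ARP_DAT = """\
0:a:95:9d:68:16\t192.168.1.10\t1041213955\tfrontdesk
0:50:56:c0:0:8\t192.168.1.57\t1041214010\t
0:e0:4c:12:ab:cd\t192.168.1.99\t1041214200\tlaptop
not-a-mac\t192.168.1.5\t1041214300\t
"""

_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}([:-][0-9a-fA-F]{1,2}){5}$")


def normalize_mac(mac):
    """Return a MAC as lowercase, zero-padded, colon-separated; None if invalid."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        return None
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def audit(arp_dat, known):
    """Return (unknown, moved, malformed) findings for the given ARP records."""
    unknown, moved, malformed = [], [], []
    for line in arp_dat.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not line.strip():
            continue
        mac, ip = normalize_mac(fields[0]), fields[1].strip()
        if mac is None:
            malformed.append(line)
        elif mac not in known:
            unknown.append((mac, ip))            # node nobody registered
        elif known[mac] != ip:
            moved.append((mac, ip, known[mac]))  # registered MAC, unexpected IP
    return unknown, moved, malformed


if __name__ == "__main__":
    for kind, rows in zip(("unknown", "moved", "malformed"), audit(SAMPLE_ARP_DAT, KNOWN_HOSTS)):
        for row in rows:
            print(kind, row)
```

A registered MAC showing up on an unexpected IP is reported separately because, as the reply notes, a hardware address can be changed at runtime, so a matching address alone does not identify the machine.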



