Re: NetReg: iptables instead of DNS


From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Fri Apr 30 2004 - 12:12:33 CDT


Ole Craig wrote:

> (or maybe in addition to DNS.)
>
> We're deploying netreg with LDAP-based authorization to
> automate what has previously been a manual registration process. One
> of the "threats" which we were tasked to try and protect against was
> that of a somewhat-knowledgeable person bypassing the netreg DNS view
> with manual DNS server settings. (This is a computer science
> department, after all. :-)
>
> The solution I came up with is a perl script that manipulates
> an iptables chain in the nat table, such that unregistered MACs can't
> get packets off the private LAN -- all packets coming from an
> unregistered MAC get redirected to the gateway netreg box. This seems
> to work quite well, and was not difficult to integrate into netreg.
> Anyone have any interest in such a thing?

Common practice is to blackhole the unregistered IP address space. If
users steal IP addresses, then you must be able to connect a registration
system with a more centralized gateway, e.g. Carnegie Mellon's AuthBridge
coupled with their NetReg.

It would seem you have a network design that accommodates something similar,
in that all packets pass through your netreg box from this particular LAN
(given that you mention NAT). That is probably not typical, but most do
have traffic flowing through a core switch/router. Filtering there is
harder and vendor-specific. Some places have network bandwidth quota
systems that manipulate CAM tables, or apply MAC-specific rules.

-Robert
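The quoted message describes an iptables chain in the nat table that lets registered MACs through and redirects every other packet arriving on the private LAN to the netreg gateway. The script below is an added illustration of that rule layout in POSIX shell; it is not Ole's Perl script and not part of the netreg project. The interface name, portal address, chain name and registered-MAC list are constructed for the example. The functions print the iptables commands rather than executing them, so the generated rule set can be reviewed or diffed before being piped to sh on the gateway.

```shell
#!/bin/sh
# Added example, not netreg code: generate the nat-table rules for a
# registration gateway. Assumed (constructed) values: the private LAN is on
# eth1, the netreg portal listens on 10.0.0.1:80, the chain is named NETREG.

LAN_IF="${LAN_IF:-eth1}"
PORTAL_IP="${PORTAL_IP:-10.0.0.1}"
PORTAL_PORT="${PORTAL_PORT:-80}"
CHAIN="${CHAIN:-NETREG}"

# Constructed sample registration database: one MAC per line, '#' comments
# and blank lines allowed. A real deployment would read this from netreg's
# own database or an LDAP query.
REGISTERED_MACS='
# registered hosts (constructed sample data)
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
'

# Accept only a colon-separated 48-bit MAC; anything else is rejected so a
# malformed registration record can never turn into a broken iptables call.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the commands that (re)build the whole chain from the MAC list.
netreg_rules() {
  # Create the chain, or flush it if it already exists, so reruns are idempotent.
  echo "iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN"
  # Hook the chain into PREROUTING for packets entering from the LAN side;
  # -C checks for an existing jump so the hook is only appended once.
  echo "iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null ||" \
       "iptables -t nat -A PREROUTING -i $LAN_IF -j $CHAIN"
  # Registered MACs RETURN from the chain and are routed normally.
  printf '%s\n' "$REGISTERED_MACS" | while read -r mac; do
    case "$mac" in ''|\#*) continue ;; esac
    if valid_mac "$mac"; then
      echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -j RETURN"
    else
      echo "# skipped malformed registration entry: $mac" >&2
    fi
  done
  # Everything else from an unregistered MAC goes to the netreg box:
  # TCP is pointed at the portal port, all other protocols (DNS over UDP
  # included) at the gateway address itself.
  echo "iptables -t nat -A $CHAIN -p tcp -j DNAT --to-destination $PORTAL_IP:$PORTAL_PORT"
  echo "iptables -t nat -A $CHAIN -j DNAT --to-destination $PORTAL_IP"
}

# Print the command that admits one newly registered MAC without rebuilding
# the chain; -I ... 1 puts the RETURN ahead of the catch-all DNAT rules.
netreg_add_mac() {
  if ! valid_mac "$1"; then
    echo "netreg_add_mac: invalid MAC address: $1" >&2
    return 1
  fi
  echo "iptables -t nat -I $CHAIN 1 -m mac --mac-source $1 -j RETURN"
}

# Usage on the gateway (review first, then apply):
#   sh netreg-rules.sh                # print the rule set
#   sh netreg-rules.sh | sh           # apply it
#   netreg_add_mac 00:de:ad:be:ef:01 | sh
case "${1:-}" in
  add) netreg_add_mac "$2" ;;
  rules) netreg_rules ;;
esac
```

Two caveats follow from where this sits. The nat table only sees the first packet of a connection, so after a host registers, its existing connection-tracking entries still point at the portal until they expire or are flushed (conntrack -F, where the conntrack tool is available). And, as Robert's reply implies, a MAC-keyed rule is only as strong as the MAC: a user who copies a registered neighbour's address passes this check, so the nat chain should be paired with logging of MAC/IP pairs seen on the LAN interface to detect such collisions.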




This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:45 CDT