On Sat, Feb 02, 2002 at 11:24:18PM -0500, Jeff Hellige wrote:
> > However, the
> > admin must assume that someone WILL just walk in and do
> > whatever they wish, when the admin least expects it...some people do
> > it because they're assholes, some just do it without thinking because
> > they weren't raised to have any manners. One must strive to make the
> > network resilient to such crap.
>
> True. I was looking at it from the point as to whether it
> was ok for someone to do it at all, regardless of what their motives
> might be behind it or whether the network was secure enough to handle
> it if someone did happen to do so. With our LAN for instance, we
> don't enable or allow DHCP at all...everyone is on static IP
> addresses. We're always having to track down conflicts though
> because there's a small group within the building that think they can
> do whatever they wish.
How about using DHCP to ground them? As in:

- all machines legitimately using the network are known, as well as
  their ethernet addresses,
- assign all those legitimate machines a (basically fixed) IP via
  DHCP,
- for all unregistered machines, offer them IP addresses in the
  127.0.0.0 range as well as themselves as their default router and other
  stuff to make their network connection a notwork connection.

You still get notified of them via the logs of your DHCP server and -
given suitable networking hardware - can track them down.
Regards,
Alex.
--
9/10 March 2002: 4. Chemnitzer Linux-Tag
http://www.tu-chemnitz.de/linux/tag/
"I sense much NT in you. NT leads to Blue Screen, Blue Screen leads to
downtime, downtime leads to suffering. NT is the path to the Dark Side."
-- Ellsworth, one small voice
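The scheme Alex sketches above, as an added example that is not part of the thread: a registry of known ethernet addresses is rendered into ISC dhcpd `host` declarations, unknown clients get a dead-end lease whose router is their own address, and the dhcpd syslog is audited for unregistered machines so they can be tracked down. All MACs, addresses and log lines are constructed; the quarantine range is an assumption (the post suggests 127.0.0.0, but many DHCP clients refuse loopback addresses, so a dummy range is used here).

```python
import re
from ipaddress import IPv4Network

# Constructed registry of legitimately known machines: MAC -> fixed IP.
KNOWN_HOSTS = {
    "00:0c:29:aa:bb:01": "192.168.10.11",
    "00:0c:29:aa:bb:02": "192.168.10.12",
}
LAN_ROUTER = "192.168.10.1"                  # assumed real default gateway
QUARANTINE_NET = IPv4Network("192.0.2.0/24")  # assumed dead-end range for unknowns

def dhcpd_host_blocks(registry=KNOWN_HOSTS):
    """Render ISC dhcpd 'host' declarations for the registered machines."""
    lines = []
    for i, (mac, ip) in enumerate(sorted(registry.items())):
        lines.append(f"host reg{i} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(lines)

def lease_for(mac, registry=KNOWN_HOSTS):
    """Decide what a client gets: its fixed IP, or a quarantine lease
    whose default router is the client's own address (the 'notwork')."""
    mac = mac.lower()
    if mac in registry:
        return {"ip": registry[mac], "router": LAN_ROUTER, "quarantined": False}
    # Derive a stable quarantine address from the MAC so repeat visitors are recognisable;
    # skip the network and broadcast addresses.
    idx = int(mac.replace(":", ""), 16) % (QUARANTINE_NET.num_addresses - 2) + 1
    ip = str(QUARANTINE_NET[idx])
    return {"ip": ip, "router": ip, "quarantined": True}

# Matches dhcpd's DISCOVER/REQUEST syslog lines, e.g. "DHCPDISCOVER from <mac> via eth0".
LOG_RE = re.compile(r"DHCP(?:DISCOVER|REQUEST) (?:for \S+ )?from ([0-9a-f:]{17}) via (\S+)", re.I)

def unregistered_clients(log_text, registry=KNOWN_HOSTS):
    """Scan dhcpd log lines; return {mac: interface} for clients not in the registry."""
    found = {}
    for m in LOG_RE.finditer(log_text):
        mac, via = m.group(1).lower(), m.group(2)
        if mac not in registry:
            found[mac] = via
    return found

# Constructed sample of dhcpd syslog output.
SAMPLE_LOG = """\
Feb  3 09:12:01 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0
Feb  3 09:12:02 dhcp dhcpd: DHCPREQUEST for 192.168.10.11 from 00:0c:29:aa:bb:01 via eth0
Feb  3 09:15:44 dhcp dhcpd: DHCPDISCOVER from 00:50:56:de:ad:01 via eth0
"""

if __name__ == "__main__":
    print(dhcpd_host_blocks())
    print(unregistered_clients(SAMPLE_LOG))
```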