A Linux servers on a predominately Windows network

Discussion in 'other security issues & news' started by Sherif Mansour, Nov 29, 2005.

Thread Status:
Not open for further replies.
  1. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    Hi guys I was toying with Virtual machines the other day and I was wondering what do you need to configure in place so that when u have a Linux server like a gateway to prevent any one from taking that IP (some internal network pc taking its IP address)? I have had this issue with a few tests and was wondering what u guys recommend
     
  2. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Is it a network with static ip addresses or are you using DHCP or BOOTP
    in this network?

    Do you want to prevent another pc to set the same ip as your Linux system has?

    With other words,do you want to prevent a duplicate ip?
    Or just a fake server?

    There are options for this,but is it a small or large network?

    What you can do, is place the pc's you don't want to have the same ip as your linux system in another subnet by using a router (NAT).

    Example:

    You have your pc's and linux machine on a private subnet , ip's range like
    192.168.0.x .

    What you can do, is place your linux system (or servers)
    behind a router in another subnet with an ip range like:
    10.0.0.x (x = a legal number)

    Because if your are using DHCP or BOOTP you can set each ip
    on the mac-address of the specific system, but this doesn't prevent,
    you from anyone setting a static IP and generating a conflict
    (duplicate ip or worse fake an server)

    There are also other options, you can use a firewall ,
    or 3th layer switch, a complex router, these can filter on mac-adresses.
    But if people have a bit of network knowledge they are able to spoof
    a mac-address as well.

    So, i think the best way is to connect the untrusted pc's in their
    own subnet, whatever they do, you can always prevent them
    spoofing a server ip that way.

    (unless they change all the pc's ip-addresses, then the other pc's or clients will still think that the fake ip is the real Linux machine).

    We use a cabletron 3th layer switch for this, that way we can see which cable and outlet they are using,what the ip and mac address is and what their location (room) is.
    And if they are trying to fake or spoof things, we (autom.) drop them in a 'dead lan' so they can't do
    any networking until they are allowed to have access again.

    (this is on a large network > 1000 clients)

    But if your network is small you can use a 50$ router/firewall as well

    Good luck
     
  3. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    That Linux server in particular is going to be the internal gateway so its one the same subnet as the rest of the internal netowrk (atleast one interface anyways) so the real question was how do you stop windows machines from taking a linux IP address one the same subnet
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is the Linux server/gateway also the DHCP server for the LAN?
    Can you exclude certain IP's from the DHCP pool (the server)?
    Can you define a range of IP's for the DHCP pool/ other systems?

    Regards,

    CrazyM
     
  5. Sherif Mansour

    Sherif Mansour Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    10
    It’s not the DHCP Server of the LAN
    I don't think Its a DHCP problem cuz were are talking about manually setting the IP address as well, and because when a machine changes its IP address to anything else and broadcasts its Address there is no layer three network device to stop it, and the Linux device in question happens the be the gateway.
    The questions we need answered for are:

    How can we force that the Linux workstation doesn’t lose its IP address to windows workstation when there is an IP conflict between both workstations?

    Are the network cards involved in any part in this process?
     
  6. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Hi sherif, first of all it doesn't make a difference
    if you are talking about a linux or Windows system,
    it is about TCP/IP.

    Unless you run other protocols as well, but those are not needed, in fact you must not use them.


    The answer is again a firewall/router.
    Although you have told me that the Linux computer
    is the gateway, there is NO reason NOT to place him in another subnet.
    In fact this is really the solution to your problem.

    Example:

    All your systems are in the 192.168.0.x range
    in your Linux system act like a gateway and has
    ip 192.168.0.1 (just an example)

    That means that all other systems have their gateway set to 192.168.0.1

    Solution:

    You connect your new router/firewall on this network with it's LAN-side.
    Then you give it a LAN ip of 192.168.0.1

    On the other side (mostly named WAN), but it is in fact just antoher subnet.

    You connect your LINUX cable that was previous the 192.168.0.1 and is now renamed 10.0.0.1

    And your problem is solved.

    Of course you can choose to switch the ranges
    10.0.0.x and 192.168.0.x if this is easier with your other hardware.

    Now your linux system is the only system BEHIND the new router firewall, everybody that wants
    to connect to it have to do NAT
    (Network Address Translation)
    to transfer from the one subnet to the other.
    NOBODY can fake the ip of Linux

    If a PC want to act like another the LINUX box
    he have to fake another subnet (not possible)

    If another PC wants to act like the IP of the Firewall/router it can be blocked on MAC-Address.

    But what exactly is the problem?

    Is it that a pc wants to act as a gateway router?

    Or do you have network problems because of duplicate ip-addresses ?
     
Loading...
Thread Status:
Not open for further replies.