Hi All,
Can someone give me some hints on how to protect static ip address from being used by unauthorized users.
Appreciate any help.
Malo
Sam Kava
Internet Section
Tonga Communications Corporation
Salote Rd
Private Bag 4
Nuku'alofa
Tonga
Ph: 676 20059, 676 23807
email: samkava@kalianet.to
On 11 Nov 2004, at 21:15, Sam Kava wrote:
> Can someone give me some hints on how to protect static ip address from being used by unauthorized users.
Turn off services you don't need; install a packet-layer firewall which denies all inbound packets that you don't explicitly want to receive; don't run Windows.
Joe
Sam,
I use CheckPoint Firewall V4.1 which I only allow external IPs to enter - with restrictions. It also has an anti-spoofing feature.
Re Joe's follow-up post... I use Linux AND Windows ;-)
Rgds.,
Jon
----- Original Message ----- From: "Sam Kava" samkava@kalianet.to To: pacnog@pacnog.org Sent: Friday, November 12, 2004 2:15 PM Subject: [pacnog] protecting static ip address
pacnog mailing list pacnog@pacnog.org http://mailman.apnic.net/mailman/listinfo/pacnog
Jon Leeman wrote:
> Sam,
> I use CheckPoint Firewall V4.1 which I only allow external IPs to enter - with restrictions. It also has an anti-spoofing feature.
> Re Joe's follow-up post... I use Linux AND Windows ;-)
That's okay, we still like you. 8^)
Whether we want to or not, many of us do run Windows. My rule of thumb is not to rely on them in any way for security. In other words, even if a Windows computer offers certain security features, I try to supplement them with more proven implementations. I *use* Windows security features, but seldom if ever rely on them alone to do the job.
The recommendation that you block anything you don't explicitly use - and even then limit access to those ports and machines that you absolutely need - is the best policy.
If your budget is limited a PC running Linux at your gateway can be 'good enough'.
Sam, I hope I've correctly interpreted your intent.
You can "lock" MAC addresses of each machine on your LAN to its corresponding switch port. Then use DHCP to lease IP addresses according to MAC addresses. This way someone can't walk in with a machine, configure an unused IP address and then plug into the LAN and gain access.
However, a user can still manually configure an IP address and access the network (on the assigned switch port).
Alfred.
Guys,
Any tips on how to protect against IP address spoofing and IP address theft using a Cisco router would be appreciated. We are about to introduce ADSL services, and while Honiara will eventually be using a PPPoE BRAS for RADIUS-based IP address assignment, we may still want to set up smaller provincial sites without the benefit of a BRAS.
I was thinking of using a Static ARP Cache in the configuration of the router concerned, but if anyone has a suggestion about how to do this better, let me know. I expect IP address theft could still occur if someone changes the MAC address of the ADSL modem being used, which is fairly easy to do with most of them, but they would have to be able to sniff the packets concerned to get it in the first place, so it is probably not likely.
I note that IP address theft is not an issue for our dial-up users with static IP assignments coming in via the NAS.
Mark.
-----Original Message----- From: pacnog-bounces@pacnog.org [mailto:pacnog-bounces@pacnog.org] On Behalf Of Alfred Prasad Sent: Friday, 12 November 2004 2:22 PM To: Sam Kava Cc: pacnog@pacnog.org Subject: Re: [pacnog] protecting static ip address
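The MAC-to-IP bindings discussed in Alfred's and Mark's messages can also be checked after the fact. The following is an added example, not code from anyone in the thread: it compares a router ARP table with a list of authorised static assignments and reports addresses in use by the wrong hardware. The binding list, the addresses and the sample table (laid out like Cisco IOS `show ip arp` output) are constructed for illustration.

```python
import re

# Constructed sample: authorised static assignments (IP -> MAC), as kept for
# DHCP reservations or a static ARP cache. Not taken from the thread.
BINDINGS = {
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.11": "00:00:5e:00:53:0b",
    "192.0.2.12": "00:00:5e:00:53:0c",
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10             4    0000.5e00.530a  ARPA   FastEthernet0/0
Internet  192.0.2.11             0    0000.5e00.53ff  ARPA   FastEthernet0/0
Internet  192.0.2.12             -    0000.5e00.530c  ARPA   FastEthernet0/0
Internet  192.0.2.50             1    0000.5e00.530a  ARPA   FastEthernet0/0
Internet  192.0.2.60             0    Incomplete      ARPA
"""

def norm_mac(mac):
    """Reduce any common MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Yield (ip, mac) for each resolved entry; skip header and Incomplete."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet" and f[3].count(".") == 2:
            yield f[1], norm_mac(f[3])

def audit(bindings, arp_text):
    """Return findings as (kind, ip, mac) tuples, sorted."""
    owner = {norm_mac(m): ip for ip, m in bindings.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip in bindings and norm_mac(bindings[ip]) != mac:
            findings.append(("ip-claimed-by-wrong-mac", ip, mac))
        elif ip not in bindings and mac in owner:
            findings.append(("known-mac-on-unassigned-ip", ip, mac))
        elif ip not in bindings:
            findings.append(("unknown-host", ip, mac))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(BINDINGS, SAMPLE_ARP), sep="\n")
```

A host that also copies the authorised MAC address, the case Mark raises, produces no finding here, so this check complements per-port MAC locking rather than replacing it.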