Dan Ros wrote: >> -----Original Message----- >> From: Adrian Penisoara [mailto:[email protected]] >> >> We are facing service theft through impersonation, either >> solely IP >> or both IP and Ethernet MAC address. Securing IP access was solved >> using a static ARP scheme (we used "staticarp" for the >> internal gateway >> interface and tied to it a fixed list of IP/MAC tuples), but some of >> the clients learnt how to change both the IP and the MAC. > ... > > This sounds like a university residential halls network, am I right? > > For what it's worth, the university I attend has tried both DHCP by mac > address, static arp and so on. Eventually now they have given up and the > cost of the network connection is simply included in the rent for the room. > That way they do not have to worry about unauthorised access. I just had a simple thought: can you just physically unplug the network cable for the particular room from your router? You can't steal service w/out link. Not as nice as a programmatic solution, but probably as effective; I guess you'd just have to make sure each cable is labeled. Of course, this wouldn't prevent people from giving access to the friends next door if they have their own router. And, I suppose, if someone *really* wanted to steal internet access, they could open the wall and access the incoming cable to the room next door, and install a router secretly. --Chris _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"