LAN port security: Slightly different twist
mjimenez at net.tufts.edu
Sun Sep 1 15:04:54 GMT 2002
My apologies for joining the discussion late.

For this fall we have enabled port-security on every port on our ResNet, limiting each port to a single MAC address. This MAC is held until the port loses link. We had already employed our own dynamic client registration system similar to NetReg, but this step was taken to eliminate hubs, switches, and especially rogue wireless APs.

We had fully realized that we would still be accessible to any student who decided to use a NAT solution, and recognize that with the state of cable modems in the home, many will figure this out. However, recently I had a new thought, and while I plan to do testing, I was hoping for some peer mental review as well.

My proposed solution is to turn down the TTLs of all packets leaving our routers and entering the switching domain of the ResNet to 1. The idea being that end-clients would still gracefully receive these packets, but that NAT boxes or anything doing routing to another segment would drop them on arrival. This combined with the 1 MAC per port security would hopefully stop students from extending the ResNet into places we didn't want it. I haven't thought of anything this will break yet, but it's a strange enough thing to do that I'd love some feedback.
Any thoughts welcome,
"Diplomacy" is saying "nice doggy" until you can find a big rock.
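The TTL behaviour the post relies on, as an added model that is not part of the original message: a directly attached host delivers a TTL-1 packet, a routing NAT box decrements it to 0 and discards it, and a layer-2 device (hub, switch, bridged AP) passes it untouched, which is why the MAC-per-port control is still needed alongside it. Device classes, addresses and packets are constructed for this example.

```python
"""Model of how a packet with TTL 1 fares at each kind of device on a
ResNet segment. Constructed illustration; addresses are made up."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str
    ttl: int
    path: list = field(default_factory=list)  # devices traversed


class Host:
    """End station: delivers any packet addressed to it that arrives with TTL >= 1."""

    def __init__(self, ip):
        self.ip = ip

    def receive(self, pkt):
        pkt.path.append(f"host {self.ip}")
        if pkt.dst == self.ip and pkt.ttl >= 1:
            return "delivered"
        return "dropped: not for this host"


class Bridge:
    """Layer-2 device (hub, switch, bridged AP): forwards frames without touching the IP TTL."""

    def __init__(self, inner):
        self.inner = inner

    def receive(self, pkt):
        pkt.path.append("bridge")
        return self.inner.receive(pkt)


class Router:
    """Layer-3 device (router or NAT box): decrements TTL and discards at 0 (RFC 1812)."""

    def __init__(self, inner):
        self.inner = inner

    def receive(self, pkt):
        pkt.path.append("router/NAT")
        pkt.ttl -= 1
        if pkt.ttl <= 0:
            return "dropped: ttl exceeded"
        return self.inner.receive(pkt)


def deliver(device, ttl, dst="10.0.0.5"):
    """Send a packet to dst with the given TTL through device; return (outcome, path)."""
    pkt = Packet(dst=dst, ttl=ttl)
    return device.receive(pkt), pkt.path
```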