[KLUG Members] Routing after validating IP address
Komal
agencies_ad1 at sancharnet.in
Wed Nov 23 06:58:40 EST 2005
> The short answer is "you don't use IP addresses for security". It's far
> too easy to change or spoof an IP address. You're going to have to try
> something else. Have these elevated privileges only available through
> an authenticating proxy server. Or put these machines on a separate
> network segment (or VLAN?), and lock the wiring closet so nobody moves
> the wires. It might even be possible to set up smart card
> authentication so that nobody gets the elevated privileges unless they
> have the card, depending on exactly what paranoia level you're after.
Hi
iptables has a MAC matching option. This is trivial to defeat though.
I think I would need to control this on your switches (802.1x + RADIUS), or
simple static ARP tables on the switch.
Regards,
Komal