Roger Harrison <RogerJHarrison2@aol.com> hath wroth:
>On Sat, 16 Jun 2007 15:29:20 GMT, John Navas wrote:
>>>>> That is, if I have three computers and I set the DHCP range from
>>>>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>>>>> a fourth computer?
>>>How can someone set an IP address manually?
>> Properties for the network connection.
>
>Hmmm... I've never heard of "security" by limiting the available IP
>addresses ... so there MUST be a fatal flaw in my argument ... but here it
>is...
>
>a. Assume the "bad guys" CAN change their IP address (a la John Navas'
>suggestion) ... but also assume the following conditions ...
They can. It's very easy to change the client's IP address manually.
It's also very easy to change the client's MAC address. That makes it
very easy to spoof any client that is only authenticated by its IP and
MAC addresses.
>b. The Wireless router is assigned to an "arbitrary" range, say the 3 IP
>addresses can be assigned to a limited contiguous range that the "bad
>guys" don't (yet) know (e.g., 192.168.145.128 to 192.168.145.120).
IP addresses are NOT exposed in encrypted packets, so such security by
obscurity will work if the link is encrypted. However, without
encryption, the IP address range that's in use is easily extracted by
sniffing.
>c. Assume that all three PCs are on the network so there are now zero
>available IP addresses.
You have two things going at the same time here. DHCP IP assignment
and Netmask. One does not "assign" the router to an arbitrary range
of IPs. It's done with Netmask using well known subnet masking
rules. That limits the available IPs that can be used to connect to
the router including blocking those that are manually assigned by the
client.
The DHCP range must by necessity be within the available IP range of
the Netmask. It can be smaller than the netmask range, but not
larger. (It also shouldn't include the router LAN IP address and the
broadcast address, as those can't be used by clients).
If you choose NOT to use Netmask, and leave it at the default /24,
you'll have 254 available IP addresses to choose from. You can set the
DHCP range for any smaller amount of IPs, and evil hackers like
myself can easily select an IP address that is *OUTSIDE* of the DHCP
range, and get a connection.
>My security question:
> How can the bad guy get in given those three assumptions above?
See above.
>If we can't figure out how (and of course, if we can't do it ourselves),
>then we've just uncovered a heretofore unknown wireless security method
>that has never before been seen in print!
Do you really need instructions on how to determine the IP address in
use and how to set up a static IP on the client? I'll make it easy. I
walk up to a Windoze machine and run:
Start -> run -> cmd <enter>
ipconfig
ipconfig /all | find "Address"
I now have the IP addresses in use, the gateway IP, and the MAC
address of the client. If I'm lazy, I just turn off the machine, and
use the same MAC address and set up the same IP address on my machine.
The DHCP server won't re-assign the IP to someone else because it will
first ping the IP to see if it's in use.
You left out far too many conditions and considerations:
1. Is the link encrypted?
2. What's the LAN netmask?
3. Where's the DHCP address pool?
4. Is there a MAC address filter?
5. Any 802.1x authentication? RADIUS authorization/authentication?
6. Any secure tunnels (VPN)?
In my never humble opinion, the only real security available is WPA or
WPA2 encryption. Even that has a problem in that shared keys can be
extracted from the client machines. Therefore, WPA2-RADIUS, which
does not use a shared key and delivers a unique key for the session,
is best. All the tricks with MAC and IP filters are worthless, as
anyone with a clue can work around them. I'll pretend not to mention
security by proprietary wireless protocols, which also has a fan club.
--
Jeff Liebermann
jeffl@cruzio.com
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
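As an added illustration (not from the thread), a small Python check of the two points made in the reply above: the DHCP pool must sit inside the netmask's range and must skip the router's LAN address and the broadcast address, and every host address the netmask allows but the pool does not is still available to a client that sets a static IP. The router address 192.168.1.254 in the /24 case and the /29 subnet are constructed values.

```python
import ipaddress


def check_dhcp_pool(cidr, router, pool_start, pool_end):
    """Validate a DHCP pool against the subnet defined by the netmask.

    Returns a list of problems: the pool must lie inside the subnet, must
    be ordered, and must not contain the router LAN address, the network
    address or the broadcast address (none of which clients may use).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    router = ipaddress.ip_address(router)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    if start not in net or end not in net:
        problems.append("pool extends outside the subnet")
    if start <= router <= end:
        problems.append("pool includes the router LAN address")
    if start <= net.network_address <= end:
        problems.append("pool includes the network address")
    if start <= net.broadcast_address <= end:
        problems.append("pool includes the broadcast address")
    return problems


def usable_outside_pool(cidr, router, pool_start, pool_end):
    """Host addresses a statically configured client could use that the
    DHCP server never hands out: all hosts in the subnet except the router
    and the pool. Only the netmask, not the pool size, shrinks this list."""
    net = ipaddress.ip_network(cidr, strict=False)
    router = ipaddress.ip_address(router)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [str(h) for h in net.hosts()
            if h != router and not (start <= h <= end)]


if __name__ == "__main__":
    # The original question: /24, pool .1-.3, router at .1 (pool overlaps router)
    print(check_dhcp_pool("192.168.1.0/24", "192.168.1.1", "192.168.1.1", "192.168.1.3"))
    # Default /24 with a 3-address pool: 250 addresses remain for static clients
    print(len(usable_outside_pool("192.168.1.0/24", "192.168.1.254", "192.168.1.1", "192.168.1.3")))
    # A /29 (6 hosts) with router .1 and pool .2-.4 still leaves two addresses
    print(usable_outside_pool("192.168.1.0/29", "192.168.1.1", "192.168.1.2", "192.168.1.4"))
```

Shrinking the netmask is the only one of the two settings that reduces the second list, and even a /29 sized for three clients leaves spare addresses, which is why the reply treats the pool size as no protection at all.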