echo: nthelp
to: Richard B.
from: Adam Flinton
date: 2004-12-17 23:50:16
subject: Re: Laptop Security

Richard B. wrote:
> On Fri, 17 Dec 2004 09:02:25 +0000, Adam Flinton
>  wrote:
>
>
>>A) Get the MAC address of the network card(s) in the machine.
>>
>>B) Set up DHCP to give out info on the basis of MAC addresses. You can do
>>it in reverse, i.e. a default for most & the "special set" for people
>>like him, i.e. only keep a list of the mobile machine MACs. If you want
>>to be safe, do it for all machines & make the DHCP only give out IP
>>addresses if the MAC is on one of the lists (i.e. mobile/fixed or
>>trusted/not trusted).
>
>
> I've done this at home but I understand there are hacks around this?
>

Not if you keep it simple.

Generally the fun starts once people want "exceptions".

Two lists:

MAC addresses of fixed devices & MAC addresses of mobile devices.

Assign TCP/IP settings on the remote DHCP client accordingly.

>
>>C) The DHCP setting for him/mobile devices sets the machine up in a
>>separate IP numbering system with a box given as a gateway (both to the
>>inet & the local lan).
>>
>>D) Filter/firewall that eth device on the gateway.
>>
>>You can do this for all "road warrior" laptop/mobile devices.
>
>
> Sounds like you've set this up...any common 'gotchas' from the users,
> i.e., typical problems to be resolved?
>

Mostly "exceptions". It depends on what ports are to be opened
& not which are to be shut.

Video/voice is still a pain (though GnomeMeeting is pretty solid &
Skype works on port 80 over HTTP).

If that is not a requirement then hey, why worry?

Cracks are usually created via badly handled "exceptions". Limit
the exceptions & limit the scope of crackage.

For example, he could share the same HTTP browser settings (incl. proxy
server etc.) with the "fixed" machines (& DNS etc.) &
participate in other services based on his ID & not his IP address anyway.

Depends on the level of security. You could see any capability of any browser
to "post", i.e. send data to an "HTTP handler" outside of
the company, as being more of a hole per se.

If it's spyware & exploits getting in then... treat all non-mobile as
being part of a more trusted "area" than the "mobiles".

Where "mobile" includes having another route out to the net (incl. modem or
WiFi or 3G/GPRS etc.).

Adam

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
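An added example, not part of Adam's post or Richard's thread: the two-list scheme above (steps A to D) written down for ISC dhcpd with an iptables box as the mobile gateway. The subnets, interface names, proxy/DNS address and the MAC addresses are all assumed or constructed for illustration; the script only prints the dhcpd config and the filter rules so they can be reviewed before being installed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout:
#   fixed machines  192.168.1.0/24, gateway 192.168.1.1
#   mobile machines 192.168.2.0/24, gateway 192.168.2.1 (same wire, own subnet)
#   PROXY is the web proxy + resolver the mobiles share with the fixed LAN
#   MOBILE_IF is the gateway interface facing the mobile subnet
FIXED_NET=192.168.1.0;  FIXED_GW=192.168.1.1;  FIXED_RANGE="192.168.1.100 192.168.1.200"
MOBILE_NET=192.168.2.0; MOBILE_GW=192.168.2.1; MOBILE_RANGE="192.168.2.100 192.168.2.200"
PROXY=192.168.1.10
MOBILE_IF=eth1

# Constructed MAC lists (not real hardware); in practice keep these in files.
FIXED_MACS="00:11:22:33:44:01 00:11:22:33:44:02"
MOBILE_MACS="00:11:22:33:44:a1"

# Normalise a MAC to lowercase colon form so list lookups are exact
# ("00-11-22-33-44-A1" and "00:11:22:33:44:a1" are the same card).
norm_mac() {
  printf '%s' "$1" | tr 'A-F-' 'a-f:'
}

# Which list is this MAC on?  Prints fixed, mobile or unknown.
mac_class() {
  m=$(norm_mac "$1")
  for x in $FIXED_MACS; do
    if [ "$x" = "$m" ]; then echo fixed; return 0; fi
  done
  for x in $MOBILE_MACS; do
    if [ "$x" = "$m" ]; then echo mobile; return 0; fi
  done
  echo unknown
}

# dhcpd.conf: one class per list keyed on the hardware address, one subnet
# per class inside a shared-network. Each pool only admits its own class,
# so a client on neither list matches no pool and gets no lease at all.
gen_dhcpd_conf() {
  cat <<EOF
class "fixed"  { match hardware; }
class "mobile" { match hardware; }
EOF
  # "1:" is the hardware type (ethernet) that dhcpd expects in front of the MAC.
  for x in $FIXED_MACS;  do echo "subclass \"fixed\" 1:$x;";  done
  for x in $MOBILE_MACS; do echo "subclass \"mobile\" 1:$x;"; done
  cat <<EOF
shared-network office {
  subnet $FIXED_NET netmask 255.255.255.0 {
    option routers $FIXED_GW;
    option domain-name-servers $PROXY;
    pool { allow members of "fixed"; range $FIXED_RANGE; }
  }
  subnet $MOBILE_NET netmask 255.255.255.0 {
    option routers $MOBILE_GW;
    option domain-name-servers $PROXY;
    pool { allow members of "mobile"; range $MOBILE_RANGE; }
  }
}
EOF
}

# Filter on the gateway's mobile-facing interface: the mobiles may reach the
# shared proxy and resolver, nothing else on the fixed LAN. Any later
# "exception" gets appended below the explicit DROP, so it cannot widen it.
gen_gateway_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $MOBILE_IF -d $PROXY -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i $MOBILE_IF -d $PROXY -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $MOBILE_IF -d $FIXED_NET/24 -j DROP
EOF
}

# Usage: ./twolists.sh dhcpd | rules | check <mac>
case "${1:-}" in
  dhcpd) gen_dhcpd_conf ;;
  rules) gen_gateway_rules ;;
  check) mac_class "$2" ;;
esac
```

The mobiles get no route to the fixed LAN except the proxy and resolver, which is the "participate by ID, not IP" arrangement from the post; a laptop with an unknown MAC is simply never given an address.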
SOURCE: echomail via fidonet.ozzmosis.com