 From:  Steve Bertrand <steve at ibctech dot ca>
 To:  Mohammed Ismail <m dot ismael at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Thu, 30 Apr 2009 22:11:09 -0400
Mohammed Ismail wrote:
> So it is layer 2, then we need layer2 in m0n0wall

I think that you need to garner a better understanding before you make
such claims...

> What about broadcasting himself ?

What about broadcasting? Broadcasting has many scopes. If you are
concerned about your broadcast domain, you can:

- use Captive Portal to authenticate against RADIUS for access, and have
RADIUS force each user into their own VLAN (broadcast domain) via
attributes (if you use this functionality, then m0n0 has done its job)

- ensure that "ip directed broadcast" is disabled on ALL of your L2
equipment (do this no matter WHAT)

- that all of your L2 gear does not "proxy arp"

> Tells everybody that m0n0wall is on MAC IP every 1 sec,
> Like spoofing client's arp table each second,
> How about this? Somehow it helps clients to stay connected to m0n0wall
> instead of attacker,

This solution is not scalable. It sounds like this thread has gone from
ARP Poisoning to MitM, but that's ok.

If you perform the above, I will 'see' this, proceed to DoS/block your
ARPs (BTW, you obviously are allowing gratuitous arp ;) and put my own
on the wire(less).

> And having static ARP table in m0n0wall protect m0n0wall it self.

I'm losing traction on what you are trying to protect. Are you trying
to ensure that wireless users can't access each other, or the other side
of the NAT'd gateway?

> The problem is we cannot afford switches capable of layer2 filtering,
> And there must be other solution, and it could be done with FreeBSD, I just
> do not know how exactly, but I guess it will be set of rules

Affordable is understandable...

> 1- static ARP table

Depends on your setup. Can you provide a logical diagram, or at least
explain whom you are trying to protect from whom?

> 2- assign /32 subnetmask for clients 

If they are not in their own broadcast domain, I'll simply renumber into
the subnet you give me. From what I remember of your previous post, you
would provide me, an attacker, with a /32 within your 10/8 space:

- you assign 10.0.0.50/32 because I am an invader
- because I know you've assigned this via DHCP, I know the address
probably won't be in use elsewhere, so I:

# ifconfig re0 10.0.0.50/8

- now I'm right back into the same "broadcast domain" as all other clients
- I then find out the MAC of the DHCP server, poison the ARP table as to
appear as a new client, find out the IP of the default gateway AND
become the DHCP server if I want to

> 3- spoof network with m0n0wall real MAC IP pair every x sec

...you are trying to fight a losing battle by performing Layer-2 DoS on
your own network.

> And notice that not only netcut and spoofing there are also worms that arp
> poison the network, and such worms uses client IP table so if the client is
> isolated in his own subnetmask is not that enough?

No. There are seven layers in the OSI model. Each layer requires its own
protection. Each layer in between layers needs its own protection.

> Sorry for being annoying but it had been annoying me since a while,

You are not annoying. I can tell you are trying to learn, and you are
asking the right questions.

A decent book you may want to read is:

"Router Security Strategies: Securing IP Network Traffic Planes"

It's more geared to Layer-3, but it lays out security strategies at
Layer-2 quite nicely. It is geared toward Cisco, but even just
researching the book itself will put you in the right direction in which
you want to go.

Steve
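The fight Steve describes above, a gateway re-announcing its own IP/MAC pair every second while an attacker keeps claiming the same IP, has a very recognisable signature on the wire: the gateway's IP flips between two MACs several times a second, and every one of the attacker's replies contradicts the binding you already know to be correct. The following arpwatch-style monitor is an added example written for this page; it is not code from m0n0wall or from anyone in the thread. The gateway, client and attacker addresses are made up, and the packet trace is constructed inline rather than captured from a wire; on a real segment you would feed it ARP replies from a sniffer instead.

```python
"""Arpwatch-style monitor for the situation discussed in the thread: a gateway
that re-announces its IP/MAC pair every second while an attacker keeps
claiming the same IP.

Added example, not code from m0n0wall or from the thread.  All addresses
below are made up and the trace is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for cache poisoning."""
    ts: float          # seconds since start of trace
    sender_ip: str     # the IP the sender claims
    sender_mac: str    # the MAC it wants bound to that IP
    target_ip: str     # equal to sender_ip for a gratuitous announcement


def is_gratuitous(r: ArpReply) -> bool:
    """A gratuitous reply announces the sender's own IP to the segment."""
    return r.sender_ip == r.target_ip


class ArpMonitor:
    """Tracks IP->MAC bindings seen on the segment and raises two alerts:
    'violation' when a reply contradicts a trusted (static) binding, and
    'flip' when an IP's MAC differs from what was last seen for it.  A burst
    of flips on one IP is the wire signature of the "re-announce every
    second vs. attacker" fight described in the thread."""

    def __init__(self, trusted: dict[str, str]):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.last_mac: dict[str, str] = {}
        self.flips: dict[str, int] = defaultdict(int)
        self.gratuitous: dict[str, int] = defaultdict(int)   # per sender MAC
        self.alerts: list[tuple[float, str, str, str]] = []

    def observe(self, r: ArpReply) -> None:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        if is_gratuitous(r):
            self.gratuitous[mac] += 1
        # A static binding on the monitor catches the attacker even when the
        # legitimate gateway's announcements are being suppressed.
        if ip in self.trusted and mac != self.trusted[ip]:
            self.alerts.append((r.ts, "violation", ip, mac))
        prev = self.last_mac.get(ip)
        if prev is not None and prev != mac:
            self.flips[ip] += 1
            self.alerts.append((r.ts, "flip", ip, f"{prev}->{mac}"))
        self.last_mac[ip] = mac

    def flapping(self, ip: str, threshold: int = 3) -> bool:
        """True once an IP has changed MAC at least `threshold` times."""
        return self.flips[ip] >= threshold


GW_IP, GW_MAC = "10.0.0.1", "00:0c:29:aa:bb:cc"       # made-up gateway pair
ATK_MAC = "00:11:22:33:44:55"                           # made-up attacker NIC
CLIENT_IP, CLIENT_MAC = "10.0.0.50", "00:1b:21:de:ad:01"  # made-up client


def build_sample_trace() -> list[ArpReply]:
    """Constructed trace: the gateway announces itself at t=0,1,2,3; the
    attacker claims the gateway IP at t=1.3 and t=2.3; one ordinary client
    reply to the gateway at t=0.5."""
    def gw(t: float) -> ArpReply:
        return ArpReply(t, GW_IP, GW_MAC, GW_IP)

    def atk(t: float) -> ArpReply:
        return ArpReply(t, GW_IP, ATK_MAC, GW_IP)

    return [
        gw(0.0),
        ArpReply(0.5, CLIENT_IP, CLIENT_MAC, GW_IP),
        gw(1.0), atk(1.3), gw(2.0), atk(2.3), gw(3.0),
    ]


def run_trace(trace: list[ArpReply], trusted: dict[str, str]) -> ArpMonitor:
    """Replay a trace in timestamp order and return the populated monitor."""
    mon = ArpMonitor(trusted)
    for r in sorted(trace, key=lambda x: x.ts):
        mon.observe(r)
    return mon


if __name__ == "__main__":
    mon = run_trace(build_sample_trace(), {GW_IP: GW_MAC})
    for alert in mon.alerts:
        print(alert)
    print("gateway flapping:", mon.flapping(GW_IP))
```

Two things worth noticing when you run it. Every attacker reply trips the trusted-binding check regardless of what the gateway does, which is the detection-side value of the "static ARP" idea even when the switches cannot enforce it; and the flip counter climbs on both the attacker's claims and the gateway's own re-announcements, which is exactly why that tug of war is visible to anyone watching the segment, the attacker included.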