> Perhaps I'm restating the obvious, but this would make it rather simple
> to defeat the captive portal... just hijack an already allowed IP.
> Looks like squid / Proxy Authentication may be a viable option.
> Uses HTTP/Authorization headers, not IP or MAC. To spoof this would of
> course require that the spoofer know the user/pass.
> On a (slightly) separate note, would it be possible to have a
> configurable check that only grants access to a IP/MAC pair that is
> registered by dhcpd?
> Josh McAllister
Depends on how big your address pool is ;-)
And depends on whether you CAN proxy it through squid.
I'm not talking about ISS / web services.
I'm considering Exchange, and other custom network apps that may be running
through various open ports.
If everyone had static IP's, maintaining the firewall would be "simple"...
block all to HOST: PORT / allow specific known hosts. Is it as good as a
VPN? no, could someone spoof? Maybe. But can the entire world probe and DOS
and try buffer overflow attacks? NO.
It's not a magic bullet, but it is what ammounts to a simple way for users
to self-maintain access to a service from wherever they may be. No client
software, no expensive VPN, but a 99% reduction in the threat (for someone
to obtain access, they would have to spoof the IP of an active session, and
THAT would only allow them access to the port - not authentication, etc.
In my perfect world, there would be a checkbox to remove the MAC check. Not
for everyone, but in this backwards situation, a simple but powerful tool.