I'm hardening my internal network router. Got under it 'bout 700 users.
Because I've recently noticed that user with proper IP will work accordingly if sets the ip statically in place of legitimate user I need to do sth to cut this down. Pernament ARP protects only from spoofing, but still the connection will work, because I'm checking only ip, giving it proper pipe and so on.
I was thinking about protection also with MAC. The question is, if it's gonna run smoothly. The machine is Intel Xeon E5506@2.13GHz 4-cores + 4GB DDR3 mem. :e
Beside I got other question, I got some kind of fail in firewall and illegitimate user will still be able to send request to Internet, but the packets way back will be sent all over the network, because I was setting the "not-working" ip-mac pernament entries like "x.x.x.x aa:bb:cc:dd:ee:ff". I changed it to router's lan mac, but it causes a loop inside router, which finishes accordingly to TTL.
But actually it should not because in the add I got rule like:
If you could give me some advice I'd really appreciate.
Btw. if someone was thinking about advising me 802.1x is not an option. Because is not supported by home routers.
Because I've recently noticed that user with proper IP will work accordingly if sets the ip statically in place of legitimate user I need to do sth to cut this down. Pernament ARP protects only from spoofing, but still the connection will work, because I'm checking only ip, giving it proper pipe and so on.
I was thinking about protection also with MAC. The question is, if it's gonna run smoothly. The machine is Intel Xeon E5506@2.13GHz 4-cores + 4GB DDR3 mem. :e
Beside I got other question, I got some kind of fail in firewall and illegitimate user will still be able to send request to Internet, but the packets way back will be sent all over the network, because I was setting the "not-working" ip-mac pernament entries like "x.x.x.x aa:bb:cc:dd:ee:ff". I changed it to router's lan mac, but it causes a loop inside router, which finishes accordingly to TTL.
But actually it should not because in the add I got rule like:
Code:
ipfw add 1999 deny ip from any to any via lan0If you could give me some advice I'd really appreciate.
Btw. if someone was thinking about advising me 802.1x is not an option. Because is not supported by home routers.