* Is it possible to Jam windows network neighbour?
@ 2004-08-24 5:23 ads nat
From: ads nat @ 2004-08-24 5:23 UTC (permalink / raw)
To: netfilter
I am running a Redhat Linux 9.0 machine for routing as
well as iptables firewall for my network serving
win 98 clients. For security reasons I do not want win
98 clients to use peer to peer for transferring
files/data among them. In this case win 98 clients do
not need to talk to server.
Is it possible to jam the peer to peer network, so that
copying of files from one win 98 client to other can
be restricted?
Thanks for support.
* RE: Is it possible to Jam windows network neighbour?
@ 2004-08-24 12:18 Jason Opperisano
2004-08-24 12:41 ` Nick Drage
From: Jason Opperisano @ 2004-08-24 12:18 UTC (permalink / raw)
To: netfilter
> I am running a Redhat Linux 9.0 machine for routing as
> well as iptables firewall for my network serving
> win 98 clients. For security reasons I do not want win
> 98 clients to use peer to peer for transferring
> files/data among them. In this case win 98 clients do
> not need to talk to server.
> Is it possible to jam the peer to peer network, so that
> copying of files from one win 98 client to other can
> be restricted?
> Thanks for support.
a firewall can only filter traffic that passes through it. if your clients are all sitting on a LAN together, there is no way for an upstream firewall to keep them from communicating with each other.
-j
* Re: Is it possible to Jam windows network neighbour?
2004-08-24 12:18 Is it possible to Jam windows network neighbour? Jason Opperisano
@ 2004-08-24 12:41 ` Nick Drage
2004-08-24 17:09 ` Sanjay Arora
From: Nick Drage @ 2004-08-24 12:41 UTC (permalink / raw)
To: netfilter
On Tue, Aug 24, 2004 at 08:18:25AM -0400, Jason Opperisano wrote:
> > I am running a Redhat Linux 9.0 machine for routing as well as
> > iptables firewall for my network serving win 98 clients. For
> > security reasons I do not want win 98 clients to use peer to peer
> > for transferring files/data among them. In this case win 98 clients
> > do not need to talk to server.
> > Is it possible to jam the peer to peer network, so that copying of
> > files from one win 98 client to other can be restricted?
>
> a firewall can only filter traffic that passes through it. if your
> clients are all sitting on a LAN together, there is no way for an
> upstream firewall to keep them from communicating with each other.
Not quite true, sort of, but we're into Firewall / IPS ( Intrusion
Prevention System ) territory here. "Snort" *might* be able to deny
traffic on the network, failing that you're probably looking at
commercial software.
--
"I think a church with a lightning rod shows a decided lack of confidence"
* RE: Is it possible to Jam windows network neighbour?
@ 2004-08-24 13:09 Jason Opperisano
From: Jason Opperisano @ 2004-08-24 13:09 UTC (permalink / raw)
To: Netfilter Mailing List
> > a firewall can only filter traffic that passes through it. if your
> > clients are all sitting on a LAN together, there is no way for an
> > upstream firewall to keep them from communicating with each other.
>
> Not quite true, sort of, but we're into Firewall / IPS ( Intrusion
> Prevention System ) territory here. "Snort" *might* be able to deny
> traffic on the network, failing that you're probably looking at
> commercial software.
good point. something along the lines of setting up a snort box (with flexresp) on a SPAN port and watching for TCP 139/445 traffic and resetting the connections? i played around with this a while back, and i noticed that the snort box generally loses the race in the race condition, but it does effectively keep the hosts from communicating. not pretty, but effective enough.
need more coffee...
-j
* Re: Is it possible to Jam windows network neighbour?
2004-08-24 12:41 ` Nick Drage
@ 2004-08-24 17:09 ` Sanjay Arora
From: Sanjay Arora @ 2004-08-24 17:09 UTC (permalink / raw)
To: Netfilter Mailing List
On Tue, 2004-08-24 at 18:11, Nick Drage wrote:
> On Tue, Aug 24, 2004 at 08:18:25AM -0400, Jason Opperisano wrote:
>
> > > I am running a Redhat Linux 9.0 machine for routing as well as
> > > iptables firewall for my network serving win 98 clients. For
> > > security reasons I do not want win 98 clients to use peer to peer
> > > for transferring files/data among them. In this case win 98 clients
> > > do not need to talk to server.
>
> > > Is it possible to jam the peer to peer network, so that copying of
> > > files from one win 98 client to other can be restricted?
> >
> > a firewall can only filter traffic that passes through it. if your
> > clients are all sitting on a LAN together, there is no way for an
> > upstream firewall to keep them from communicating with each other.
>
> Not quite true, sort of, but we're into Firewall / IPS ( Intrusion
> Prevention System ) territory here. "Snort" *might* be able to deny
> traffic on the network, failing that you're probably looking at
> commercial software.
Could not one use a switch, VLAN and routing from one computer to
another through the firewall...all it should need is an IP address in
a different subnet for each computer and a routing command...though
maybe this is an oversimplification. One baseline is that users should
be normal windows users (uhhh...lamers) not linuxers ;-)
Sanjay.
* RE: Is it possible to Jam windows network neighbour?
@ 2004-08-24 17:30 Jason Opperisano
2004-08-24 18:36 ` Sanjay Arora
From: Jason Opperisano @ 2004-08-24 17:30 UTC (permalink / raw)
To: netfilter
> > > > I am running a Redhat Linux 9.0 machine for routing as well as
> > > > iptables firewall for my network serving win 98 clients. For
> > > > security reasons I do not want win 98 clients to use peer to peer
> > > > for transferring files/data among them. In this case win 98 clients
> > > > do not need to talk to server.
> >
> > > > Is it possible to jam the peer to peer network, so that copying of
> > > > files from one win 98 client to other can be restricted?
> > >
> > > a firewall can only filter traffic that passes through it. if your
> > > clients are all sitting on a LAN together, there is no way for an
> > > upstream firewall to keep them from communicating with each other.
> >
> > Not quite true, sort of, but we're into Firewall / IPS ( Intrusion
> > Prevention System ) territory here. "Snort" *might* be able to deny
> > traffic on the network, failing that you're probably looking at
> > commercial software.
>
> Could not one use a switch, VLAN and routing from one computer to
> another through the firewall...all it should need is an IP address in
> a different subnet for each computer and a routing command...though
> maybe this is an oversimplification. One baseline is that users should
> be normal windows users (uhhh...lamers) not linuxers ;-)
>
> Sanjay.
so, essentially, put every machine on its own dedicated subnet and have all traffic routed through the firewall? that sounds scalable...
-j
* RE: Is it possible to Jam windows network neighbour?
2004-08-24 17:30 Jason Opperisano
@ 2004-08-24 18:36 ` Sanjay Arora
2004-08-25 8:01 ` ads nat
From: Sanjay Arora @ 2004-08-24 18:36 UTC (permalink / raw)
To: Jason Opperisano; +Cc: Netfilter Mailing List
On Tue, 2004-08-24 at 23:00, Jason Opperisano wrote:
>
> so, essentially, put every machine on its own dedicated subnet and have all traffic routed through the firewall? that sounds scalable...
>
> -j
>
Never claimed scalable ;-)
Sanjay.
* RE: Is it possible to Jam windows network neighbour?
2004-08-24 18:36 ` Sanjay Arora
@ 2004-08-25 8:01 ` ads nat
From: ads nat @ 2004-08-25 8:01 UTC (permalink / raw)
To: skpobox, Jason Opperisano; +Cc: Netfilter Mailing List
O.K.
I am putting a fictitious situation as follows:
Linux server with iptables firewall acts as Gateway
for internet configured as DHCP server with only mac
address setup in DHCP configuration file, having win
98 clients.
Another Linux server acts as File server, having its
own iptables rules to block unwanted mac-addresses
same win 98 clients also acts as DHCP server.
Now win client setup have Gateway IP as IP of Internet
Gateway and WIN server IP as IP of file server.
DHCP HOWTO asks to add following lines for individual
clients in DHCP configuration file.
####
host xyz {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 192.168.1.222;
}
####
In this case can I use above setting by eliminating
line specifying IP address (fixed-address
192.168.1.222;
)?
so that IP address/subnet of client will not be known
to anybody.
Now if outside user with Laptop try to connect to this
network with one of the network switch, with consent
of any win 98 client user and in absence of
administrator by assigning any IP address of any subnet
(By trying permutation combination of 192.0.0.0,
10.0.0.0, 172.0.0.0) then will not get access to any
win 98 machine by network neighbour.
I am not sure whether this will work, I should try but
in the mean time is it feasible?
Hope I have made requirements clear.
Thanks for support.
--- Sanjay Arora <skpobox@hotpop.com> wrote:
> On Tue, 2004-08-24 at 23:00, Jason Opperisano wrote:
>
> >
> > so, essentially, put every machine on its own
> dedicated subnet and have all traffic routed through
> the firewall? that sounds scalable...
> >
> > -j
> >
> Never claimed scalable ;-)
>
> Sanjay.
>
>
>
>
* RE: Is it possible to Jam windows network neighbour?
@ 2004-08-25 12:10 Jason Opperisano
From: Jason Opperisano @ 2004-08-25 12:10 UTC (permalink / raw)
To: netfilter
> O.K.
> I am putting a fictitious situation as follows :
>
> Linux server with iptables firewall acts as Gateway
> for internet configured as DHCP server with only mac
> address setup in DHCP configuration file, having win
> 98 clients.
> Another Linux server acts as File server, having its
> own iptables rules to block unwanted mac-addresses
> same win 98 clients also acts as DHCP server.
>
> Now win client setup have Gateway IP as IP of Internet
> Gateway and WIN server IP as IP of file server.
>
> DHCP HOWTO asks to add following lines for individual
> clients in DHCP configuration file.
>
> ####
> host xyz {
> hardware ethernet 08:00:2b:4c:59:23;
> fixed-address 192.168.1.222;
> }
>
> ####
> In this case can I use above setting by eliminating
> line specifying IP address (fixed-address
> 192.168.1.222;
> )?
you can use the combination of "host xyz { hardware ethernet 08:00:2b:4c:59:23; }" in combination with "deny unknown-clients;" in your pool declaration to achieve this.
> so that IP address/subnet of client will not be known
> to anybody.
>
> Now if outside user with Laptop try to connect to this
> network with one of the network switch, with consent
> of any win 98 client user and in absence of
> administrator by assigning any IP address of any subnet
> (By trying permutation combination of 192.0.0.0,
> 10.0.0.0, 172.0.0.0) then will not get access to any
> win 98 machine by network neighbour.
if the laptop is connecting to the same switch as the "known" win 98 client, your internet gateway firewall is not really going to help you. fancy DHCP isn't going to help you either. the person with laptop can sit on the wire and figure out *very* quickly what IP addresses are assigned to the "known" win 98 clients.
your situation is one of the hardest to secure: your attacker with the laptop not only has physical access, but also has the consent of the victim, and there's no administrative presence... one defense would be to use win2000/xp on the "known" clients and lock them down via group policy and remove admin privileges from the users of those machines in an effort to save the users from themselves. my guess is that this is completely infeasible for your situation.
-j
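For reference, the host-plus-pool arrangement Jason describes, written out as an ISC dhcpd.conf fragment. This is an added example, not a configuration from the thread; the subnet, gateway address, host names and the second MAC address are constructed (the first MAC is the one the original poster quoted from the DHCP HOWTO).

```conf
# Added example (not from the thread): ISC dhcpd.conf that hands leases only
# to MAC addresses listed in host {} blocks. 192.168.1.0/24, the gateway
# address, the host names and the second MAC are constructed values.
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;             # the Linux iptables gateway
    option domain-name-servers 192.168.1.1;

    pool {
        # "unknown" = no matching host {} block below. An unlisted laptop
        # plugged into the switch is refused a lease from this range.
        deny unknown-clients;
        range 192.168.1.100 192.168.1.200;
    }
}

# Known Win 98 clients: hardware address only, no fixed-address, so the
# lease comes from the pool and no client IP is pinned in this file.
host win98-a {
    hardware ethernet 08:00:2b:4c:59:23;
}
host win98-b {
    hardware ethernet 08:00:2b:4c:59:24;    # constructed MAC
}
```

Check the syntax with `dhcpd -t -cf /path/to/dhcpd.conf` before restarting the server. As the reply above points out, this only withholds a DHCP lease; it has no effect on a machine that is given an address by hand.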