
How can I force all the network machines to get the IP from the DHCP server and prevent them from manually editing the network configuration? There are both Linux and Windows machines. The DHCP server is Debian. Currently it works, but if someone sets the IP manually from their machine, we have a problem.

My router can't be configured to force the DNS by installing something like DD-WRT. We use IPTV and the router has those settings embedded. Can't change it. How can I do this without the help of the router?

THpubs
You can't prevent people with ROOT access from changing configuration files on a Linux/Unix system. However, on a Windows system you can probably use group policy settings to prevent these types of changes. – mdpc Oct 19 '14 at 07:13

2 Answers

2

You can't control somebody else's computer. If somebody else has "Administrator" or superuser-level access to the machine then all bets are off.

You're better off doing this in the network, where you can control things. I see you say "...without the help of the router", but enforcing network policy with the network equipment gives you the best chance of a positive outcome.

If I were going to put this together myself I'd think about using something like arpwatch to alert on changes to MAC/IP pairs. You could even tie in scripts to locate and disable ports on a managed switch, if you were willing to take the time to write the scripts (and had managed switches, obviously).

Evan Anderson
1

First of all you have to use a managed switch. If you are not using a managed switch, then nothing is stopping a person with sufficient privileges on individual machines from simply spoofing a MAC address of another machine. Once the MAC address is being spoofed, there is no way to tell the difference between the two.

With a managed switch you can either whitelist or blacklist certain combinations of switch port and MAC address. You can also install permanent entries in the CAM such that the switch won't learn them based on packets seen on the network.

This won't prevent ARP spoofing, but ARP spoofing is something you can look out for. More advanced managed switches may have features to prevent ARP spoofing (if you are going down that route, ensure the switch can also prevent ND spoofing, otherwise you are going to get some nasty surprises.)

Alternatively you can use the VLAN capability present on managed switches. By putting two switch ports in different VLANs, they are completely separated. This does mean that you need a router capable of routing between tagged VLANs.

A drawback of this approach is that all internal traffic between individual hosts has to go through the router. The link between switch and router can quickly become a bottleneck.

High-end switches are actually a hybrid router and switch in the same chip. Whether it behaves as a switch or a router entirely depends on configuration. This can address the bottleneck. You can reconfigure your switch to behave as a router instead.

This is really the direction to go if you want as much isolation as possible. Forget about switches and only use routers. Don't buy any switch unless it can be reconfigured as a router. For many use cases this would be overkill.

kasperd