Network security, DHCP, and Linux

 
 
jqpx37@iprive.com
Guest
Posts: n/a

 
      07-06-2006, 05:16 PM
I'm setting up a webserver using Linux, Apache, and a fixed IP address.

Clients connecting will be Windows XP Pro. Their IP addresses are
assigned by DHCP.

The Linux security texts I've consulted talk about network security in
the context of fixed IPs. That is, things like tcpwrappers, xinetd,
apache configuration files, and packet filtering in the kernel all
imply that one goes about letting hosts connect to the server based on
their IP address.

What to do if the addresses are assigned by DHCP?

TIA.

 
 
 
 
 
Davide Bianchi
Guest
Posts: n/a

 
      07-06-2006, 05:22 PM
On 2006-07-06, (E-Mail Removed) <(E-Mail Removed)> wrote:
> What to do if the addresses are assigned by DHCP?


Who is maintaining the dhcp server? You are, right? So you know which
IPs you can see and which one you should never ever see.

Davide

--
Don't worry about people stealing your ideas. If your ideas are any good,
you'll have to ram them down people's throats.
-- Howard Aiken
 
 
Mikhail Zotov
Guest
Posts: n/a

 
      07-06-2006, 05:32 PM
On 6 Jul 2006 10:16:05 -0700
(E-Mail Removed) wrote:
> Clients connecting will be Windows XP Pro. Their IP addresses are
> assigned by DHCP.
>

....
>
> What to do if the addresses are assigned by DHCP?


To get to know the pool of IP addresses assigned by DHCP.

M.

 
 
jqpx37@iprive.com
Guest
Posts: n/a

 
      07-06-2006, 06:38 PM

Davide Bianchi wrote:
> On 2006-07-06, (E-Mail Removed) <(E-Mail Removed)> wrote:
> > What to do if the addresses are assigned by DHCP?

>
> Who is maintaining the dhcp server? You are, right? So you know which
> IPs you can see and which one you should never ever see.


No, I work in a large organization and I don't maintain the DHCP
server.

I suppose (as e.g. per Mikhail Zotov's post) that I could just observe
the pattern of IPs assigned.

Or I assume the IPs assigned are always in the proper subnet, and I
could just let in the entire subnet.

> Davide
>
> --
> Don't worry about people stealing your ideas. If your ideas are any good,
> you'll have to ram them down people's throats.
> -- Howard Aiken


 
 
Andrew Schulman
Guest
Posts: n/a

 
      07-06-2006, 07:02 PM
> I'm setting up a webserver using Linux, Apache, and a fixed IP address.
>
> Clients connecting will be Windows XP Pro. Their IP addresses are
> assigned by DHCP.
>
> The Linux security texts I've consulted talk about network security in
> the context of fixed IPs. That is, things like tcpwrappers, xinetd,
> apache configuration files, and packet filtering in the kernel all
> imply that one goes about letting hosts connect to the server based on
> their IP address.
>
> What to do if the addresses are assigned by DHCP?


You don't say whether the clients are only from some part of your LAN, or
anywhere on the Net.

If they're only from some part of the LAN, then you could admit that entire
subnet, as you said.

If they're anywhere on the Net, then obviously screening based on IP
addresses won't work. So you have to go to some kind of VPN: either they
connect via SSH, and tunnel HTTP over that; or you run an HTTPS server with
client verification; or they use some other VPN technology to connect to a
LAN gateway, and then connect from there to your server, which can accept
connections only from the LAN.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"
 
 
jqpx37@iprive.com
Guest
Posts: n/a

 
      07-06-2006, 07:13 PM

Andrew Schulman wrote:
> > I'm setting up a webserver using Linux, Apache, and a fixed IP address.
> >
> > Clients connecting will be Windows XP Pro. Their IP addresses are
> > assigned by DHCP.
> >
> > The Linux security texts I've consulted talk about network security in
> > the context of fixed IPs. That is, things like tcpwrappers, xinetd,
> > apache configuration files, and packet filtering in the kernel all
> > imply that one goes about letting hosts connect to the server based on
> > their IP address.
> >
> > What to do if the addresses are assigned by DHCP?

>
> You don't say whether the clients are only from some part of your LAN, or
> anywhere on the Net.


Good point. From part of the LAN.

> If they're only from some part of the LAN, then you could admit that entire
> subnet, as you said.


Is there any more accurate method than that---e.g. somehow querying the
DHCP server by some kind of hostname? (I must admit I know very little
about DHCP.)

Not that the subnet method isn't a "good enough" solution; just
wondering if I can do more than that.

Thanks for your reply.

Cheers.

<snip>

 
 
Colin McKinnon
Guest
Posts: n/a

 
      07-06-2006, 07:36 PM
Please don't cross-post.

(E-Mail Removed) wrote:

> I'm setting up a webserver using Linux, Apache, and a fixed IP address.
>
> Clients connecting will be Windows XP Pro. Their IP addresses are
> assigned by DHCP.
>
> The Linux security texts I've consulted talk about network security in
> the context of fixed IPs.


Be careful - you should never rely on host based IP addresses - but you
should be able to rely on the network addresses of subnets where you
control the connection and routing to the machine checking the addresses.

> What to do if the addresses are assigned by DHCP?
>

You set up a default policy rejecting connections and you allow those
subnets in your DHCP access.

C.
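
The default-deny policy with only the DHCP-served subnets admitted, which this thread converges on, shown as an added example that is not part of any poster's message: a POSIX shell script that prints an iptables-restore ruleset. The port and the two subnets are constructed placeholders (documentation ranges), and `valid_cidr` and `emit_rules` are names made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread: print an iptables-restore ruleset that
# drops inbound traffic by default and admits one TCP port from listed subnets.

# valid_cidr CIDR: succeed only for a.b.c.d/len with octets 0-255, len 1-32.
# A /0 is refused because it would silently undo the default-deny policy.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rules PORT CIDR...: print the ruleset, or print nothing and fail if
# the port or any subnet is malformed, so a typo never yields a partial policy.
emit_rules() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default policy: drop everything inbound
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for net in "$@"; do
        echo "-A INPUT -s $net -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample values (documentation ranges standing in for DHCP pools).
emit_rules 80 192.0.2.0/24 198.51.100.0/25
```

The script only prints rules; checking the output with `iptables-restore --test` before loading it catches syntax problems without touching the running firewall.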
 
 
Volker Birk
Guest
Posts: n/a

 
      07-06-2006, 07:39 PM
In comp.security.firewalls (E-Mail Removed) wrote:
> The Linux security texts I've consulted talk about network security in
> the context of fixed IPs. That is, things like tcpwrappers, xinetd,
> apache configuration files, and packet filtering in the kernel all
> imply that one goes about letting hosts connect to the server based on
> their IP address.
> What to do if the addresses are assigned by DHCP?


Choose a local network. Filter fake traffic away on the zone border.
Allow this local network. Configure DHCP so that only addresses of this
local network are spread locally.

If you have to control physical access, do so - or use 802.1x or
something like that.

Yours,
VB.
--
"If you want to play with a piece of windows software that makes you
click all over the place, there's always minesweeper."

Kyle Stedman about "Personal Firewalls" in c.s.f
 
 
Ertugrul Soeylemez
Guest
Posts: n/a

 
      07-06-2006, 11:18 PM
(E-Mail Removed) (06-07-06 10:16:05):

> I'm setting up a webserver using Linux, Apache, and a fixed IP address.
>
> Clients connecting will be Windows XP Pro. Their IP addresses are
> assigned by DHCP.
>
> The Linux security texts I've consulted talk about network security in
> the context of fixed IPs. That is, things like tcpwrappers, xinetd,
> apache configuration files, and packet filtering in the kernel all
> imply that one goes about letting hosts connect to the server based on
> their IP address.
>
> What to do if the addresses are assigned by DHCP?


You cannot authenticate users by their IP addresses, as they can be
faked easily. Instead, set up OpenVPN [1] and do your DHCP assignments
there. Still, every user has their own key, and you can authenticate by
that.

Better yet, use real, user-based authentication instead of host-based.
That's not only easier to set up, but also more secure and more
decentral (users don't have to work on a fixed terminal to do their
work; they can switch easily).


Regards,
E.S.
 
 
Chris Davies
Guest
Posts: n/a

 
      07-07-2006, 08:42 AM
In comp.os.linux.networking (E-Mail Removed) wrote:
> I'm setting up a webserver using Linux, Apache, and a fixed IP address.


> Clients connecting will be Windows XP Pro [...] assigned by DHCP.


> The Linux security texts I've consulted talk about network security in
> the context of fixed IPs. [...]


> What to do if the addresses are assigned by DHCP?


You need to determine what your Security Policy needs to achieve, and
whether it is affected by the use of DHCP vs static IP addresses.

Until you've done this we cannot help you implement it.
Chris
 
 
 
 