On Fri, Nov 28, 2014 at 03:27:38PM +0100, Martin Hanson wrote:
> > theoretically this is possible, but only if the original machine holding
> > the ip was down. just as a nameserver converts to an ip, the ip is converted
> > to a MAC-address, which is associated with the NIC. if you want you can
> > permanently associate an ip with a mac, that way another machine cannot use
> > that ip address, even if the rightful holder is down. see arp(8).
>
> But wouldn't that be very easy to break?
>
> First I would scan the network for MACs and matching IPs, then I would
> spoof one at a time until I am out.
>
> How does one secure against MAC/IP spoofing? Is there a way to prevent this?
>

You secure against it by segmenting your untrusted machines/users from your
trusted platforms. Three ways:

* Separate Ethernet segments.
* Separate VLANs. They work just like separate segments.
* Use IPSec for your trusted platforms.

If you don't trust "Joe" not to spoof his IP address or his MAC, keep him
and his platform on an untrusted tier. If he authenticates, then you can
permit him the authority that particular authentication permits. Regardless
of what IP address or MAC address he's using.
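
As an added example that is not part of the original message: a small detector for the address-takeover pattern asked about in the quoted text, run over a sequence of ARP observations. The pinned table, the observation tuples (documentation-range addresses) and the function name `find_arp_anomalies` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: pinned IP -> MAC pairs (the static association
# mentioned in the quoted text) and ARP observations as (time, ip, mac).
PINNED = {
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.11": "00:00:5e:00:53:0b",
}
OBSERVATIONS = [
    (1, "192.0.2.10", "00:00:5E:00:53:0A"),  # matches its pin (case differs)
    (2, "192.0.2.20", "00:00:5e:00:53:14"),  # first sighting, unpinned
    (3, "192.0.2.11", "00:00:5e:00:53:14"),  # pinned IP answered by wrong MAC
    (4, "192.0.2.20", "00:00:5e:00:53:15"),  # unpinned IP moves to a new MAC
    (5, "192.0.2.21", "00:00:5e:00:53:15"),  # same MAC claims a second IP
]


def find_arp_anomalies(observations, pinned):
    """Return (time, kind, ip, mac) findings in observation order."""
    findings = []
    last_mac = {}                   # ip -> most recent MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed so far
    for when, ip, mac in observations:
        mac = mac.lower()           # normalise before comparing
        expected = pinned.get(ip)
        if expected is not None and mac != expected.lower():
            findings.append((when, "pinned-mismatch", ip, mac))
        elif expected is None and ip in last_mac and last_mac[ip] != mac:
            findings.append((when, "mac-changed", ip, mac))
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            findings.append((when, "mac-claims-multiple-ips", ip, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(OBSERVATIONS, PINNED):
        print(finding)
```

A check like this only flags address changes; it does not authenticate the host, which is why the reply relies on segmentation and IPsec rather than on IP or MAC identity.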

