Public Ethernet Connections
Chuck Bearden
cbearden at hpl.lib.tx.us
Fri May 29 09:44:58 EDT 1998
I second Brian's suggestion to use DHCP. It can dynamically allocate
IP addresses to new machines on the network, and I think it can supply
all the other necessary parameters for IP networking. I believe that
this is relatively easy to configure in Win95's networking screens.
However, anyone planning to let walk-in users plug their machines onto
the library's ethernet ought to take a very serious look at the
security implications of this.
-Ethernet is in a sense a broadcast medium, meaning that packets from
one machine to another are available to all machines on either the
sending or receiving segments. All one has to do is plug in a laptop
with a packet sniffer on it, and you can have the usernames and
passwords anyone sends out on the same segment. I would strongly
suggest making each wire that could be used with a non-library
workstation plug directly into its own port on a switch, rather than
on a hub, in order to prevent the library from becoming a place to
harvest passwords.
-Even a switch (unless perhaps one of the newer router-like switches)
won't prevent a malicious user from using Winnuke or other denial of
service attacks against other users.
-A walk-in user may also be able to use a network connection to
exploit your IP- or IPX-based fileservers or even your Internet
hosts. To prevent this kind of thing, you might go so far as
to put an internal firewall or screening router between public
wires and your own servers. Make the packet filtering rules on
these as stringent as those on your router or firewall to the
Internet.
-Unless you take measures, walk-in ethernet users could use your
network as a staging ground for SPAM. To prevent this, you should
block all traffic from your walk-in public network to port 25 (SMTP)
of remote hosts and of your own mail hosts. You should also disable
relaying for that network on your own mail hosts, just to be on the
safe side.
On Thu, 28 May 1998, Brian Stone wrote:
> None of this is a problem if you use dhcp.
>
> Brian
>
> Bob Cherry wrote:
>
> > This can create a real can of worms from a support perspective. The reason
> > is that an Internet/Ethernet connection requires the PC to be configured
> > with an assigned (fixed) IP address. Ethernet connections must also be
> > made to override dialup type connections. It can be done and knowledgeable
> > folks can do it quickly however, the layperson isn't prepared to handle
> > netmasks, default routers, static IP addresses, etc. People will have to
> > reconfigure their networking to do this and you'll need to ensure that each
> > ethernet address being used is unique. You may want to look into the
> > logistics of managing this before you commit to it.
> >
> > Bob Cherry
> > Internet Network Consultant
Chuck Bearden
Network Services Librarian
Houston Public Library
Houston, TX 77002
713/247-2264 (voice)
713/247-1182 (fax)
cbearden at hpl.lib.tx.us
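The screening-router and mail-host policy Chuck describes above (walk-in segment kept off the internal servers, no SMTP out of the public wires, no relaying for that segment), written out as an added example that is not part of the original message. The address ranges, the server subnet, the staff segments and the local mail domain are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed (hypothetical) address plan for the library network.
PUBLIC_NET = ipaddress.ip_network("10.50.0.0/24")   # walk-in DHCP segment
SERVER_NET = ipaddress.ip_network("10.1.0.0/24")    # fileservers and mail hosts
TRUSTED_NETS = [SERVER_NET, ipaddress.ip_network("10.2.0.0/24")]  # staff segments
LOCAL_DOMAINS = {"hpl.lib.tx.us"}                   # assumed local mail domain
SMTP = 25

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def decide(pkt: Packet) -> str:
    """Return 'allow' or 'deny' for one packet crossing the screening router.
    Rules are evaluated first-match, as a router access list would be."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in PUBLIC_NET:
        # Rule 1: no SMTP from walk-in machines to any host, remote or local,
        # so the public wires cannot be used as a staging ground for spam.
        if pkt.proto == "tcp" and pkt.dport == SMTP:
            return "deny"
        # Rule 2: walk-in machines never reach the library's own servers.
        if dst in SERVER_NET:
            return "deny"
        # Rule 3: other traffic from the public segment may leave to the Internet.
        return "allow"
    # Staff and server segments are not constrained by this filter.
    return "allow"

def may_relay(client_ip: str, rcpt: str) -> bool:
    """Mail-host relay policy, kept even though Rule 2 already blocks the
    public segment: accept mail addressed to a local domain from any client,
    but relay to outside domains only for trusted (non-public) segments."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in TRUSTED_NETS)
```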