how to detect that users are stealing internet connection?

[zOOz]

i have router connected to my lan. some users from lan are allowed to to go outside, some not. users who are allowed to go outside create proxy o something like NAT and let others from lan (not allowed to go outside) users ti use internet connection.
so i wonder to know, how can i detect it? how to stop it, without disconnecting them physically?

thanks for help

[Ateo]

Are we talking wireless or wired?

[robdd]

How are your users getting their IP addresses ? You could use the sub-net the user is on to decide whether to allow them internet access or not - e.g. users with IPs of 192.168.1.x are allowed internet access while users with IPs of 192.168.0.x are barred. You should be able to configure this using the routing tables (is the router a Gentoo box ?).

If you are using DHCP there are ways of detecting which user is connecting (e.g. I think you can use the MAC address of the network card) and you could allocate an IP address in the "permitted" or "barred" range accordingly.

Another way would be to make users who want internet access log in to, say, a web page and provide a password. The web server could then run a script to allow internet access to that IP. This would avoid the problem of collecting MAC address, but is a lot more work to setup.

HTH
_________________
Rob Diamond
Gentoo Hack, hack, hacker
Sydney, Australia

[zOOz]

i'm using MAC identification and other things to identify my users.

e.g. user 192.168.1.29 get internet from me oficially, but user 192.168.1.3 dont get internet from me and he is my LAN user w/o internet. so, user 192.168.1.29 creates proxy or something like NAT and gives internet connection to user 192.168.1.3.
how to detect that kind of stealing? how to stop that?

[zOOz]

[vonhelmet]

[zOOz]

[think4urs11]

If you have Cisco switches you could look into implementing Private VLANs.
By that every traffic (even within the same subnet) goes through an designated device (normally the gateway) where the traffic could be filtered accordingly to your needs.

HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

[robdd]

If your users are clever enough to set up NAT for one another then I can't see how you can stop them except by having physically separate LAN segments. Even then you couldn't allow the two LANs to talk to each other. You would also have to restrict physical access to the "Internet" LAN, otherwise a "non-Internet" user could connect in with an unused IP address, and his friend could NAT for him just like before.

Your users are just too smart
_________________
Rob Diamond
Gentoo Hack, hack, hacker
Sydney, Australia

[think4urs11]

@robdd:
I agree with you, his users are more 'sophisticated' than the average ones.

OTOH by
- disallowing traffic from unkown/unused ip addresses
- filter on known MAC addresses
- disallow any P2P traffic between the workstations
- filtering out any kind of VPN traffic
- implementing L7 traffic control
- setup a DMZ with authenticating proxy
- ...

he could raise the barrier above the 'cleverness' of his users

The better way would be of course to think (thirst!) about a real security concept and not longer fight symptoms.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

[Twink]

wouldn't the TTL be one lower on a box that NAT/proxys through another?
you could also occasionally scan known machines for open proxies....

[djnauk]

If you use DHCP to issue IP addresses, there is an option to tell clients to disable IP forwarding (i.e. creating NAT). Would stop NAT, but not proxies.