Have a question about Binding IP to MAC
  •  
Nakkoush

Hi,
Is it possible with WFS to bind an IP to a MAC address by making the bound MAC address PC, which represents one user who constantly keeps on changing his IP address, impossible to work with any IP address other than the one assigned to it by WFS?
I don't think "Lease" can do the above..

Regards,
NK
  •  
winkelman

You can bind a specific DHCP IP address to a MAC address, yes. (See the manual). But as long as the user has administrative privileges on the PC, (s)he can always change IP addresses.

So:
1. make sure the user is a 'restricted' user on the computer, so he is not allowed to change network settings
2. assign a specific IP address to that computer
3. block/allow whatever you want for that IP address
  •  
Nakkoush

winkelman wrote on Mon, 03 November 2008 18:31


1. make sure the user is a 'restricted' user on the computer, so he is not allowed to change network settings


In my case this is happening with private PCs where it is not possible to restrict anybody.

I simply need to strictly bind a computer to an IP address; it is an option which I had used successfully for a long time with my previous router before deciding to dump it and go for KWF.
  •  
winkelman

See the manual: http://www.kerio.eu/manual/kwf/en/sect-dhcp.html

Note: if the user is Admin on the computer, he/she can still very easily assume another IP address by turning off DHCP on the computer and manually configuring the IP address. No way around that if you don't have control over the computer.
  •  
Nakkoush

winkelman wrote on Tue, 04 November 2008 16:40

No way around that if you don't have control over the computer.


Does it mean that my Kerio Winroute firewall product can only control its hosts based on their IP addresses?! If I understood you properly, it means that all KWF Traffic policy, bandwidth limiter, internet time policy, etc. are simply overruled when any of my users changes his/her assigned IP address?

Shouldn't there be at least a workaround, maybe through the authentication, which can put a limit on my tricky users? Unless KWF is meant to be installed in a convent where the users are only nuns and priests.

FYI, KWF is mapped to an active directory in Windows server 2008 AD where all my users and groups reside.

I have both KWF manuals printed in front of me: "the administrator's guide" as well as "step by step configuration"

Regards

[Updated on: Tue, 04 November 2008 17:31]

  •  
winkelman

Well... it's a little more complicated than that.

You could restrict the entire network to certain limitations. But if you want to distinguish between one PC and another, you're going to have to use something like the host name or IP address. If you're not in control over those PCs, then yes: users can change the host name or IP address and they could somehow bypass your settings. Mind you: this all depends on how you want to set up your rules.

Even if you could filter based on MAC address, it's fairly easy to change your MAC address, so even that wouldn't stop your users from bypassing set rules.

This has nothing to do with limitations in KWF, it's just the way computers/networks work.

If you want to do 'complicated' things, you'd better be a very good expert at networks/KWF...
  •  
Nakkoush

winkelman wrote on Tue, 11 November 2008 15:33


If you want to do 'complicated' things, you'd better be a very good expert at networks/KWF...


Winkelman,
Thank you for your help.
I cannot say if I am a good or bad network expert; but I think I am ok.. if you can simply give me some hints about how to complicate such scenario to make it tight for people trying to alter settings on their PCs..

Any help is always highly appreciated.
  •  
winkelman

If you cannot fully control the clients' computers, you cannot reliably distinguish one from the other, so you cannot have different policies for different computers and be sure they are applied as they should.

What you can do is:


  • Bind specific IP-addresses to specific MAC-addresses in the DHCP server, apply rules based on the now 'fixed' IP-address and hope and pray your users don't know how to manually change/set their computer's IP address.
  • Make one set of rules that apply to every computer on a specific IP-subnet with no exceptions. There's now no way for clients to avoid these rules, but you cannot have different rules for different computers within the same IP segment. (Clients changing their IP address will still have the same rules applied and clients changing their subnet can't connect to the Internet at all anymore.)
  • Only allow any passage through the firewall after clients have authenticated with username/password. This way you can give users as opposed to PCs access or not to websites, protocols, etc. Problem here is how to prevent users from telling each other their passwords so they still have different access than strictly speaking allowed.
  • Make a combination of the above (which makes things very complicated very quickly).

[Updated on: Tue, 11 November 2008 19:08]
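
The first option above depends on users leaving their addresses alone; the check below, an added example that is not part of the original thread or of Kerio's software, compares DHCP reservations with the IP/MAC pairs the gateway actually sees and flags every mismatch. The subnet, addresses, function names and ARP observations are constructed assumptions.

```python
import ipaddress

# Added example: all names and sample data below are constructed.
# RESERVATIONS = DHCP bindings; OBSERVED = (IP, MAC) pairs from the gateway's ARP table.
SUBNET = ipaddress.ip_network("192.168.10.0/24")
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.10.21",
    "00:11:22:33:44:02": "192.168.10.22",
}
OBSERVED = [
    ("192.168.10.21", "00-11-22-33-44-01"),  # matches its reservation
    ("192.168.10.50", "00:11:22:33:44:02"),  # reserved MAC on a self-assigned IP
    ("192.168.10.22", "00:11:22:33:44:99"),  # reserved IP taken by another MAC
    ("192.168.10.77", "00:11:22:33:44:aa"),  # MAC with no reservation at all
    ("10.0.0.5", "00:11:22:33:44:01"),       # address outside the managed subnet
]


def norm_mac(mac):
    """Normalise a MAC to lower-case colon-separated form."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(observed, reservations, subnet):
    """Return (ip, mac, finding) for every pair that breaks the binding."""
    by_mac = {norm_mac(m): ipaddress.ip_address(ip) for m, ip in reservations.items()}
    by_ip = {ip: mac for mac, ip in by_mac.items()}
    findings = []
    for ip_text, mac_text in observed:
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if ip not in subnet:
            finding = "outside-subnet"
        elif mac in by_mac and by_mac[mac] != ip:
            finding = f"mac-moved (reserved {by_mac[mac]})"
        elif ip in by_ip and by_ip[ip] != mac:
            finding = f"ip-taken (reserved for {by_ip[ip]})"
        elif mac not in by_mac:
            finding = "unreserved-mac"
        else:
            continue  # pair matches its reservation
        findings.append((str(ip), mac, finding))
    return findings


if __name__ == "__main__":
    print(*audit(OBSERVED, RESERVATIONS, SUBNET), sep="\n")
```

A host that changes its MAC to a reserved one as well as its IP still passes this check, which is the limitation winkelman points out earlier in the thread.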

  •  
Nakkoush

Good Idea, now I understand what you mean by mastering KWF.

Much appreciated!