10. Potential problems

Where logging is purely in terms of IP and MAC addresses, there are dangers in placing absolute trust in the data gathered. Users assigned one particular IP address can trivially switch to another. This can (usually) easily be spotted through use of tools such as arpwatch. Spoofing MAC addresses is only marginally more difficult, but is harder to track. Logging the MAC addresses associated with each switchport, and any changes, is a possible solution for some setups, for instance if each switchport connects to a different student's room. Ports in public areas are more difficult, and if occurrences of MAC-address spoofing become more frequent, then the long-term solution would be to go for a technology such as 802.1x, requiring the user to authenticate in order to gain network access.
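As an illustration of logging MAC addresses per switchport and any changes, the following added example (not part of the original document) compares two polls of a switch's MAC table and reports what changed. The "port mac" line format, the port names and the addresses are assumptions constructed for the example, and it assumes only edge ports are polled, since an uplink port legitimately carries many addresses.

```python
# Added example: diff two polls of a switch's MAC table (edge ports only).
# The "port mac" line format is an assumption, not a real switch's output.

def parse_snapshot(text):
    """Return {mac: set of ports} from lines of 'port mac'."""
    seen = {}
    for line in text.strip().splitlines():
        port, mac = line.split()
        # Normalise so 00-11-.. and 00:11:.. compare equal.
        mac = mac.lower().replace("-", ":")
        seen.setdefault(mac, set()).add(port)
    return seen


def diff_snapshots(old, new):
    """Return sorted (event, mac, detail) tuples for changes worth logging."""
    events = []
    for mac, ports in new.items():
        where = ",".join(sorted(ports))
        if len(ports) > 1:
            # Same MAC live on two access ports at once: possible spoofing.
            events.append(("duplicate", mac, where))
        elif mac not in old:
            events.append(("new", mac, where))
        elif old[mac] != ports:
            events.append(("moved", mac, ",".join(sorted(old[mac])) + "->" + where))
    for mac, ports in old.items():
        if mac not in new:
            events.append(("gone", mac, ",".join(sorted(ports))))
    return sorted(events)


# Constructed sample data: two polls of the same switch.
POLL_1 = """
Gi0/1 00:11:22:33:44:55
Gi0/2 00:11:22:33:44:66
Gi0/3 00:11:22:33:44:77
"""
POLL_2 = """
Gi0/1 00:11:22:33:44:55
Gi0/2 00-11-22-33-44-77
Gi0/3 00:11:22:33:44:88
Gi0/4 00:11:22:33:44:55
"""

if __name__ == "__main__":
    for event in diff_snapshots(parse_snapshot(POLL_1), parse_snapshot(POLL_2)):
        print(*event)
```

Where each port serves a single room, a "moved" or "duplicate" event is the one to follow up first; "new" and "gone" are routine but give the history needed to interpret it.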

For certain attacks, in which the attacking host is not interested in receiving a response, the source address of a packet may not even be an IP address actually used by the host. Egress filters at the boundary of your network and the University backbone prevent packets with source addresses other than those within your subnet allocation(s) from reaching other networks, but this is no defence against a host spoofing another address within your allocation.
