anti MAC/IP spoofing


Moderator: Qbik Staff


Postby dataking » Nov 04 03 11:41 am

Greetings,

is it possible for wingate to lock the assumed users to their MAC address in addition to the IP address, an option for which is already provided under user assumptions?

my setup uses Wingate DHCP to allocate IPs to users using MAC reservations, so every adapter on the network has a unique ID according to its physical location. the IP address is then bound to a username using assumptions. now at times i wish to block access by some users, i simply disable the user and the user is unable to access the wingate services. now there are a few malicious users who change their IP when blocked, to any other unblocked available IP and continue the usage without the wingate server knowing their true identity, i as the admin notice the illegal IP hijacking through their behaviour and traffic usage. i also wish to point out that i do not wish to use Wingate Authentication as this would make the process rather complicated for certain users.

my solution was to install a stateful packet inspection firewall, with an option for MAC address filtering (which was very difficult to find - i know of only 3 products which are capable of this (8Signs firewall, Visnetic Firewall and Sygate Personal Firewall PRO version 5.x), if you have any recommendations i would be more than glad to try them out!), by this i can block the MAC address of the computers i do not wish to have access to the Wingate machine, upon implementation of this strategy, sure enough, the malicious users gave up changing their IPs. as they were denied ALL access to the wingate machine, which was fine with me, and the network ran in relative harmony, but the firewall created complications and excessive CPU usage on the Wingate machine. this created a problem for me!

now my question/request : is there some way in wingate to make sure a certain IP address is only used by a certain MAC address, where the users are assumed by IP address which has been assigned to a specific MAC address by method of IP reservation using Wingate's DHCP server?

i hope i was clear in putting my question/problem across to you.

thank you very much in advance for your time and effort.

best regards,

Shayan

P.S.

i would also appreciate it if a solution for the so called Phantom Adapter Problem can be published too. if at all the problem i have been facing from the past 2 weeks can be called that!...upon disconnection and reconnection of a dialup connection, wingate server is unable to detect the connection/stream any data to/from the internet to/from the clients. the wingate service has to be shut down, connection disconnected, manually reconnected using windows dial up networking, and service restarted for it to work again. upon disconnection the same thing happens. even when the wingate's internal dialer is used. i would appreciate it if you could acknowledge the reference to my problem.

i am using Win2kProSP4 with all latest patches.

Please also note that i have been forced to disable ALL ENS functionality under wingate because some Windows 2000 patch causes the ENS plugin to cause Wingate.exe to chew up all available physical and virtual memory and bring the machine to a crashing almost half of a crawl!! since i am using a strict proxy based setup, this is not much of a bother to me, but i thought i'd let you know anyway. but certain java applets do require me to enable some ports on the NAT system, or if you can tell me how to open port 5000 for Vectracom's SMS sending Java applet or allow me to open ports 6891 to 6900 and also open ports needed for Yahoo Online Games applets to load, i would forever remain grateful to you. this i want WITHOUT using NAT...i believe the proxy based setup to be more loggable and controllable than the NAT solution.
Last edited by dataking on Nov 04 03 11:10 pm, edited 1 time in total.
dataking
 
Posts: 39
Joined: Oct 10 03 8:55 am

Postby ChrisH » Nov 04 03 2:55 pm

Hello,

Your malicious users should show up as Guests in GateKeeper when they change their IP.

If they are Guests, you could block their access to a service by adding an advanced policy under the Guest account for that service. For each rogue user go to the Guest Policy - Advanced tab, select Specify which requests this user has rights for, then select Add Filter, then Select criterion and then select This criterion is NOT met if then select from the first column Client MAC address, second column equal and then enter the MAC address in third column for the rogue user. Now if these users show up as Guests, they will not obtain rights to use the service. Note that the Default rights (System policies) must be set to are ignored under the Policy tab for the service.

Update: This worked when I tried it the first time but when I changed the users' static IP to something else, it didn't work. I checked the properties of the user in the activity window in GateKeeper (by right clicking) and WinGate was showing the wrong MAC address for this machine. So maybe connecting by proxy doesn't let WinGate know what the machines' MAC Address is...Hmmm although there is an address there. I was able to block access using this new address though. Changed the IP again - this time a new MAC address. Changed back to the second IP and the same MAC address as before. Anyway, this should work but something is up - maybe my setup. WG server XP, ver 5.0.7, test client machine WIN98 connect by proxy. Anyone else able to duplicate this?
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

additional info on malicious users

Postby dataking » Nov 04 03 11:09 pm

Greetings Chris!..thanks a lot for your input!...

a bit more background on the malicious users : they're clever, they scan the network, see which systems are active, and use the IPs of known systems, now what this causes is creates an IP conflict on the network if the user is online, but if they're not, then they can use their IP freely, and wingate thinks the IP belongs to the legit user!...they don't come up as guests!...i already have in all my service policies to only allow assumed or authenticated users.

and the reason wingate cannot see the correct MAC address or even block the mac address of these users is that Wingate can only see the correct mac address if and only if the IP address to that mac address has been assigned using Wingate DHCP..give it a try...u'll know what i mean. so if someone else takes the IP of a system which is NOT online, they can use the IP and the account on wingate for as long as the original user stays offline!

so you see my problem here.....wingate can't see the correct mac address unless it has been either authenticated or dhcp assigned. the malicious users are of course changing their addresses manually, essentially making Wingate Blind!!!....

thanks and regards,

shayan
dataking
 
Posts: 39
Joined: Oct 10 03 8:55 am

Postby ChrisH » Nov 05 03 4:39 am

Shayan,

I see what you are up against now more clearly. Those clever users! If your management can't enforce policies about changing or tinkering with computer settings, then I see one thing that you can do.

Rather than try to determine a malicious user's MAC address after he has changed his IP, use what you and WG already know - the MAC address of the legitimate holder of the hijacked IP. You could set up an advanced policy for each user so that the right to use the service is granted only if the MAC address is correct for that user. My logic is this; {I just hope it isn't flawed logic :)} WG DHCP has assigned an IP to user A. You then know what user A's MAC address is and can enter it into the advanced policy. User A has his machine turned off. Malicious user B finds that user A's IP is available and changes his IP to that of user A. He logs in and WG will assume it is user A because of IP address but will not grant access to the service because the MAC address does not match what is in the policy. You could include in the advanced policy that the MAC address .AND. the IP must be correct before access to service is granted.

My logic says this will work - but I may not have had enough coffee yet today! Unless the malicious user is extremely devious and swaps NIC's!
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada
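
The "IP and MAC must both match" check from the post above, sketched outside WinGate as an added example (not part of the thread and not WinGate functionality): it audits the proxy machine's `arp -a` output against the DHCP reservation list. The reservation table, the addresses and the ARP sample are constructed for illustration.

```python
import re

# Constructed sample: DHCP reservations (IP -> MAC). All addresses are made up.
RESERVATIONS = {
    "192.168.0.10": "00-0c-29-aa-10-01",   # user A
    "192.168.0.11": "00-0c-29-aa-11-02",   # user B
    "192.168.0.12": "00-0c-29-aa-12-03",   # user C (blocked account)
}

# Constructed sample of Windows `arp -a` output taken on the proxy machine.
ARP_OUTPUT = """
Interface: 192.168.0.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.10          00-0C-29-AA-12-03     dynamic
  192.168.0.11          00-0c-29-aa-11-02     dynamic
  192.168.0.50          00-0c-29-ff-00-99     dynamic
"""

# One table row: leading whitespace, IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` text, MACs normalised to lowercase."""
    return {ip: mac.lower() for ip, mac in ROW.findall(text)}

def audit(arp, reservations):
    """Classify every live IP/MAC pair that does not match its reservation."""
    owner_ip = {mac.lower(): ip for ip, mac in reservations.items()}
    findings = []
    for ip, mac in sorted(arp.items()):
        expected = reservations.get(ip, "").lower()
        if expected == mac:
            continue                        # IP and MAC both match: nothing to report
        if expected:                        # reserved IP answered by another adapter
            detail = f"reserved for {expected}"
            if mac in owner_ip:
                detail += f"; this adapter is reserved {owner_ip[mac]}"
            findings.append(("MISMATCH", ip, mac, detail))
        elif mac in owner_ip:               # known adapter on an unreserved IP
            findings.append(("MOVED", ip, mac, f"adapter is reserved {owner_ip[mac]}"))
        else:
            findings.append(("UNKNOWN", ip, mac, "no reservation for IP or MAC"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_OUTPUT), RESERVATIONS):
        print(*finding, sep="  ")
```

The ARP cache only lists hosts that have recently exchanged traffic with the machine, so the audit has to run while the suspect address is active, and it does not catch a user who also changes the adapter's MAC address.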

clever, but not that clever!!..haha!..

Postby dataking » Nov 05 03 7:34 am

Greetings Chris!...

first off..the users are clever, but not THAT clever!...they don't know to spoof their MAC address yet, which is considerably more difficult to do as compared to changing one's IP!...as for changing NIC's, only NIC's whose MAC address have been authorized can access the wingate server.

as for your logic, it should work, i had the same idea, initially, but upon experimentation i found out that wingate bypasses the MAC address when assumptions are made by IP, it even SHOWS the MAC address of the legit user, and their IP even when the malicious user is using it!....the only way wingate picks up the correct/current MAC address is when it uses authentication, or when the DHCP server assigns the IP to the NIC/MAC.


thanks again for your suggestions!...i hope someone can help with this issue!..well...technically its not really an ISSUE as such, more like a convenience to be added to wingate, but what the hey!..ha!...

i thank you once again for the time and effort u put into this!...lets hope this information i provided can help you churn out something more!...

enjoy...

Shayan
dataking
 
Posts: 39
Joined: Oct 10 03 8:55 am

Postby ChrisH » Nov 05 03 8:38 am

Shayan,

Darn, I thought that would work. Sorry - I didn't try that out on my test machine first as I would have seen what you described. I guess it means a request then to the developers to enable that functionality. Very interesting problem. Good luck in trying to resolve it.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

over to Qbik!

Postby dataking » Nov 05 03 11:29 am

well, its all up to adrien and the gang now!.....

regards,

Shayan
dataking
 
Posts: 39
Joined: Oct 10 03 8:55 am

Postby ChrisH » Nov 05 03 1:44 pm

I am now wondering what is the purpose then of the MAC criterion in the advanced policies if it can't be applied correctly? Can anyone from Qbik shed a light for those of us in the dark? TIA
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

anti MAC/IP spoofing

Postby mikebos » Aug 02 04 3:10 pm

Adrien and Pascal,

What is the status on MAC addresses under system policies?

It appears that under real conditions they don't work, or the help doesn't describe in sufficient detail how to make it work and avoid conflict.

Please advise.

Regards
Mike Bos
mikebos
 
Posts: 39
Joined: Nov 11 03 2:55 pm

