Re: arp and mac addresses
by tirwhan (Abbot) on Dec 19, 2005 at 16:50 UTC
|
This is an extremely weak method of authentication; MAC addresses can be spoofed easily. You can usually notice the spoof if you've got your network monitoring set up correctly, but that depends on network topology as well. Also, if the data is confidential you shouldn't be sending it across an untrusted network unencrypted. I would suggest using ssh for this (since the recipient machine is a Linux box which has an ssh daemon already installed); that gives you host authentication for free with the encrypted channel.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
| [reply] |
Re: arp and mac addresses
by Hue-Bond (Priest) on Dec 19, 2005 at 16:48 UTC
|
If the data is confidential, you not only need to authenticate the peers, but to encrypt the data too. The first thing that comes to my mind is Net::SSH. Oh, and beware that although you could use ARP addresses, they can be spoofed too. If you stick with Samba, you'll have to live with the fact that the confidential data go unencrypted through the wire.
| [reply] [d/l] |
Re: arp and mac addresses
by traveler (Parson) on Dec 19, 2005 at 17:18 UTC
|
Both Win32 and Linux have IPSec. This allows for encryption and host authentication. MACs are, as pointed out above, useless for authentication.
| [reply] |
Re: arp and mac addresses
by Perl Mouse (Chaplain) on Dec 19, 2005 at 16:52 UTC
|
What's the point? If your network can't be trusted, that is, there might be someone masquerading, there's no point sending over the file unencrypted. If someone can masquerade, that someone can just snoop the network. Which means that your confidential data can be read anyway.
Samba allows for a username and password to do some authentication at mount time, but I do not know how that password is being exchanged.
I wouldn't do any exchange of data using Samba or NFS if my network can't be trusted - in such a case, I'd use ssh or something similar.
| [reply] |
Re: arp and mac addresses (domain or workgroup environment?)
by ybiC (Prior) on Dec 19, 2005 at 17:36 UTC
|
Does your Windows networking environment employ domain authentication, or workgroup authentication?
If the former, and both your Win32 PC and Linux Samba box are domain members, then I suspect that your concerns may be unfounded. In the NT domain scheme, hosts are authenticated as well as users, so the potential bad person would have to spoof the IP address *and* have hacked the automatically and regularly changed machine account password. So you would be reasonably secure in simply doing an SMB/CIFS copy of your already-encrypted file(s) to the Linux box.
But if you're in a Microsoft workgroup environment, then I'd probably concur with fellow monks suggesting SSH as likely being safer than SMB/CIFS.
Fwiw, MAC spoofing is called LAA - "locally administered address".
cheers,
ybiC
settled for somewhat less than Perl Adept
(it's pronounced "why-bick")
| [reply] |
Re: arp and mac addresses
by fluffyvoidwarrior (Monk) on Dec 19, 2005 at 16:57 UTC
|
Yes, my data is encrypted. What I'm looking for though is a way to shut my program down if I can't find my Linux box and be reasonably sure that it actually IS the Linux box ...
| [reply] |
|
And the only way to do that is to have a unique identifier on the remote (Linux) box which you can check in a secure way, i.e. in a way that can't be snooped or spoofed. So you need to encrypt that identifier exchange as well, which is a lot of work, only ssh already does it for you.
Inventing your own secure transmission channels is always a bad idea unless you really know what you're doing.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
| [reply] |
|
Yes, I had in mind inventing my own secure transmission thingy but it started to get a bit sticky - using a unique identifier on the Linux box as you suggest. Like you say, a bit of a pain. It seems the consensus is that ssh is the way to go then and ARP and MAC addresses aren't - even if my data is encrypted I don't want it poked at by just anyone. Thanks everyone. 2 mins of monkly advice is worth 2 weeks of my arsing about.
| [reply] |
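As an added example (not code posted by anyone in this thread): one way a Perl program can do the check discussed above, by letting ssh verify the Linux box against a pinned host key and shutting down if that fails. The account, host name, file paths and the use of key-based login (needed for `BatchMode`) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values for this example (not from the thread).
my $target      = 'transfer@linuxbox.example';      # account@host
my $known_hosts = '/etc/myapp/pinned_known_hosts';  # holds only the Linux box's host key
my $file        = 'payload.enc';                    # the already-encrypted file
my $dest_dir    = '/srv/incoming/';

# Options shared by ssh and scp. StrictHostKeyChecking=yes makes the client
# refuse any server whose key is absent from, or differs from, the pinned
# file, so a machine that merely answers on the right IP or MAC is rejected.
sub pinned_opts {
    my ($known) = @_;
    return map { ('-o', $_) } (
        'BatchMode=yes',                   # never prompt; fail instead
        'StrictHostKeyChecking=yes',
        "UserKnownHostsFile=$known",
        'GlobalKnownHostsFile=/dev/null',  # ignore system-wide known hosts
        'ConnectTimeout=10',
    );
}

# Run a command in list form (no shell); true only on exit status 0.
sub run_ok {
    my @cmd = @_;
    my $rc  = system(@cmd);
    return 0 if $rc == -1 || ($rc & 127);  # could not start, or killed by a signal
    return ($rc >> 8) == 0;                # ssh exits 255 on host key or connection failure
}

die "pinned host key file $known_hosts is missing or empty\n"
    unless -s $known_hosts;

# Step 1: prove the peer holds the private half of the pinned host key.
unless (run_ok('ssh', pinned_opts($known_hosts), $target, 'true')) {
    warn "Could not verify the Linux box; shutting down.\n";
    exit 1;
}

# Step 2: transfer over the same authenticated, encrypted channel type.
run_ok('scp', pinned_opts($known_hosts), $file, "${target}:$dest_dir")
    or die "transfer failed\n";
```

The pinned file has to be populated once over a path you trust, for example by copying the Linux box's public host key from its console.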
Re: arp and mac addresses
by Ultra (Hermit) on Dec 20, 2005 at 13:29 UTC
|
| [reply] |