Security Basics mailing list archives
RE: MAC level authentication or filtering
From: "Jay Archibald" <jay.archibald () comcast net>
Date: Fri, 8 Oct 2004 10:56:56 -0600
Mr. Nardoni

If you have managed switches in your network that can use dynamic VLANs you have your answer. I will use Cisco products for an example since that is what I use. If you have dynamic VLANs enabled, the switch will search a database (TACACS) of mac-addresses to see what VLAN to assign to the port. You then populate the TACACS database with the "allowed mac-addresses" and their assigned VLAN which has access to your servers. When an unknown mac-address is connected to a switch, the switch will put it into a default VLAN. All you have to do is filter that VLAN. You may want to filter access for this VLAN to the Internet and nothing else.

Additionally you can turn logging on the switch and send the syslogs to a syslog server. This will record everything that is being connected to the network and what VLAN is being assigned.

This is a little configuration work up front, but it allows you to control the known, and protects you from the unknown.

Regards,
Jay Archibald

| -----Original Message-----
| From: David Nardoni [mailto:dnardoni () firstresponseconsulting com]
| Sent: Thursday, October 07, 2004 09:54
| To: security-basics () securityfocus com
| Subject: MAC level authentication or filtering
|
|
| I need a solution that will allow me to prevent a user from coming in to my
| office and plugging in a laptop and gaining access to the network.
|
| I have users that are currently using thin clients to connect to the main
| server to do all their processing. If a legitimate user turns bad and
| decides to bring in a system (laptop) from home and connect it to the
| network and proceed to use their proper username and password to gather
| information from terminal services, I want to be able to recognize that they
| have plugged in an unauthorized system and keep them from gaining access to
| the network.
|
| I welcome all ideas no matter what vendor solution or no matter how simple
| or complex. If you need more info on the situation let me know.
|
| Dave Nardoni CISSP
| First Response Consulting Services, Inc.
| dnardoni () firstresponseconsulting com
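The scheme Jay describes has two halves: a lookup that maps a known MAC address to its VLAN and drops anything unknown into a filtered default VLAN, and switch logging that records which VLAN each connected device was given. The Python below is an added example written for this archive page, not code from Jay Archibald or from any Cisco product. It assumes a constructed allow-list (MAC to VLAN), a constructed quarantine VLAN number of 999, and a simplified, constructed log line format that is not a real IOS syslog message; it models the assignment decision and then runs over sample syslog lines to pick out the ports where an unrecognised device landed in the default VLAN, plus the extra check a defender would want: a known MAC turning up on more than one switch port.

```python
import re
from collections import namedtuple

# Constructed allow-list: known MAC address -> VLAN with access to the servers.
# In the setup described on the list this table lives in the switch's MAC database.
ALLOWED_MACS = {
    "00:11:22:33:44:55": 10,   # thin client, server VLAN
    "00:11:22:33:44:66": 10,   # thin client, server VLAN
    "00:aa:bb:cc:dd:ee": 20,   # printer VLAN
}
# Constructed quarantine VLAN: filtered so it can reach the Internet and nothing else.
DEFAULT_VLAN = 999


def normalize_mac(mac):
    """Canonicalise a MAC so 0011.2233.4455, 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(mac):
    """The dynamic-VLAN decision: known MAC gets its VLAN, anything else gets the default."""
    return ALLOWED_MACS.get(normalize_mac(mac), DEFAULT_VLAN)


# Constructed sample syslog lines (simplified format, not a real IOS message) of the
# kind a switch could forward to a syslog server: port, MAC seen, VLAN assigned.
SAMPLE_SYSLOG = """\
Oct  8 10:01:12 sw1 PORT Fa0/1 mac 0011.2233.4455 assigned vlan 10
Oct  8 10:02:40 sw1 PORT Fa0/7 mac 0011.2233.4466 assigned vlan 10
Oct  8 10:15:03 sw1 PORT Fa0/9 mac 00d0.59aa.bb01 assigned vlan 999
Oct  8 10:16:55 sw2 PORT Fa0/3 mac 00aa.bbcc.ddee assigned vlan 20
Oct  8 10:20:18 sw2 PORT Fa0/4 mac 0011.2233.4455 assigned vlan 10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<switch>\S+) PORT (?P<port>\S+) "
    r"mac (?P<mac>\S+) assigned vlan (?P<vlan>\d+)$"
)

Event = namedtuple("Event", "ts switch port mac vlan")


def parse_syslog(text):
    """Turn the constructed log lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["switch"], m["port"],
                                normalize_mac(m["mac"]), int(m["vlan"])))
    return events


def find_unknown_devices(events):
    """Ports where the switch put an unrecognised MAC into the default VLAN."""
    return [e for e in events if e.vlan == DEFAULT_VLAN or e.mac not in ALLOWED_MACS]


def find_moved_devices(events):
    """A known MAC seen on a second switch/port during the window: worth a look."""
    first_seen = {}
    moved = []
    for e in events:
        location = (e.switch, e.port)
        if e.mac in first_seen and first_seen[e.mac] != location:
            moved.append(e)
        first_seen.setdefault(e.mac, location)
    return moved


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_SYSLOG)
    for e in find_unknown_devices(events):
        print("UNKNOWN  %s %s port %s mac %s -> vlan %d" % (e.ts, e.switch, e.port, e.mac, e.vlan))
    for e in find_moved_devices(events):
        print("MOVED    %s %s port %s mac %s (also seen elsewhere)" % (e.ts, e.switch, e.port, e.mac))
```

Running it prints one UNKNOWN line for the device on sw1 Fa0/9 that landed in VLAN 999, and one MOVED line for the thin client MAC that appears on both sw1 Fa0/1 and sw2 Fa0/4. The second check is the one the log stream buys you beyond the VLAN assignment itself: the allow-list keeps unknown hardware off the server VLAN, while the syslog record lets you notice when a known address shows up somewhere it does not normally live.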
Current thread:
- MAC level authentication or filtering David Nardoni (Oct 07)
- Re: MAC level authentication or filtering Ajay (Oct 08)
- Re: MAC level authentication or filtering Jon Lawhead (Oct 08)
- Re: MAC level authentication or filtering Ajay (Oct 12)
- Re: MAC level authentication or filtering Jon Lawhead (Oct 08)
- RE: MAC level authentication or filtering Kurt (Oct 08)
- RE: MAC level authentication or filtering Jay Archibald (Oct 08)
- Re: MAC level authentication or filtering GuidoZ (Oct 08)
- Re: MAC level authentication or filtering Josh Mills (Oct 08)
- Re: MAC level authentication or filtering Jerry Eblin (Oct 08)
- <Possible follow-ups>
- RE: MAC level authentication or filtering Paris E. Stone (Oct 08)
- Fw: MAC level authentication or filtering GUs (Oct 08)
- RE: MAC level authentication or filtering Roy Sgan-Cohen (Oct 08)
- RE: MAC level authentication or filtering Mike (Oct 08)
- FW: MAC level authentication or filtering David Nardoni (Oct 08)
- RE: MAC level authentication or filtering Roy Sgan-Cohen (Oct 08)
- RE: MAC level authentication or filtering Jay Archibald (Oct 12)
- Re: MAC level authentication or filtering Ajay (Oct 08)