Security Basics mailing list archives
Re: MAC level authentication or filtering
From: Ajay <abra9823 () mail usyd edu au>
Date: Sat, 9 Oct 2004 12:14:11 +1000
The point I was trying to make is that all schemes can be subverted. There have been a number of posts about using MAC-address filtering or combining MAC addresses and IP addresses and so on. But as with any security solution, the scheme will not be foolproof. Just picking a vendor product and installing it is not the solution to your problems. You need to understand who it is that you are trying to protect the network from.

If your concern is the average user (with little knowledge of MAC spoofing), then by all means use MAC-address filtering or a DHCP server that assigns an IP only for a fixed set of MAC addresses. But you must remember it is not really that hard to change your MAC address; it's trivial and there are plenty of programs on the web that do it for you, and you don't even have to restart your computer.

If your concern is a legitimate user of the system, who perhaps has a workstation from which he can legitimately access the network, then it's trivial for him to take the workstation's MAC and IP address (MAC itself would suffice) and use that on his laptop. A login and password in this case would not provide any help, since a legitimate user would probably have an assigned username and password. And MAC filtering or any other tool mentioned before would not help either.

Using another computer's MAC address is something that even a non-hacker user may unintentionally do. At my university a student was having trouble accessing the Internet, so he walked over to his friend's computer, looked at his MAC address and said he would try with that address since he had read somewhere that a MAC address may cause a problem like that. Note that the student had no intention of taking down his friend's computer; he was merely ignorant of the consequences of his action.

Coming back to my original point: schemes can be subverted and you need to examine what it is that you are trying to protect and who you are trying to protect it from.

Most of the solutions presented earlier can be quite easily subverted.
I have users that are currently using thin clients to connect to the main server to do all their processing. If a legitimate user turns bad and decides to bring in a system (laptop) from home and connect it to the network and proceed to use their proper username and password to gather information from terminal services, I want to be able to recognize that they have plugged in an unauthorized system and keep them from gaining access to the network.
Like I said earlier, if a legitimate user used an existing workstation's MAC address, the products mentioned earlier will not help.

cheers
--
Ajay Brar,
CS Honours 2004
Smart Internet Technology Research Group
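An added example, not part of the original message: since a cloned workstation MAC passes an allow-list, the sketch below correlates switch-port and DHCP observations to flag the cases the thread describes. The inventory, event tuples, port names and the `ThinClientOS` vendor-class string are constructed assumptions, not output from any product mentioned in the thread.

```python
# Hypothetical inventory: MAC -> (expected switch port, expected DHCP vendor class).
INVENTORY = {
    "00:11:22:33:44:55": ("Gi0/1", "ThinClientOS"),
    "00:11:22:33:44:66": ("Gi0/2", "ThinClientOS"),
}

# Constructed sample events: (epoch seconds, switch port, MAC, DHCP vendor class).
EVENTS = [
    (1000, "Gi0/1", "00:11:22:33:44:55", "ThinClientOS"),
    (1010, "Gi0/2", "00:11:22:33:44:66", "ThinClientOS"),
    (1020, "Gi0/7", "00:11:22:33:44:55", "MSFT 5.0"),  # allowed MAC reused on a laptop
    (1030, "Gi0/9", "de:ad:be:ef:00:01", "MSFT 5.0"),  # MAC not in inventory
]


def find_anomalies(events, inventory, window=300):
    """Return sorted (mac, reason) pairs, including cases a MAC allow-list would pass."""
    findings = set()
    last_seen = {}  # mac -> (time, port) of the previous observation
    for ts, port, mac, vendor in sorted(events):
        mac = mac.lower()
        if mac not in inventory:
            # The only case plain MAC filtering catches.
            findings.add((mac, "unknown-mac"))
            continue
        exp_port, exp_vendor = inventory[mac]
        if port != exp_port:
            findings.add((mac, "unexpected-port"))
        if vendor != exp_vendor:
            findings.add((mac, "dhcp-fingerprint-changed"))
        prev = last_seen.get(mac)
        # Same MAC live on two different ports inside the window: two hosts share it.
        if prev and prev[1] != port and ts - prev[0] <= window:
            findings.add((mac, "same-mac-two-ports"))
        last_seen[mac] = (ts, port)
    return sorted(findings)


if __name__ == "__main__":
    for mac, reason in find_anomalies(EVENTS, INVENTORY):
        print(mac, reason)
```

The vendor class is supplied by the client, so a match is weak evidence while a mismatch or a two-port sighting is worth investigating.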