Firewall Wizards mailing list archives

Re: MAC blocking


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 28 Nov 2005 22:25:55 +0100 (CET)

Hello!

Eric wrote:

I would like to whitelist known MAC addresses on a subnet and block/deny
any new MACs.
If a new MAC is seen by the firewall, it should not allow that MAC to pass
traffic out of that segment/VLAN.
A similar concept to MAC address locking on Wi-Fi APs.

It would be great to have this as a feature on a protected segment of a
firewall.

I would investigate switches with advanced management capabilities.

E.g. certain Cisco products can talk to a "VLAN Membership Policy Server"
to put hosts into VLANs depending on their MAC address.

I don't know details, but even if they don't have a "don't forward
any packets for unknown MAC addresses" policy, they must have a
default VLAN for these unknown ones. Don't connect the default
VLAN to anything - voilà.

Keep in mind that employing VLANs as a means of separating zones
of different trust in a firewall implementation is still a subject
of some discussion - it is not entirely certain whether it is safe to assume
that "VLAN hopping" is definitely impossible.

HTH,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
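The two ideas in this exchange, an allowlist of known MACs with everything else denied, and a MAC-to-VLAN policy where unknown MACs land in a default VLAN that is connected to nothing, can be illustrated with a small audit script. The following is an added example and not code from either poster or from any switch vendor; the allowlist, the quarantine VLAN number and the "show mac address-table"-style dump are all constructed values. It normalizes the three common MAC notations, assigns a VLAN from the policy (unknown MACs fall into the quarantine VLAN), and reports both MACs that are not on the allowlist and allowed MACs that turned up in the wrong VLAN. It is a monitoring aid run against a table dump; enforcement still has to happen on the switch, as the reply says.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy: allowed MACs and the VLAN each one belongs in.
# (Hypothetical values; a real policy would come from inventory data.)
ALLOWED_VLAN_BY_MAC: Dict[str, int] = {
    "00:11:22:33:44:55": 10,
    "00:11:22:33:44:66": 10,
    "aa:bb:cc:dd:ee:01": 20,
}

# VLAN that unknown MACs are assigned to. Following the thread's advice,
# this VLAN should be connected to nothing. Constructed value.
QUARANTINE_VLAN = 999

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the canonical lowercase colon form; None if it is not a MAC."""
    hexdigits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _MAC_HEX.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(mac: str, policy: Dict[str, int] = ALLOWED_VLAN_BY_MAC,
                quarantine: int = QUARANTINE_VLAN) -> int:
    """MAC-based VLAN assignment: known MACs get their policy VLAN,
    anything else goes to the quarantine VLAN."""
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return policy.get(norm, quarantine)


# Constructed lines in the shape of a Cisco "show mac address-table" dump.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/3
  20    aabb.ccdd.ee01    DYNAMIC     Gi1/0/10
  20    aabb.ccdd.ee02    DYNAMIC     Gi1/0/11
  30    0011.2233.4455    DYNAMIC     Gi1/0/20
"""

# vlan, mac, type, port; header and separator lines do not match.
_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:\-]+)\s+\S+\s+(\S+)\s*$")


def _parse_rows(table_text: str) -> List[Tuple[int, str, str]]:
    rows = []
    for line in table_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if mac is None:
            continue
        rows.append((int(m.group(1)), mac, m.group(3)))
    return rows


def find_unknown_macs(table_text: str,
                      policy: Dict[str, int] = ALLOWED_VLAN_BY_MAC
                      ) -> List[Tuple[int, str, str]]:
    """(vlan, mac, port) for every learned MAC that is not on the allowlist."""
    return [(v, m, p) for v, m, p in _parse_rows(table_text) if m not in policy]


def find_wrong_vlan(table_text: str,
                    policy: Dict[str, int] = ALLOWED_VLAN_BY_MAC
                    ) -> List[Tuple[int, str, str]]:
    """(seen_vlan, mac, port) for allowed MACs learned in a VLAN other than
    the one the policy assigns them."""
    return [(v, m, p) for v, m, p in _parse_rows(table_text)
            if m in policy and policy[m] != v]


if __name__ == "__main__":
    for vlan, mac, port in find_unknown_macs(SAMPLE_MAC_TABLE):
        print(f"unknown MAC {mac} on VLAN {vlan} port {port} "
              f"-> would be placed in VLAN {assign_vlan(mac)}")
    for vlan, mac, port in find_wrong_vlan(SAMPLE_MAC_TABLE):
        print(f"allowed MAC {mac} seen in VLAN {vlan} (policy says "
              f"{ALLOWED_VLAN_BY_MAC[mac]}) on port {port}")
```

Run against a real table dump, the output of `find_unknown_macs` is the list of MACs the original question wants denied, and `find_wrong_vlan` is the check the VLAN-based approach needs on top of that: a known MAC showing up in a VLAN the policy did not assign it is exactly the kind of event the "VLAN hopping" caveat is about.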