Firewall Wizards mailing list archives
Re: MAC blocking
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 28 Nov 2005 22:25:55 +0100 (CET)
Hello! Eric wrote:
I would like to whitelist known MAC addresses on a subnet and block\deny any new MACs. If a new MAC is seen, the firewall should not allow that MAC to pass traffic out of that segment\VLAN. A similar concept to MAC address locking on WiFi APs. It would be great to have this as a feature on a protected segment of a firewall.
I would investigate switches with advanced management capabilities. E.g. certain Cisco products can talk to a "VLAN Membership Policy Server" to put hosts into VLANs depending on their MAC address. I don't know details, but even if they don't have a "don't forward any packets for unknown MAC addresses" policy, they must have a default VLAN for these unknown ones. Don't connect the default VLAN to anything - voilà.

Keep in mind that employing VLANs as a means of separating zones of different trust in a firewall implementation is still a subject of some discussion - it's not quite sure whether it is safe to assume that "VLAN hopping" is definitely impossible.

HTH,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit

--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0
Fax: -100
http://punkt.de
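As an added illustration (not code from the thread or from any Cisco/VMPS product), the policy Patrick describes can be modelled as a MAC-to-VLAN lookup where every unknown MAC lands in a quarantine VLAN that is connected to nothing. The VLAN ids, the allowlist and the sample frames below are constructed; the normalisation step matters because allowlists compared as raw strings are silently bypassed by a different case or separator style.

```python
import re

QUARANTINE_VLAN = 999  # assumed id of the "default VLAN connected to nothing"


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' to lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


class MacPolicy:
    """Per-segment MAC allowlist: known MACs get their VLAN, everything else is quarantined."""

    def __init__(self, assignments: dict):
        # Keys are normalised once so a lookup cannot miss on case or separator differences.
        self.assignments = {normalize_mac(m): v for m, v in assignments.items()}
        self.seen_unknown = set()  # unknown MACs observed, for alerting and later review

    def vlan_for(self, mac: str) -> int:
        mac = normalize_mac(mac)
        if mac in self.assignments:
            return self.assignments[mac]
        self.seen_unknown.add(mac)
        return QUARANTINE_VLAN

    def apply(self, frames):
        """Yield (src_mac, assigned_vlan, forwarded) for (src_mac, ingress_port) tuples."""
        for src, _port in frames:
            vlan = self.vlan_for(src)
            yield normalize_mac(src), vlan, vlan != QUARANTINE_VLAN


# Constructed sample: two known hosts written in different notations, one unknown host.
SAMPLE_ASSIGNMENTS = {"00:11:22:33:44:55": 10, "AA-BB-CC-DD-EE-FF": 20}
SAMPLE_FRAMES = [("0011.2233.4455", "Gi0/1"), ("aa:bb:cc:dd:ee:ff", "Gi0/2"),
                 ("de:ad:be:ef:00:01", "Gi0/3")]

if __name__ == "__main__":
    policy = MacPolicy(SAMPLE_ASSIGNMENTS)
    for src, vlan, forwarded in policy.apply(SAMPLE_FRAMES):
        print(f"{src} -> VLAN {vlan} {'forwarded' if forwarded else 'QUARANTINED'}")
    print("unknown MACs seen:", sorted(policy.seen_unknown))
```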
Current thread:
- MAC blocking Eric Appelboom (Nov 28)
- Re: MAC blocking Patrick M. Hausen (Nov 28)
- Re: MAC blocking Chuck Swiger (Nov 28)
- Re: MAC blocking Patrick M. Hausen (Nov 28)
- Re: MAC blocking Chuck Swiger (Nov 28)
- Re: MAC blocking Paul D. Robertson (Nov 28)
- Re: MAC blocking Chris Byrd (Nov 28)
- Re: MAC blocking Patrick M. Hausen (Nov 28)