RE: MAC Authentication device

["Mike" <mike () superiorholidayadventures ca>]

Yes, of course Joann, you're right about that.. I can't believe I didn't
catch that!

I don't know if you can outright do this with any one device.  You
could, however, put a few simple ideas together that would make it very
hard (read, not worthwhile but still slightly possible) to circumvent:

1.  You could, again, lock down your DHCP server to only give out IP
addresses to MAC's that you specify.  As well, give them a "static" or
fixed IP bound to that MAC.  

2.  If you have a switch that is managed you could bind the known MAC of
the client to the port that they're wired to.  You may also be able to
configure the switch to ignore any MAC's that aren't in your access
list.  That would depend on your switch.

3.  Lastly, if you have a Linux (2.4 IPTables based) firewall you can
create an access list that only allows certain IP *and* MAC address
combinations access to the Internet.  You could also put this firewall
in front of your network and it would have the same effect.  Other
firewalls may allow you to do this, but I'm not familiar with them.

In and of themselves, these techniques may not do what you want, but
combined together I think it could achieve your goals.  They're all
relatively inexpensive as well.

Mike Fetherston

> -----Original Message-----
> From: Joann Jane [mailto:aladin168 () hotmail com]
> Sent: Wednesday, November 19, 2003 8:26 PM
> To: Mike
> Subject: RE: MAC Authentication device
>
> The consultants will be on-site, and my client want to be able to
control
> them by giving them a PCMCIA Network Card.
>
> We don't even allow wireless cards, these will be wired network cards.
>
> Any idea on how to ONLY allow authorized people to get on the network?
> Problem is that we can't control who can get on because whoever plug
into
> the jack can assign themselves an IP, which is mainly our concern.
>
> Thanks so much.
>
> MAC Spoofing, I know it can be done with SMAC,
> http://www.klcconsulting.net/smac right?
>
>
>
> > From: "Mike" <mike () superiorholidayadventures ca>
> > To: "aladin168" <aladin168 () hotmail com>,<security-
> basics () securityfocus com>
> > Subject: RE: MAC Authentication device
> > Date: Wed, 19 Nov 2003 15:03:39 -0500
> >
> > If you're trying to stop rogue devices from accessing your network
you
> > could configure your DHCP server to only hand out IP addresses to
MACs
> > that are in your access list.
> >
> > What kind of DHCP server are you using?
> >
> > Beware that MAC's can be spoofed.
> >
> > Mike Fetherston
> >
> > > -----Original Message-----
> > > From: aladin168 [mailto:aladin168 () hotmail com]
> > > Sent: Tuesday, November 18, 2003 4:54 PM
> > > To: security-basics () securityfocus com
> > > Subject: MAC Authentication device
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > Can anyone recommend a device that will do MAC Address
Authentication
> > > before allowing a user/computer to connect to the network.  This
is
> > > different then MAC Address filtering, which allow or disallow
access
> > to
> > > the Internet for the the systems that are already on the network.
> > >
> > >
> > >
> > > I am trying to find a cheap device that will help me control
> > non-employees
> > > accessing our trusted network.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > /Kyle
>
> -----------------------------------------------------------------------
-
> > --
> > > -
>
> -----------------------------------------------------------------------
-
> > --
> > > --
>
> _________________________________________________________________
> Groove on the latest from the hot new rock groups!  Get downloads,
videos,
> and more here.
http://special.msn.com/entertainment/wiredformusic.armx


---------------------------------------------------------------------------
----------------------------------------------------------------------------