RE: prohibiting visitors from connecting to network

["Brian Loe" <knobdy () stjoelive com>]

Doh! I thought I said that! Oh well, I do like the options you put forward
though.

At any rate, MAC address filtering combined with a login scheme of some kind
- RADIUS is free enough, depending on your situation - should prove to be a
good start. No SINGLE security option is going to work for a determined
attacker, or someone who gets physical access to a trusted resource. It's
always best to start SOMEWHERE and build upon it.

> -----Original Message-----
> From: Terence Summers [mailto:tsummers () infosecuritylab com] 
> Sent: Tuesday, October 25, 2005 6:07 AM
> To: security-basics () securityfocus com
> Subject: Re: prohibiting visitors from connecting to network
>
> In terms of network security MAC filtering makes almost no 
> sense. Even basic routers and network cards can modify their 
> MAC addresses. There are effective hacker tools to attack 
> networks with only this kind of protection.
>
> Terence
> infosecuritylabs.com
>
> > Why not limit DHCP to known MAC addresses. The 
> administrative costs of 
> > this might be pretty high at first, but you could 
> eventually work out 
> > an automated system for adding/removing machines. That's the only 
> > "free"
> > option
> > that I can think of.
> >
> > Even then, though, I believe you can spoof MAC addresses so...
> >
> > > -----Original Message-----
> > > From: Alexander Suhovey [mailto:asuhovey () mtu-net ru]
> > > Sent: Thursday, October 20, 2005 2:01 PM
> > > To: 'Cesar Diaz'; security-basics () securityfocus com
> > > Subject: RE: prohibiting visitors from connecting to network
> > >
> > > > What I'm looking for is a way to secure DHCP so that only our 
> > > > laptops/workstations can get a DHCP address.
> > > > I was thinking of something like EAP used for remote access with 
> > > > certificates to keep computers without a certificate from
> > > receiving an
> > > > IP address, but I can find any information on implementing this.