Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 14 Dec 2001 10:53:34 -0700 (MST)

On Thu, 13 Dec 2001, B. Scott Harroff wrote:

Obvious stuff, and I'm sure I won't be the only one to mention it.

> A business partner has a security requirement that only pre-identified and
> approved laptops (identified by MAC address acting as a physical token) can
> access a network behind a firewall.  Identification and blocking by IP
> address alone is not acceptable as it could be too easily changed by a user
> to match the IP address of an approved machine.

You can also change your MAC address to match an approved machine.  It's
slightly more trouble than changing IPs, but quite doable.

> This could be done by placing a smart switch that only allows certain MACs
> on certain ports to communicate with the firewall.

I know on Catalyst switches, you can make it so that only a particular MAC
address can send frames to a particular switch port.

> The other (cost preferable) option would be to have the firewall block
> communications from all but machines with approved MAC and IP addresses.

This only works if there are no routers between the client machines and
the firewall.  Is the inside network flat?

> Does anyone have a solution on how to block via MAC address with OpenBSD?

I don't know if the new OpenBSD firewall code will do MAC addresses.  You
can do a cheap version of this by hard coding ARP entries, and killing
ARP, I suppose.

                                                Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
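The allowlist the thread is discussing, as an added example that is not part of the original post or of any product mentioned in it: a firewall-side table of approved (IP, MAC) pairs applied to constructed frame records. It is written to show the two caveats in the reply, namely that a host which copies both the approved IP and the approved MAC passes the filter, and that a frame forwarded by a router reaches the firewall with the router's source MAC, so the check only works on a flat segment. All addresses are made up, and the `arp -s ... permanent` command shape in `static_arp_commands` is an assumption about OpenBSD arp(8) syntax to verify against your man page, not something the post states.

```python
# Added example (not from the list post): a firewall-side allowlist of
# approved (IP, MAC) pairs, applied to constructed frame records, showing
# the two caveats in the reply above: a spoofed MAC passes, and behind a
# router the firewall only ever sees the router's MAC. All addresses are
# made up for the illustration.
from dataclasses import dataclass

# Constructed allowlist: IP -> MAC of the approved laptop that should own it.
APPROVED = {
    "10.1.1.10": "00:0c:29:11:22:33",
    "10.1.1.11": "00:0c:29:44:55:66",
}


@dataclass(frozen=True)
class Frame:
    """The parts of an Ethernet/IP frame the filter looks at."""
    src_mac: str
    src_ip: str
    dst_ip: str


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so '00-0C-29-..' and '00:0c:29:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def allowed(frame: Frame, approved: dict = APPROVED) -> bool:
    """True only if the source IP is approved AND arrived with its registered MAC."""
    expected = approved.get(frame.src_ip)
    return expected is not None and normalize_mac(frame.src_mac) == normalize_mac(expected)


def route_through(frame: Frame, router_mac: str) -> Frame:
    """What a router does to a packet it forwards: same IP header, but a new
    Ethernet frame whose source MAC is the router's own interface, so the
    laptop's MAC never reaches the firewall."""
    return Frame(src_mac=router_mac, src_ip=frame.src_ip, dst_ip=frame.dst_ip)


def static_arp_commands(approved: dict = APPROVED) -> list:
    """The 'cheap version' from the reply: pin each approved IP to its MAC in
    the firewall's ARP table so the firewall never asks the wire who owns it.
    Command shape follows OpenBSD arp(8) 'arp -s hostname ether_addr permanent';
    this is an assumption, check your arp(8) man page."""
    return [f"arp -s {ip} {mac} permanent" for ip, mac in sorted(approved.items())]


if __name__ == "__main__":
    fw = "10.1.1.1"
    cases = {
        "approved laptop":            Frame("00:0c:29:11:22:33", "10.1.1.10", fw),
        "approved IP, attacker's MAC": Frame("00:50:56:aa:bb:cc", "10.1.1.10", fw),
        "approved IP and cloned MAC": Frame("00:0C:29:11:22:33", "10.1.1.10", fw),
        "approved laptop via router": route_through(
            Frame("00:0c:29:11:22:33", "10.1.1.10", fw), "00:00:0c:07:ac:01"),
    }
    for label, f in cases.items():
        print(f"{label:29s} {'ALLOW' if allowed(f) else 'DROP'}")
    print("\n".join(static_arp_commands()))
```

Running it prints ALLOW for the approved laptop and for the host that cloned both the IP and the MAC (the spoofing point), and DROP for the attacker's own MAC and for the approved laptop once its frames are re-encapsulated by a router (the flat-network point). Pinning ARP entries on the firewall stops it from being redirected by a forged ARP reply, but it does nothing about a client that simply sets its own interface to the approved MAC.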
