Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 14 Dec 2001 10:53:34 -0700 (MST)
On Thu, 13 Dec 2001, B. Scott Harroff wrote:

Obvious stuff, and I'm sure I won't be the only one to mention it.

> A business partner has a security requirement that only pre-identified and approved laptops (identified by MAC address acting as a physical token) can access a network behind a firewall. Identification and blocking by IP address alone is not acceptable as it could be too easily changed by a user to match the IP address of an approved machine.

You can also change your MAC address to match an approved machine. It's slightly more trouble than changing IPs, but quite doable.

> This could be done by placing a smart switch that only allows certain MACs on certain ports to communicate with the firewall.

I know on Catalyst switches, you can make it so that only a particular MAC address can send frames to a particular switch port.

> The other (cost preferable) option would be to have the firewall block communications from all but machines with approved MAC and IP addresses.

This only works if there are no routers between the client machines and the firewall. Is the inside network flat?

> Does anyone have a solution on how to block via MAC address with OpenBSD?

I don't know if the new OpenBSD firewall code will do MAC addresses. You can do a cheap version of this by hard coding ARP entries, and killing ARP, I suppose.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
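As an added illustration of the "hard coded ARP entries" approach discussed above (example code written for this archive page, not from any poster or from OpenBSD), the script below turns an approved IP-to-MAC allowlist into static `arp -s` commands and audits a captured ARP table against that allowlist; the allowlist, the sample `arp -an` lines and their BSD-style "? (ip) at mac on iface" format are all constructed assumptions, so adjust the regex to your arp's output.

```python
import re

# Constructed sample allowlist of approved laptops: IP -> MAC.
ALLOWLIST = {
    "192.168.1.10": "00:a0:c9:12:34:56",
    "192.168.1.11": "00:a0:c9:65:43:21",
}

# Constructed sample of BSD-style `arp -an` output (format is an assumption).
SAMPLE_ARP = """\
? (192.168.1.10) at 00:a0:c9:12:34:56 on fxp0
? (192.168.1.11) at 00:e0:29:aa:bb:cc on fxp0
? (192.168.1.50) at 00:a0:c9:65:43:21 on fxp0
? (192.168.1.99) at 00:50:56:de:ad:01 on fxp0
"""

# Matches "(ip) at mac" wherever it appears in a line.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return a list of (ip, mac) pairs found in arp -an style output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def static_arp_commands(allowlist):
    """Commands that pin each approved IP to its MAC (arp -s host ether_addr)."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(allowlist.items())]


def audit(entries, allowlist):
    """Flag ARP entries that disagree with the allowlist.

    Returns (ip, mac, reason) tuples. An attacker who clones both the approved
    IP and MAC is indistinguishable from the real laptop here, which is the
    weakness Ryan points out above.
    """
    mac_to_ip = {mac.lower(): ip for ip, mac in allowlist.items()}
    findings = []
    for ip, mac in entries:
        expected = allowlist.get(ip)
        if expected is None and mac not in mac_to_ip:
            findings.append((ip, mac, "unknown host"))
        elif expected is None:
            findings.append((ip, mac, f"approved MAC seen at unexpected IP (expected {mac_to_ip[mac]})"))
        elif expected.lower() != mac:
            findings.append((ip, mac, f"approved IP answered by unexpected MAC (expected {expected})"))
    return findings
```

Run the audit periodically against live `arp -an` output and alert on any finding; the static entries only hold while ARP learning is actually disabled on the firewall.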