Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Gregg Siegfried <grs () binary com>
Date: Fri, 14 Dec 2001 09:54:00 -0800 (PST)
Scott, I am not sure I fully grasp your problem - Are these laptops on the outside coming in, or on the inside going out? Or are you trying to achieve physical network security within a specific perimeter?

If the packets are crossing a router, then the mac address is no longer significant anyway - to the FW, the packets are all going to have the mac address of the router.

If your partner is considering using the mac address as some sort of authentication token, I'd discourage that. If additional effort is being made to use the mac address at the transport or application layers as some sort of "unique identifier" or auth token, I'd doubly discourage that.

Philosophically, I see at least two problems here:

1. By associating your security solely with a physical device (e.g. a laptop, or pcmcia ethernet card) anyone that borrows, steals, or imitates this (trivial) device gains all the privileges afforded to it.

2. There are mechanisms such as certificates, public key encryption and authentication and the like that are designed for this type of access control, and are much more secure and suitable for same. If a "hardware" token is important to the partner, a smart card can hold the keys, and has the added benefit of requiring additional PIN access to unlock. (as well as life beyond hardware failure, upgrades, etc..)

Associating a particular port on a hub or switch with a specific mac address to avoid people moving stuff around, or substituting devices on a port is another problem, and many switches and hubs have this sort of feature these days. However, beyond the specific "segment" (a nebulous term when talking about switches, I suppose) the device is on, the mac address is no longer typically available. Not to mention this issue being only marginally related to "firewalls".

There are so many good ways to do authentication and access control these days, unless I completely misunderstand your question, I can't imagine why the proposed scheme would be appropriate.
-Gregg Siegfried grs () binary com

On Thu, 13 Dec 2001, Scott Harroff wrote:
A business partner has a security requirement that only pre-identified and approved laptops (identified by MAC address acting as a physical token) can access a network behind a firewall. Identification and blocking by IP address alone is not acceptable as it could be too easily changed by a user to match the IP address of an approved machine. This could be done by placing a smart switch that only allows certain MACs on certain ports to communicate with the firewall. The other (cost preferable) option would be to have the firewall block communications from all but machines with approved MAC and IP addresses. Does anyone have a solution on how to block via MAC address with OpenBSD?
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
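The following is an added example, not code from this thread or from OpenBSD. It models the (MAC, IP) allowlist Scott proposes as a toy firewall, builds constructed Ethernet/IPv4 frames, and runs the two cases Gregg raises: an attacker who copies the approved laptop's MAC and IP, and the approved laptop sitting one router hop away from the firewall. All MAC and IP addresses in it are made up; the "router" is a minimal simulation of L3 forwarding (strip L2 header, decrement TTL, re-encapsulate with the router's own MAC).

```python
"""Added example: toy (src MAC, src IP) allowlist filter against constructed
Ethernet II / IPv4 frames. Demonstrates (1) a cloned MAC+IP passes the filter
and (2) after a router hop the firewall only sees the router's MAC.
All addresses are hypothetical."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed identities for the scenarios (hypothetical addresses).
APPROVED_MAC, APPROVED_IP = "00:a0:c9:12:34:56", "10.1.1.20"
ATTACKER_MAC, ATTACKER_IP = "00:e0:18:aa:bb:cc", "10.1.1.99"
FIREWALL_MAC = "00:04:76:de:ad:01"
ROUTER_INSIDE_MAC, ROUTER_OUTSIDE_MAC = "00:04:76:ca:fe:01", "00:04:76:ca:fe:02"
SERVER_IP = "10.2.2.5"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip: str, dst_ip: str, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17, no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Pull out the L2 and L3 source/destination fields a firewall would look at."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ipv4_checksum(ip[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "dst_mac": bytes_to_mac(frame[:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
    }


def route(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """Simulated forwarding: drop the L2 header, decrement TTL, fix the checksum,
    re-encapsulate with the router's own MAC as source. The sender's MAC is gone."""
    ip = bytearray(frame[14:])
    if ip[8] <= 1:
        raise ValueError("TTL exceeded")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:20])))
    return build_frame(next_hop_mac, router_mac, bytes(ip))


class MacIpAllowlist:
    """The proposed scheme: pass only frames whose (src MAC, src IP) pair is approved."""

    def __init__(self, approved: dict):
        self.approved = approved  # src MAC -> the IP it is allowed to use

    def allow(self, frame: bytes) -> bool:
        f = parse_frame(frame)
        return self.approved.get(f["src_mac"]) == f["src_ip"]


def run_scenarios() -> dict:
    fw = MacIpAllowlist({APPROVED_MAC: APPROVED_IP})
    pkt_ok = build_ipv4(APPROVED_IP, SERVER_IP)
    results = {
        "approved_laptop_same_segment":
            fw.allow(build_frame(FIREWALL_MAC, APPROVED_MAC, pkt_ok)),
        "attacker_own_identity":
            fw.allow(build_frame(FIREWALL_MAC, ATTACKER_MAC, build_ipv4(ATTACKER_IP, SERVER_IP))),
        # Point 1: a user can set the card's MAC with ifconfig, so copying the
        # approved laptop's MAC and IP is all the "imitation" needed.
        "attacker_cloned_mac_and_ip":
            fw.allow(build_frame(FIREWALL_MAC, APPROVED_MAC, pkt_ok)),
    }
    # The approved laptop again, but one router hop away from the firewall.
    routed = route(build_frame(ROUTER_INSIDE_MAC, APPROVED_MAC, pkt_ok),
                   ROUTER_OUTSIDE_MAC, FIREWALL_MAC)
    results["approved_laptop_behind_router"] = fw.allow(routed)
    results["mac_seen_after_routing"] = parse_frame(routed)["src_mac"]
    return results
```

Calling run_scenarios() returns True for the approved laptop on the firewall's own segment, False for the attacker under its own MAC and IP, True for the attacker using the cloned pair (the filter cannot tell them apart), and False for the legitimate laptop behind the router, where the firewall sees ROUTER_OUTSIDE_MAC as the source. That last result is why a switch's per-port MAC lock (which acts on the segment the device is plugged into) and a firewall rule (which may be a router hop away) are different tools, and why neither substitutes for per-user credentials such as certificates.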