Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: Gregg Siegfried <grs () binary com>
Date: Fri, 14 Dec 2001 09:54:00 -0800 (PST)


Scott,
I am not sure I fully grasp your problem - Are these laptops on
the outside coming in, or on the inside going out?  Or are
you trying to achieve physical network security within a specific
perimeter?

If the packets are crossing a router, then the mac address is
no longer significant anyway - to the FW, the packets are all
going to have the mac address of the router.

If your partner is considering using the mac address as some sort
of authentication token, I'd discourage that.  If additional effort is
being made to use the mac address at the transport or application layers
as some sort of "unique identifier" or auth token, I'd doubly discourage
that.

Philosophically, I see at least two problems here:

1. By associating your security solely with a physical device (e.g.
a laptop, or pcmcia ethernet card) anyone that borrows, steals, or
imitates this (trivial) device gains all the privileges afforded to it.

2. There are mechanisms such as certificates, public key encryption
and authentication and the like that are designed for this type of
access control, and are much more secure and suitable for same.  If
a "hardware" token is important to the partner, a smart card can hold
the keys, and has the added benefit of requiring additional PIN access
to unlock.  (as well as life beyond hardware failure, upgrades, etc..)

Associating a particular port on a hub or switch with a specific mac
address to avoid people moving stuff around, or substituting devices
on a port is another problem, and many switches and hubs have this
sort of feature these days.  However, beyond the specific "segment"
(a nebulous term when talking about switches, I suppose) the
device is on, the mac address is no longer typically available.
Not to mention this issue being only marginally related to "firewalls".

There are so many good ways to do authentication and access control these
days, unless I completely misunderstand your question, I can't imagine
why the proposed scheme would be appropriate.

-Gregg Siegfried
grs () binary com
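The routing point above (a firewall on the far side of a router only ever sees the router's MAC) is easy to confirm with a small model. This is an added illustration, not code from the list thread or from any OpenBSD tool; the hosts, MACs and addresses are constructed, and IP forwarding is modelled as "rewrite the source MAC to the router's egress MAC, leave the IP header alone".

```python
"""Constructed model of a MAC allowlist enforced at a firewall.

Shows the two failure modes discussed in the thread: the allowlist works
only for hosts on the firewall's own segment, and once traffic is routed
the firewall sees the router's MAC, so it must either block the approved
laptop or admit every host behind the router.  All addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str   # layer-2 source as seen on the receiving segment
    src_ip: str    # layer-3 source, unchanged by forwarding
    dst_ip: str


class Router:
    """IP forwarding: the outgoing frame carries the router's egress MAC."""
    def __init__(self, egress_mac: str):
        self.egress_mac = egress_mac

    def forward(self, frame: Frame) -> Frame:
        return Frame(self.egress_mac, frame.src_ip, frame.dst_ip)


class MacFilterFirewall:
    """Accepts a frame only if its source MAC is on the allowlist."""
    def __init__(self, allowed_macs: set[str]):
        self.allowed = {m.lower() for m in allowed_macs}

    def accept(self, frame: Frame) -> bool:
        return frame.src_mac.lower() in self.allowed


# Constructed identifiers (hypothetical, not from the thread)
APPROVED_LAPTOP = "00:11:22:33:44:55"
OTHER_HOST = "66:77:88:99:aa:bb"
ROUTER_MAC = "de:ad:be:ef:00:01"
PROTECTED = "10.1.0.10"


def same_segment() -> tuple[bool, bool]:
    """Laptop and firewall share a segment: allowlist behaves as intended."""
    fw = MacFilterFirewall({APPROVED_LAPTOP})
    return (fw.accept(Frame(APPROVED_LAPTOP, "10.0.0.5", PROTECTED)),
            fw.accept(Frame(OTHER_HOST, "10.0.0.6", PROTECTED)))


def across_router(allowed: set[str]) -> tuple[bool, bool]:
    """Both hosts sit behind a router; the firewall only sees ROUTER_MAC."""
    router, fw = Router(ROUTER_MAC), MacFilterFirewall(allowed)
    return (fw.accept(router.forward(Frame(APPROVED_LAPTOP, "10.0.0.5", PROTECTED))),
            fw.accept(router.forward(Frame(OTHER_HOST, "10.0.0.6", PROTECTED))))
```

With the laptop's MAC allowlisted, `across_router` blocks the approved laptop; allowlisting the router's MAC instead admits both hosts, which is exactly the point that the MAC has stopped identifying the endpoint.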


On Thu, 13 Dec 2001, Scott Harroff wrote:

A business partner has a security requirement that only pre-identified
and approved laptops (identified by MAC address acting as a physical
token) can access a network behind a firewall.  Identification and
blocking by IP address alone is not acceptable as it could be too
easily changed by a user to match the IP address of an approved
machine.

This could be done by placing a smart switch that only allows certain
MACs on certain ports to communicate with the firewall.  The other
(cost preferable) option would be to have the firewall block
communications from all but machines with approved MAC and IP
addresses.

Does anyone have a solution on how to block via MAC address with OpenBSD?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
