Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Paul Robertson <proberts () patriot net>
Date: Sat, 15 Dec 2001 10:03:42 -0500 (EST)
On Fri, 14 Dec 2001, Patrick Darden wrote:
> It's easy to do, but mac addresses are more easily spoofed than IP's--so I

"More easily" isn't accurate, "as easily" is.

> don't know why you would want to do it. 3com cards come with a utility so you can change your mac to whatever you want. Linux has it built into the OS.

Even Win98 allows you to change your IP address, so spoofing is as easy.

> Security based on MACs is not security at all.
That depends- first of all, it certainly reduces the attacker set. Secondly, if enabled on a switch on a per-port basis, if you don't know the address latched to that particular port, then even if you start sniffing passively for broadcast traffic to get target MACs, you don't have a valid source MAC to generate traffic from. Sure, you could go find a laptop that's allowed to connect, get its MAC address and set your address to that address, but that's a bunch of extra work that will stop casual abusers (and make a *very* good intent case should you prosecute an offender.) Some set of abusers will be stumped and not be able to do whatever the proscribed behaviour is.

Since a sophisticated attacker will generally be a smaller subset of attackers, there may be value from incomplete protective measures - just because a cure isn't 100% effective doesn't mean it won't save lives.

You'll certainly be able to log and alert on the m0r0n who plugs in his laptop and fires it up hoping to get a DHCP lease.

Active steps to circumvent protection are always better than passive ones when you have to go to court- so there may just be significant insurance value in having such rules in place, even without latching on the switch (granted, that's not exactly security value, but it does provide a good business case in some instances.)

If you latch MAC addresses to a port on a switch *and* do MAC filtering, the value is in limiting spoofing attacks on the local subnet.

It's not protection measures which have failure modes which are generally the problem, it's a lack of understanding of the ramifications of the failure modes. When you know the failure modes, you can devise additional protection and detection processes that handle the edge cases.
Anything that whacks the bulk of the attacker/abuser/unauthorized user set out of the picture has value in two ways, reducing the incidence of attack/abuse/misuse and in making sure that anything that trips the alarm after that is worth serious effort to track down and act on.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
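The "log and alert on the laptop that asks for a DHCP lease" point above is easy to turn into a concrete check. The following is an added example, not code from the thread or from any of its participants: it reads ISC dhcpd-style syslog lines, normalises the client MAC, and reports every lease request from an address that is not on a per-site allow-list. The allow-list entries and the log lines are constructed for the example.

```python
import re

# Constructed allow-list of MAC addresses permitted to obtain a lease
# (hypothetical values, not taken from the thread). Stored normalised.
ALLOWED_MACS = {
    "00:50:da:12:34:56",
    "00:50:da:ab:cd:ef",
}

# ISC dhcpd-style syslog lines look like
#   "... DHCPDISCOVER from <mac> via <iface>"
#   "... DHCPREQUEST for <ip> from <mac> via <iface>"
# Only the request-side messages carry a client MAC worth checking.
LEASE_REQ_RE = re.compile(
    r"DHCP(?:DISCOVER|REQUEST) (?:for \S+ )?from "
    r"(?P<mac>[0-9A-Fa-f:-]{17}) via (?P<iface>\S+)"
)


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so that 00-50-DA-12-34-56 and
    00:50:da:12:34:56 compare equal against the allow-list."""
    return mac.replace("-", ":").lower()


def find_unknown_clients(log_lines):
    """Return one (mac, iface, line) tuple per lease request whose client
    MAC is not on the allow-list. A MAC is reported once even if it
    retries several times."""
    alerts = []
    seen = set()
    for line in log_lines:
        m = LEASE_REQ_RE.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group("mac"))
        if mac in ALLOWED_MACS or mac in seen:
            continue
        seen.add(mac)
        alerts.append((mac, m.group("iface"), line.strip()))
    return alerts


# Constructed sample log: one known client, one unknown laptop asking for
# a lease (and retrying), and one known client logged in hyphenated form.
SAMPLE_LOG = """\
Dec 15 09:58:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:50:da:12:34:56 via eth0
Dec 15 09:58:01 dhcpsrv dhcpd: DHCPOFFER on 10.0.0.21 to 00:50:da:12:34:56 via eth0
Dec 15 10:01:17 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:7e:11:22 via eth0
Dec 15 10:01:17 dhcpsrv dhcpd: DHCPOFFER on 10.0.0.22 to 00:0c:29:7e:11:22 via eth0
Dec 15 10:01:18 dhcpsrv dhcpd: DHCPREQUEST for 10.0.0.22 from 00:0c:29:7e:11:22 via eth0
Dec 15 10:02:40 dhcpsrv dhcpd: DHCPDISCOVER from 00-50-DA-AB-CD-EF via eth0
""".splitlines()


if __name__ == "__main__":
    for mac, iface, line in find_unknown_clients(SAMPLE_LOG):
        print(f"ALERT: unknown MAC {mac} requested a lease via {iface}: {line}")
```

Run against the sample log this raises exactly one alert, for 00:0c:29:7e:11:22. Note the failure mode the message describes: a client that has copied an allow-listed MAC passes this check unnoticed, so the check is the "casual abuser" layer, and the complementary control is the per-port latching on the switch plus an alert whenever a latched MAC shows up on a different port.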