Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Sat, 15 Dec 2001 10:46:07 -0800
B. Scott Harroff writes:
> I fully understand that a MAC address can be changed or faked by any technical user. The partner's purpose is not to create an environment where it becomes physically impossible to have a non-authorized machine talk through the firewall (if someone can fake both the MAC and IP correctly). It's merely to add another security layer (another hurdle) which is challenging to overcome. Consider this: if you have the ability to change the MAC address, you still have to know what the correct MAC address is that you need to fake, which will not be public information. Also, that MAC will have to correspond to a certain predetermined IP, another bit of non-public information. The combination of the two creates a relatively cheap, challenging hurdle.
Security quote experts unquote can be a fairly unimaginative lot. If you ask a question with a pat answer (like yours nominally is), you'll get a dozen variations on the pat answer and roughly zero useful input.

Okay. We all realise that MAC address filtering presents an annoyance rather than a serious impediment to the dedicated and technically savvy evildoer. You've also specified that you'd like a solution built on an OpenBSD box. Here's my take on the situation:

Since MAC address filtering makes a fairly brittle enforcement barrier, don't use a mechanism like a `secure' switch or static ARP tables to enforce it. Post a public policy saying that lusers are not authorised to add machines to the network (with appropriate verbiage, additional caveats, and warnings of dire retribution, as per the rest of your security and/or acceptable use policies). Firewall based on IP only.

On your OpenBSD box, run a little daemon that uses libpcap (or equivalent) to look at all the traffic coming from the subnet, with a simple filter rule that matches all traffic not originating from your known ether/IP pairs. Have it page you whenever it sees anything.

This won't prevent initial exploitation, but neither will port-level security on a secure switch. If you use a mechanism like a secure switch, an evildoer will get immediate feedback on your enforcement policy, which will aid them in circumventing it. Not supplying evildoers with this information allows you to make the most of a policy with limited (as everyone appears to agree) potential for machine-only enforceability.

There are an awful lot of things like MAC address auditing that provide limited potential for creating bulletproof automatic enforcement. Most of them are fine sources of passive intelligence, however. Take what you can get.
-Steve
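One way to build the passive ether/IP audit that Steve describes above, as an added example (not code from the original thread). It assumes constructed sample MAC/IP pairs and frames; `bpf_filter()` produces the capture filter you would hand to pcap so the kernel only passes traffic from unknown pairs, and `audit()` is what the capture callback would run on each frame before paging someone.

```python
"""Audit Ethernet/IPv4 source pairs against a known-hosts table.
Constructed example: parses raw frames as a pcap callback would receive
them and flags any (src MAC, src IP) pair that is not on the list."""
import struct
from ipaddress import IPv4Address

# Known (MAC, IP) pairs for the subnet -- constructed sample values.
KNOWN_HOSTS = {
    ("00:50:56:aa:01:02", "192.168.1.10"),
    ("00:50:56:aa:01:03", "192.168.1.11"),
}

def bpf_filter(known):
    """Build a pcap filter that matches only traffic NOT from a known pair."""
    pairs = " or ".join(
        f"(ether src {mac} and src host {ip})" for mac, ip in sorted(known))
    return f"ip and not ({pairs})"

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:                 # 14-byte Ethernet + 20-byte IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:             # only IPv4 carries a source IP here
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = str(IPv4Address(frame[26:30]))
    return src_mac, src_ip

def audit(frames, known=KNOWN_HOSTS):
    """Return the (src_mac, src_ip) pairs seen that are not in the table."""
    alerts = []
    for frame in frames:
        pair = parse_frame(frame)
        if pair is not None and pair not in known:
            alerts.append(pair)         # a real daemon would page here
    return alerts

def build_frame(src_mac, src_ip):
    """Construct a minimal Ethernet+IPv4 header (no payload) for testing."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     IPv4Address(src_ip).packed, IPv4Address("192.168.1.1").packed)
    return eth + ip

SAMPLE = [build_frame("00:50:56:aa:01:02", "192.168.1.10"),   # known pair
          build_frame("00:50:56:aa:01:02", "192.168.1.99"),   # known MAC, new IP
          build_frame("de:ad:be:ef:00:01", "192.168.1.11")]   # new MAC, known IP
```

Running `audit(SAMPLE)` reports the last two frames; the first, a known pair, is silent.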