Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Sat, 15 Dec 2001 10:46:07 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


B. Scott Harroff writes:

I fully understand that a MAC address can be changed or faked by any technical
user.  The partner's purpose is not to create an environment where it becomes
physically impossible to have a non-authorized machine talk through the
firewall (if someone can fake both the MAC and IP correctly).  It's merely
to add another security layer (another hurdle) which is challenging to
overcome.  Consider this: If you have the ability to change the MAC address,
you still have to know what the correct MAC address is that you need to fake -
which will not be public information.  Also, that MAC will have to
correspond to a certain predetermined IP, another bit of non-public
information.  The combination of the two creates a relatively cheap,
challenging hurdle.

Security quote experts unquote can be a fairly unimaginative lot.  If
you ask a question with a pat answer (like yours nominally is), 
you'll get a dozen variations on the pat answer and roughly zero
useful input.

Okay.  We all realise that MAC address filtering presents an annoyance
rather than a serious impediment to the dedicated and technically
savvy evildoer.  You've also specified that you'd like a solution built
on an OpenBSD box.  Here's my take on the situation:

Since MAC address filtering makes a fairly brittle enforcement barrier,
don't use a mechanism like a `secure' switch or static ARP tables to
enforce it.  Post a public policy saying that lusers are not authorised
to add machines to the network (with appropriate verbiage, additional
caveats, and warnings of dire retribution, as per the rest of your
security and/or acceptable use policies).  Firewall based on IP only.
On your OpenBSD box, run a little daemon that uses libpcap (or equivalent)
to look at all the traffic coming from the subnet, with a simple filter
rule that matches all traffic not originating from your known ether/IP
pairs.  Have it page you whenever it sees anything.  This won't prevent
initial exploitation, but neither will port-level security on a secure
switch.

If you use a mechanism like a secure switch, an evildoer will get
immediate feedback on your enforcement policy, which will aid them
in circumventing it.  Not supplying evildoers with this information
allows you to make the most of a policy with limited (as everyone
appears to agree) potential for machine-only enforceability.

There are an awful lot of things like MAC address auditing that provide
limited potential for creating bulletproof automatic enforcement.  Most
of them are fine sources of passive intelligence, however.  Take what
you can get.





- -Steve


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8G5ptG3kIaxeRZl8RAp71AJ9cLtcf6+UdLiba2r5/XJ9AfWxceACg2yCV
DVPSaWIK8AON9PWBXN0AtFY=
=Dupb
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
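The watcher daemon Steve sketches above (look at every frame from the subnet, match anything not from a known ether/IP pair, page on a hit), as an added example that is not code from this thread or from any firewall-wizards participant. It works on raw Ethernet frames constructed inline rather than on a live libpcap handle, the two allowlisted MAC/IP pairs and all sample addresses are made up for the example, and `bpf_filter()` assumes pcap's `src host` qualifier matches the ARP sender address as well as the IPv4 source (as the pcap-filter manual describes). It also distinguishes the mismatched-pairing case the original poster relies on (a known MAC turning up on a different known IP) from a wholly unknown machine.

```python
"""Flag frames whose (source MAC, source IPv4) pair is not on the allowlist.

Added example, not the daemon from the post: it inspects raw Ethernet frames
constructed inline instead of reading a live libpcap handle. A real daemon
would feed each captured frame to classify_frame() and page on any result.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed allowlist: the ether/IP pairs expected on the inside subnet.
KNOWN_PAIRS = {
    ("00:0c:29:3a:1b:2c", "192.168.10.10"),
    ("00:0c:29:55:aa:bb", "192.168.10.11"),
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Return (src_mac, src_ip, kind) for IPv4 and ARP frames, else None.

    IPv4: Ethernet source plus the IP source address field.
    ARP:  Ethernet source plus the ARP sender protocol address, so a box
          claiming an address via ARP is caught before it ever sends IP.
    """
    if len(frame) < 14:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20:
        if payload[0] >> 4 != 4 or (payload[0] & 0x0F) < 5:
            return None                     # not a sane IPv4 header
        return mac_str(src), ip_str(payload[12:16]), "ip"
    if etype == ETHERTYPE_ARP and len(payload) >= 28:
        hw, proto, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
        if (hw, proto, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
            return None                     # not Ethernet/IPv4 ARP
        return mac_str(payload[8:14]), ip_str(payload[14:18]), "arp"
    return None

def classify_frame(frame, known=KNOWN_PAIRS):
    """None if the frame comes from a known pair, otherwise an alert string."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    mac, ip, kind = parsed
    if (mac, ip) in known:
        return None
    mac_known = any(m == mac for m, _ in known)
    ip_known = any(i == ip for _, i in known)
    if mac_known and ip_known:
        reason = "known MAC and known IP but not the expected pairing"
    elif mac_known:
        reason = "known MAC using an unexpected IP"
    elif ip_known:
        reason = "known IP from an unexpected MAC"
    else:
        reason = "unknown MAC and unknown IP"
    return f"{kind.upper()} from {mac}/{ip}: {reason}"

def bpf_filter(known=KNOWN_PAIRS):
    """pcap filter matching everything NOT from a known pair (the post's rule)."""
    clauses = [f"(ether src {m} and src host {i})" for m, i in sorted(known)]
    return "not (" + " or ".join(clauses) + ")"

# --- constructed sample traffic (all addresses made up) -------------------
def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s):
    return bytes(int(x) for x in s.split("."))

def make_ipv4_frame(src_mac, src_ip, dst_mac="00:50:56:ab:cd:ef", dst_ip="192.168.10.1"):
    eth = struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip                         # header only, checksum left zero

def make_arp_frame(sender_mac, sender_ip, target_ip="192.168.10.1"):
    eth = struct.pack("!6s6sH", b"\xff" * 6, _mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      _mac(sender_mac), _ip(sender_ip), b"\x00" * 6, _ip(target_ip))
    return eth + arp

SAMPLE_FRAMES = [
    make_ipv4_frame("00:0c:29:3a:1b:2c", "192.168.10.10"),  # known pair
    make_arp_frame("00:0c:29:55:aa:bb", "192.168.10.11"),   # known pair, via ARP
    make_ipv4_frame("00:0c:29:3a:1b:2c", "192.168.10.11"),  # known MAC on another known IP
    make_ipv4_frame("08:00:27:12:34:56", "192.168.10.10"),  # new NIC squatting a known IP
    make_arp_frame("08:00:27:12:34:56", "192.168.10.99"),   # wholly unknown machine
]

def scan(frames):
    """Return (index, alert) for every frame that should trigger a page."""
    alerts = []
    for i, frame in enumerate(frames):
        alert = classify_frame(frame)
        if alert:
            alerts.append((i, alert))
    return alerts

if __name__ == "__main__":
    print("pcap filter:", bpf_filter())
    for idx, alert in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: {alert}")
```

On a real box the filter string from `bpf_filter()` goes straight into `pcap_compile()` (or `tcpdump -i <inside_if> '<filter>'`), so the daemon only ever sees the frames it should page about; `classify_frame()` then just adds the reason. Two caveats a practitioner should keep in mind: the Ethernet source only tells you the last hop, so the watcher has to sit on the same segment as the hosts (behind a router it would only ever see the router's MAC), and a pcap filter built this way silently stops matching if the allowlist is edited without restarting the daemon, so reload it on SIGHUP or rebuild it on a timer.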