Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Patrick Darden <darden () armc org>
Date: Mon, 17 Dec 2001 07:52:52 -0500 (EST)
It sounds like you need physical access to the switch to get logical access to the firewall. Anyone with physical access can pretty much do what they will: resetting the switch to factory defaults, reprogramming it from the console, creating a probe jack to monitor all traffic, etc., etc. If the switch is in a secure area, then I wouldn't worry too much about the MAC-based access. I'd rely on keys, guards, and security codes more than MACs.

--
--Patrick Darden Internetworking Manager
-- 706.354.3312 darden () armc org
-- Athens Regional Medical Center

On Fri, 14 Dec 2001, B. Scott Harroff wrote:
Wizards,

My apologies for not being more specific. Users at the partner network will have access to a room with a single switch which is directly connected to the hostile interface of the firewall (F1) in a secured area. The other interface of F1 is connected to a router via a x-over cable. F1 is building an IPSEC tunnel for certain inbound IPs on the hub/switch across a network into another firewall F2 which is further controlling access into another trusted network. There is no router between the laptops and F1. F1 will see the laptops' MAC.

I fully understand that a MAC address can be changed or faked by any technical user. The partner's purpose is not to create an environment where it becomes physically impossible to have a non-authorized machine talk through the firewall (if someone can fake both the MAC and IP correctly). It's merely to add another security layer (another hurdle) which is challenging to overcome.

Consider this: If you have the ability to change the MAC address, you still have to know what the correct MAC address is you need to fake - which will not be public information. Also, that MAC will have to correspond to a certain predetermined IP, another bit of non-public information. The combination of the two creates a relatively cheap, challenging hurdle.

_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
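The MAC-plus-IP binding Harroff describes, and the limit Darden points at, as an added example that is not code from either poster or from any product in the thread. The script below simulates the check F1 would apply to raw Ethernet II/IPv4 frames arriving on its hostile interface: each frame passes only if its source MAC is on the allowlist and is paired with exactly the IP the allowlist predetermines for it. All MAC and IP addresses, the allowlist, and the constructed frames are assumptions made for the example. On a Linux firewall the equivalent rule would be written with the `mac` match (`iptables -A INPUT -s 10.1.1.10 -m mac --mac-source 00:0c:29:aa:bb:01 -j ACCEPT`), and an attacker who learns both values clears the hurdle with `ip link set dev eth0 address ...` plus a static IP; the last case in `demo()` shows why the filter cannot tell that frame from the legitimate one.

```python
import struct
from typing import Dict, Optional, Tuple

# Allowlist binding each authorised laptop's MAC to the one IP it must use.
# These addresses are constructed for the example; in the real deployment the
# list is the non-public information the "hurdle" argument depends on.
ALLOWED_PAIRS: Dict[str, str] = {
    "00:0c:29:aa:bb:01": "10.1.1.10",
    "00:0c:29:aa:bb:02": "10.1.1.11",
}

ETHERTYPE_IPV4 = 0x0800
F1_HOSTILE_MAC = bytes.fromhex("000c29ffff01")  # F1's hostile-side NIC (assumed)


def mac_to_str(raw: bytes) -> str:
    """Render a 6-byte MAC as colon-separated lowercase hex."""
    return ":".join(f"{octet:02x}" for octet in raw)


def parse_frame(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src_mac, src_ip) for an IPv4 Ethernet II frame, else None.

    Only what the filter needs is decoded: the 14-byte Ethernet header and
    the IPv4 source address at offset 12 of the 20-byte IP header.
    """
    if len(frame) < 14 + 20:
        return None  # truncated: not enough bytes for both headers
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, etc. are outside this check
    ip_hdr = frame[14:34]
    if ip_hdr[0] >> 4 != 4:
        return None  # ethertype says IPv4 but version nibble disagrees
    src_ip = ".".join(str(octet) for octet in ip_hdr[12:16])
    return mac_to_str(src), src_ip


def mac_ip_filter(frame: bytes) -> str:
    """ACCEPT or DROP the way F1's MAC+IP binding would."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "DROP"
    src_mac, src_ip = parsed
    # Known MAC on the wrong IP, or unknown MAC on a known IP, both fail:
    # the attacker must get the *pair* right, not either half.
    if ALLOWED_PAIRS.get(src_mac) != src_ip:
        return "DROP"
    return "ACCEPT"


def build_frame(src_mac: str, src_ip: str, dst_ip: str = "10.1.1.1") -> bytes:
    """Construct a minimal IPv4-over-Ethernet frame (headers only, no payload)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    eth = struct.pack("!6s6sH", F1_HOSTILE_MAC, src, ETHERTYPE_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,       # ver/IHL, TOS, len, id, frag, TTL, TCP, csum
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return eth + ip


def demo() -> Dict[str, str]:
    """Run the filter over the cases argued in the thread."""
    return {
        # authorised laptop on its predetermined IP
        "legit": mac_ip_filter(build_frame("00:0c:29:aa:bb:01", "10.1.1.10")),
        # attacker guesses a valid IP but shows up with his own NIC's MAC
        "unknown_mac": mac_ip_filter(build_frame("00:50:56:de:ad:01", "10.1.1.10")),
        # attacker sniffed a valid MAC but does not know which IP it is bound to
        "wrong_ip": mac_ip_filter(build_frame("00:0c:29:aa:bb:01", "10.1.1.11")),
        # attacker cloned both values: the frame is byte-identical to "legit",
        # so the binding cannot reject it (Darden's point about physical access)
        "spoofed_pair": mac_ip_filter(build_frame("00:0c:29:aa:bb:01", "10.1.1.10")),
        # garbage on the wire never reaches the tunnel
        "truncated": mac_ip_filter(b"\x00" * 20),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

Note that the filter keys on the Ethernet source address, so it only means anything where F1 is on the same segment as the laptops, exactly the no-router-in-between topology Harroff describes; one hop through a router and every frame would carry the router's MAC instead.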
Current thread:
- Re: Blocking at firewall via MAC address, (continued)
- Re: Blocking at firewall via MAC address Paul Robertson (Dec 16)
- Re: Blocking at firewall via MAC address black (Dec 15)
- Re: Blocking at firewall via MAC address B. Scott Harroff (Dec 15)
- Re: Blocking at firewall via MAC address Stephen P. Berry (Dec 16)
- Re: Blocking at firewall via MAC address Mark Brown (Dec 17)
- Re: Blocking at firewall via MAC address R. DuFresne (Dec 16)
- Re: Blocking at firewall via MAC address B. Scott Harroff (Dec 16)
- Re: Blocking at firewall via MAC address Ryan McBride (Dec 17)
- Re: Blocking at firewall via MAC address Paul Cardon (Dec 17)
- Re: Blocking at firewall via MAC address David Lang (Dec 17)
- Re: Blocking at firewall via MAC address Patrick Darden (Dec 17)
- potential network attacks Daniel Handley (Dec 14)
- Re: potential network attacks black (Dec 15)
- Re: potential network attacks Paul Robertson (Dec 16)
- RE: potential network attacks Wayne T Work (Dec 15)