Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

From: Ben Nagy (ben@iagu.net)
Date: 01/29/03
From: "Ben Nagy" <ben@iagu.net>
To: "Luca Berra" <bluca@comedia.it>, <firewall-wizards@honor.icsalabs.com>
Date: Wed Jan 29 09:10:22 2003
----- Original Message -----
From: "Luca Berra" <bluca@comedia.it>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Wednesday, January 29, 2003 12:23 AM
Subject: Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?

> On Sat, Jan 25, 2003 at 12:53:35AM +0100, Luca Berra wrote:
> >On Wed, Jan 22, 2003 at 09:21:25AM +0100, Ben Nagy wrote:
> >>Put me down as a "me too" for Wes's post.
> >>
> >>Static IP assignment for individual clients is insane. If you want
> >>strong(ish) machine-based security then look at switch port MAC filters;
> >>they're also insane from a management point of view but at least they
> >>actually offer a positive security delta.
> >
> >You will probably want to implement 802.1X; MAC filters are a nightmare
> >to manage.
>
> Besides that, MAC addresses can be faked, and if the scenario is someone
> having access to the client workstation LAN and trying to escalate
> privileges, it is not even difficult to gather the correct IP/MAC combo.
>
> L.

Switch port MAC filters mean that an attacker needs to be sitting on the
correct switch port, as well as being able to fake their MAC address (which,
although possible, isn't as easy with Ethernet devices as it is with
802.11).

If we're assuming that our attacker can easily forge MAC addresses, then I
don't see why the well-known 802.1X attacks aren't just as dangerous when
we're using it on Ethernet as when it's used on 802.11.

I'd suggest that against an attacker who can forge MAC addresses then
port-MAC filters are actually stronger than 802.1X, if only because you can
still apply physical security based on the patch panels, wall-points and
switch ports. I'm also happy to concede that it's a dumb way to try and
administer a network.

I'm interested in this push towards 802.1X on ethernet - I'm wondering if
someone has spent a longer time than I have thinking about risks and threat
scenarios?

Cheers,

ben
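The port-plus-MAC binding Ben describes is something a defender can audit from the switch side. The script below is an added example, not part of this thread: it checks a constructed "show mac address-table"-style sample against an assumed port-to-MAC assignment and reports a MAC on a port it is not assigned to, as well as one MAC learned on two ports at once (the symptom of a duplicated address).

```python
# Added example (not from the thread): audit a switch's learned MAC table
# against the port-to-MAC assignment that a per-port MAC filter encodes.
from collections import defaultdict

# Assumed bindings: switch port -> authorised MAC (constructed sample data).
EXPECTED = {
    "Gi0/1": "00:11:22:33:44:01",
    "Gi0/2": "00:11:22:33:44:02",
    "Gi0/3": "00:11:22:33:44:03",
}

# Constructed sample of a learned MAC table: vlan, mac, type, port.
MAC_TABLE_SAMPLE = """\
10 0011.2233.4401 DYNAMIC Gi0/1
10 0011.2233.4402 DYNAMIC Gi0/2
10 0011.2233.4402 DYNAMIC Gi0/7
10 00aa.bbcc.dd99 DYNAMIC Gi0/3
"""

def normalise_mac(mac):
    """Turn 0011.2233.4401 or 00-11-22-33-44-01 into 00:11:22:33:44:01."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Return (mac, port) pairs from the sample table format above."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip headers and blank lines
        entries.append((normalise_mac(fields[1]), fields[3]))
    return entries

def audit(entries, expected=EXPECTED):
    """Return a sorted list of findings as (kind, mac, port) tuples."""
    findings = []
    ports_by_mac = defaultdict(set)
    for mac, port in entries:
        ports_by_mac[mac].add(port)
        if expected.get(port) != mac:  # unassigned port or wrong MAC
            findings.append(("unexpected_mac_on_port", mac, port))
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:  # same MAC learned on more than one port
            for port in sorted(ports):
                findings.append(("mac_seen_on_multiple_ports", mac, port))
    return sorted(findings)
```

Running `audit(parse_mac_table(MAC_TABLE_SAMPLE))` on the sample yields four findings: the duplicated address on Gi0/2 and Gi0/7, that address on the unassigned port Gi0/7, and an unknown MAC on Gi0/3.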
