RE: [fw-wiz] Link level security with static arp tables
From: Ben Nagy (ben_at_iagu.net)
Date: 10/14/03
- Previous message: Damian Gerow: "[fw-wiz] Spamming, 'hidden' mail server"
- In reply to: Debian User: "[fw-wiz] Link level security with static arp tables"
To: <firewall-wizards@honor.icsalabs.com> Date: Tue, 14 Oct 2003 11:55:22 +0200
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Debian User
> Sent: Sunday, October 12, 2003 2:32 PM
> To: firewall-wizards@honor.icsalabs.com
>
> Hello,
>
> Problem:
>
> [ INET ] ---- <eth1> [ NAT GATEWAY ] <eth0> --- [ LOCAL NET, 50 clients ]
>
> I need to limit access to the gateway according to allowed MACs, i.e.
> Ethernet frames from allowed MAC addresses are forwarded to and fro in
> the gateway, but others will be dropped (and logged if possible).
What security problem are you actually solving? "I need to limit access
according to MAC address" is a technical requirement, but where did it come
from?
I'm just curious because if it's something like "Only known and authorised
machines shall be able to pass traffic through the gateway" then you have
issues, given how easy it is to spoof MAC addresses. If I wanted to attack
your setup I would connect, get a list of all the PC MAC addresses (by
listening to broadcasts, or by ettercapping your gateway) and then just pick
one that was quiet...it gets much worse if you happen to be using any
wireless behind the gateway.
> I could disable arp on eth0 and use static arp tables in the gw, but that
> would mean that the gateway won't answer any arp queries, hence the clients
> will not be able to find its MAC. Setting up static arp tables in clients is
> not an option.
I don't think either of those options is going to work...
> I could use netfilter MAC matching support in the kernel, but that would
> mean I have to add 50 rules to the ruleset adding considerable overhead.
You said you only had 50 clients - I don't know netfilter very well but I'll
bet you lunch that adding 50 kernel-level MAC permit statements won't make
any appreciable performance difference unless you have a 386 as a gateway.
> Moreover, it is a link level problem that should be solved in the same
> level, so netfilter is not an attractive option. Please comment if I'm wrong.
I completely agree with you here. I would be much more inclined to look at
switch-level security (layer 2!), which gives you the option to filter on
MAC address, physical switch port or a combination of both (which defeats my
attack as outlined above). In addition, you could disable any ports that are
not currently in use.
> Any solutions?
You could also look at 802.1x - that's kind of designed to solve the problem
I think you're asking about, but it's infrastructure-heavy.
'luck!
ben
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
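For reference, the netfilter variant the original poster weighed (one MAC permit rule per client, log and drop everything else) is small enough to generate from a list. The script below is an added example, not code from either poster; it assumes the post's topology with eth0 as the LAN interface, and invents a chain name MACALLOW. It prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a MAC allow-list into the
# netfilter rules the original poster describes (forward frames from listed
# source MACs, log and drop the rest). Assumes the post's topology: eth0 is
# the LAN side of the gateway. Rules are printed for review, not applied.
# As the reply notes, source MACs are easily spoofed; treat this as hygiene.

LAN_IF=eth0
CHAIN=MACALLOW

# Read MACs from stdin (one per line, '#' comments and blank lines ignored)
# and print the iptables commands. Returns 1 if any line is not a MAC address,
# so a typo in the list is noticed instead of silently becoming a hole.
gen_mac_rules() {
    rc=0
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    while read -r mac _comment; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "# skipped invalid entry: $mac" >&2
            rc=1
            continue
        fi
        # -m mac matches the source MAC of the arriving frame (INPUT/FORWARD only)
        echo "iptables -A $CHAIN -m mac --mac-source $mac -j ACCEPT"
    done
    # Anything else from the LAN side is logged (rate-limited) and dropped.
    echo "iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix 'MAC-DENY: '"
    echo "iptables -A $CHAIN -j DROP"
    # Check both traffic through the gateway and traffic to the gateway itself.
    echo "iptables -I FORWARD -i $LAN_IF -j $CHAIN"
    echo "iptables -I INPUT -i $LAN_IF -j $CHAIN"
    return $rc
}

# Constructed sample allow-list: locally administered addresses, not real hosts.
gen_mac_rules <<'EOF' || echo "# allow-list contained invalid entries" >&2
# workstation allow-list, one MAC per line
02:00:00:00:00:01
02:00:00:00:00:02  # finance PC
not-a-mac
EOF
```

Because the matching is on the source MAC of the arriving frame only, the -i eth0 hooks are sufficient; reply traffic from eth1 carries the upstream router's MAC and is not subject to the list.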