Re: [fw-wiz] MAC blocking

From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 11/28/05

  • Next message: Paul D. Robertson: "Re: [fw-wiz] MAC blocking"
    To: Eric Appelboom <eric@mweb.com>
    Date: Mon, 28 Nov 2005 22:25:55 +0100 (CET)
    
    

    Hello!

    Eric wrote:

    > I would like to white list known MAC address on a subnet and block\deny
    > any new MACs.
    > If a new MAC is seen the firewall it should not allow that MAC to pass
    > traffic out that segment\vlan.
    > A similar concept to MAC address locking on Wifi AP's
    >
    > It would be great to have this as a feature on a protected segment of a
    > firewall.

    I would investigate switches with advanced management capabilities.

    E.g. certain Cisco products can talk to a "VLAN Membership Policy Server"
    to put hosts into VLANs depending on their MAC address.

    I don't know details, but even if they don't have a "don't forward
    any packets for unknown MAC addresses" policy, they must have a
    default VLAN for these unknown ones. Don't connect the default
    VLAN to anything - voila.

    Keep in mind that employing VLANs as a means of separating zones
    of different trust in a firewall implementation is still a subject
    of some discussion - it's not quite sure whether it is safe to assume
    that "VLAN hopping" is definitely impossible.

    HTH,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- 
    punkt.de GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe       http://punkt.de
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
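As an added example that is not part of the thread, a small Python model of the two approaches discussed above: Eric's allow-list of known MACs per segment, and Patrick's VMPS-style rule that any unknown MAC lands in a default VLAN connected to nothing. The policy table, the default VLAN number and the MAC-table sample are constructed assumptions.

```python
import re

# Accept the usual spellings: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Canonicalise to lower-case colon form so allow-list lookups are exact."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def assign_vlan(mac: str, policy: dict, default_vlan: int) -> int:
    """VMPS-style decision: a known MAC gets its VLAN, anything else the
    default VLAN, which is deliberately connected to nothing."""
    return policy.get(normalize_mac(mac), default_vlan)

def audit_segment(observed, policy: dict, default_vlan: int) -> list:
    """Walk (vlan, mac) observations, e.g. a switch's MAC table, and report
    hosts missing from the allow-list or seen on a VLAN the policy did not assign."""
    findings = []
    for vlan, mac in observed:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            findings.append((vlan, mac, "malformed"))
            continue
        if canon not in policy:
            findings.append((vlan, canon, "unknown-mac"))
        elif vlan != assign_vlan(canon, policy, default_vlan):
            findings.append((vlan, canon, f"wrong-vlan expected {policy[canon]}"))
    return findings

# Constructed policy: allow-listed MACs and their VLANs (assumption, not from the thread)
POLICY = {
    normalize_mac("00:11:22:33:44:55"): 10,
    normalize_mac("0011.2233.4466"): 10,
    normalize_mac("00-11-22-33-44-77"): 20,
}
DEFAULT_VLAN = 999  # constructed: the VLAN that is trunked nowhere

# Constructed MAC-table sample as (vlan, mac) pairs
SAMPLE_MAC_TABLE = [
    (10, "0011.2233.4455"),       # known, correct VLAN
    (10, "00:11:22:33:44:66"),    # known, correct VLAN
    (10, "00:11:22:33:44:77"),    # known, but policy puts it on VLAN 20
    (10, "de:ad:be:ef:00:01"),    # never seen before
    (10, "garbage"),              # malformed entry
]
```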