Re: [fw-wiz] MAC blocking

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/28/05

  • Next message: Chuck Swiger: "Re: [fw-wiz] MAC blocking"
    To: Eric Appelboom <eric@mweb.com>
    Date: Mon, 28 Nov 2005 16:27:49 -0500 (EST)

    On Fri, 25 Nov 2005, Eric Appelboom wrote:

    > Hi
    >
    > I would like to whitelist known MAC addresses on a subnet and block\deny
    > any new MACs.
    > If a new MAC is seen by the firewall, it should not allow that MAC to pass
    > traffic out of that segment\vlan.
    > A similar concept to MAC address locking on Wifi APs.
    >
    > It would be great to have this as a feature on a protected segment of a
    > firewall.
    >
    > One could script a diff on files containing arp entries and then arp
    > poison the IP associated to the new MAC (not the correct way), or spoof or
    > bind the offending MAC with ifconfig\macmakeup\SMAC and bind it to a
    > secondary interface.
    >
    > Any better ideas? (no 802.1x NAC\NAP please)

    Turn off dynamic ARP and use static ARP mappings. It doesn't stop someone
    from MAC spoofing, but it's workable if your switches don't support MAC
    locking at the port level. Obviously you have to share layer 2 for it to
    work...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    http://fora.compuwar.net Infosec discussion boards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
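Paul's suggestion (pin each known host with a static ARP entry) together with Eric's own idea of diffing the ARP table, as an added example that is not from the original thread. It is a POSIX shell script for a Linux firewall using iproute2; the interface name eth0, the whitelist and the neighbour-table sample are constructed for illustration. A neighbour entry installed with `nud permanent` is not overwritten by ARP replies the kernel receives, which is how dynamic ARP is effectively switched off for the whitelisted hosts; `unknown_macs` then reports any MAC in the live table that is not on the list.

```shell
#!/bin/sh
# Added example, not from the original thread: pin whitelisted hosts with
# static (permanent) ARP entries and flag unknown MACs in the neighbour table.
# Assumptions: Linux with iproute2; the interface name eth0 is made up.

IFACE=eth0

# Constructed whitelist of "ip mac" pairs for the protected segment.
WHITELIST='192.168.1.1 00:11:22:33:44:01
192.168.1.10 00:11:22:33:44:0a
192.168.1.20 00:11:22:33:44:14'

# Constructed sample of `ip -4 neigh show dev eth0` output. The .99 entry
# carries a MAC that is not on the whitelist.
SAMPLE_NEIGH='192.168.1.1 lladdr 00:11:22:33:44:01 PERMANENT
192.168.1.10 lladdr 00:11:22:33:44:0a REACHABLE
192.168.1.99 lladdr de:ad:be:ef:00:99 STALE
192.168.1.20 lladdr 00:11:22:33:44:14 DELAY'

# Print one `ip neigh replace ... nud permanent` command per whitelisted pair.
# The kernel does not update a PERMANENT entry from received ARP replies, so
# the firewall's view of these hosts is fixed. Commands are printed, not run,
# so they can be reviewed and then applied with:  static_arp_cmds | sh
static_arp_cmds() {
    printf '%s\n' "$WHITELIST" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$mac" "$IFACE"
    done
}

# Read `ip neigh show` text on stdin and print "ip mac" for every entry whose
# MAC is not whitelisted. Takes the field after "lladdr", so output with or
# without a "dev ethX" column is handled; the comparison is case-insensitive.
unknown_macs() {
    known=$(printf '%s\n' "$WHITELIST" | awk '{ print tolower($2) }')
    awk -v known="$known" '
        BEGIN { n = split(known, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++)
                if ($i == "lladdr") {
                    mac = tolower($(i + 1))
                    if (!(mac in ok)) print $1, mac
                }
        }'
}

# Exit 0 when the table on stdin holds only whitelisted MACs, 1 otherwise.
check_neigh_table() {
    [ -z "$(unknown_macs)" ]
}

# Demonstration on the constructed sample; on the firewall itself run
#   ip -4 neigh show dev "$IFACE" | unknown_macs
printf '%s\n' "$SAMPLE_NEIGH" | unknown_macs
# prints: 192.168.1.99 de:ad:be:ef:00:99
```

The script has to run on the firewall interface that shares layer 2 with the protected segment, as Paul notes. It carries his caveat too: a host that copies a whitelisted MAC (and the matching IP) passes both the static mapping and the `unknown_macs` check, so this raises the bar for accidental or casual additions to the segment, not for a deliberate spoofer.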

