Re: [fw-wiz] MAC blocking

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/28/05

    To: Eric Appelboom <eric@mweb.com>
    Date: Mon, 28 Nov 2005 16:27:49 -0500 (EST)
    
    

    On Fri, 25 Nov 2005, Eric Appelboom wrote:

    > Hi
    >
    > I would like to white list known MAC address on a subnet and block\deny
    > any new MACs.
    > If a new MAC is seen by the firewall it should not allow that MAC to pass
    > traffic out that segment\vlan.
    > A similar concept to MAC address locking on Wifi AP's
    >
    > It would be great to have this as a feature on a protected segment of a
    > firewall.
    >
    > One could script a diff on files containing arp entries and then arp
    > poison the IP associated
    > to the new MAC (not the correct way) or spoof or bind the offending MAC
    > with ifconfig\macmakeup\SMAC and bind to secondary interface.
    >
    > Any better ideas? (no 802.1x NAC\NAP please)

    Turn off dynamic ARP and use static ARP mappings. It doesn't stop someone
    from MAC spoofing, but it's workable if your switches don't support MAC
    locking at the port level. Obviously you have to share layer 2 for it to
    work...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    http://fora.compuwar.net Infosec discussion boards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
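As an added illustration of the static-ARP approach in Paul's reply (this is not code from the thread or from either poster): the script below parses Linux `arp -an` output, reports any neighbour whose MAC is not in a per-segment allowlist or whose IP shows up with an unexpected MAC, and renders the `arp -s` commands that would pin the allowed pairs as static entries. The allowlist, the interface name `eth1` and the ARP table are constructed sample data.

```python
"""Check a host's ARP table against an allowlist of known MAC addresses.

Added example (not from the firewall-wizards thread): parses `arp -an`
output as printed on Linux, flags entries that do not match the allowlist,
and emits the `arp -s` commands that pin the allowed IP/MAC pairs.
"""
import re

# Constructed allowlist: IP -> MAC of the hosts expected on the segment.
KNOWN_HOSTS = {
    "192.0.2.1": "00:11:22:33:44:01",
    "192.0.2.10": "00:11:22:33:44:0a",
    "192.0.2.11": "00:11:22:33:44:0b",
}

# Constructed `arp -an` output: 192.0.2.77 is a MAC not in the allowlist,
# and 192.0.2.10 answers from a MAC other than the one expected for it.
SAMPLE_ARP_OUTPUT = """\
? (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth1
? (192.0.2.10) at de:ad:be:ef:00:10 [ether] on eth1
? (192.0.2.11) at 00:11:22:33:44:0b [ether] PERM on eth1
? (192.0.2.77) at 00:11:22:33:44:77 [ether] on eth1
? (192.0.2.200) at <incomplete> on eth1
"""

# One neighbour per line: "? (ip) at mac [ether] ... on iface".
# Incomplete entries carry no MAC and are skipped by the regex.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lower-case the MAC and zero-pad each octet so comparisons are exact."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp_table(text):
    """Return {ip: mac} for every complete entry in `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def find_violations(table, known):
    """Return (ip, mac, reason) for entries that do not match the allowlist.

    reason is 'ip-mac-mismatch' when a known IP appears with a different MAC
    than expected, or 'unknown-mac' when the MAC is not in the allowlist at all.
    """
    known_macs = {normalize_mac(m) for m in known.values()}
    violations = []
    for ip, mac in sorted(table.items()):
        expected = known.get(ip)
        if expected is not None and normalize_mac(expected) != mac:
            violations.append((ip, mac, "ip-mac-mismatch"))
        elif mac not in known_macs:
            violations.append((ip, mac, "unknown-mac"))
    return violations


def static_arp_commands(known, iface="eth1"):
    """Render the `arp -s` commands that pin the allowlist as static entries."""
    return [f"arp -i {iface} -s {ip} {normalize_mac(mac)}"
            for ip, mac in sorted(known.items())]


if __name__ == "__main__":
    live = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for ip, mac, reason in find_violations(live, KNOWN_HOSTS):
        print(f"ALERT {reason}: {ip} is at {mac}")
    print("# static entries that pin the allowlist:")
    for cmd in static_arp_commands(KNOWN_HOSTS):
        print(cmd)
```

To run it against a real table, feed the output of `arp -an` into `parse_arp_table` instead of the constructed sample. As Paul notes, static mappings only keep the firewall from learning a new IP/MAC pair dynamically; a host that clones an allowed MAC will still match the allowlist, so the mismatch check above is a detection aid, not a substitute for port-level MAC locking on the switch.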

