Re: [fw-wiz] MAC blocking
From: Chris Byrd (cbyrd01_at_gmail.com)
To: Eric Appelboom <firstname.lastname@example.org>
Date: Mon, 28 Nov 2005 17:00:30 -0600
If you are avoiding 802.1x and NAC/NAP due to cost of replacing
existing switches, you might consider (assuming a largely Microsoft
environment) what Microsoft calls "Domain Isolation" using IPsec:
I'd stay away from any MAC based solution, as spoofing a MAC address is trivial.
--
www.riosec.com

On 11/25/05, Eric Appelboom <email@example.com> wrote:
> Hi
>
> I would like to white list known MAC addresses on a subnet and block\deny
> any new MACs.
> If a new MAC is seen by the firewall, it should not allow that MAC to pass
> traffic out that segment\vlan.
> A similar concept to MAC address locking on Wifi APs.
>
> It would be great to have this as a feature on a protected segment of a
> firewall.
>
> One could script a diff on files containing arp entries and then arp
> poison the IP associated to the new MAC (not the correct way), or spoof
> or bind the offending MAC with ifconfig\macmakeup\SMAC and bind to a
> secondary interface.
>
> Any better ideas? (no 802.1x NAC\NAP please)
>
> Regards
> Eric
> _______________________________________________
> firewall-wizards mailing list
> firstname.lastname@example.org
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
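As an added illustration of the detection half of the "diff the arp entries" idea from the quoted message (this is example code, not from either poster), the script below snapshots an ARP table in Linux `arp -an` format, normalises the MAC addresses, and reports any entry whose MAC is not on a known-good whitelist. It only alerts; it does not poison or bind anything. The ARP snapshot and the whitelist are constructed sample data embedded inline, and the `extract_arp_pairs`, `is_whitelisted`, `unknown_macs` and `unknown_count` function names are my own. As the reply above says, this kind of check is defeated by simply spoofing a whitelisted MAC, so it is a monitoring aid rather than an access control.

```shell
#!/bin/sh
# Added example: report MAC addresses seen in an ARP table that are not on a
# known-good whitelist. Sample data below is constructed; on a real host you
# would pipe the output of `arp -an` into extract_arp_pairs instead.

# Constructed ARP table snapshot, Linux `arp -an` format (assumed).
ARP_SNAPSHOT='? (192.168.10.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.10.20) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.10.31) at 00:11:22:33:44:77 [ether] on eth0
? (192.168.10.99) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.10.50) at <incomplete> on eth0'

# Constructed whitelist of known MACs, one per line (any letter case).
WHITELIST='00:11:22:33:44:55
00:11:22:33:44:66
00:11:22:33:44:77'

# Print "ip mac" for each resolved ARP entry, MAC lowercased so that
# comparisons are exact. Incomplete entries (no MAC) are skipped.
extract_arp_pairs() {
    printf '%s\n' "$1" | awk '
        $4 ~ /^[0-9a-fA-F:]+$/ && length($4) == 17 {
            ip = $2
            gsub(/[()]/, "", ip)
            print ip, tolower($4)
        }'
}

# Succeed if $1 (lowercase MAC) appears as a whole line in whitelist $2.
is_whitelisted() {
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -Fxq "$1"
}

# Print "ip mac" for every ARP entry whose MAC is not whitelisted.
# $1 = arp -an output, $2 = whitelist text (one MAC per line).
unknown_macs() {
    extract_arp_pairs "$1" | while read -r ip mac; do
        is_whitelisted "$mac" "$2" || printf '%s %s\n' "$ip" "$mac"
    done
}

# Number of unknown MACs; handy as a cron/alert threshold.
unknown_count() {
    unknown_macs "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed snapshot.
unknown_macs "$ARP_SNAPSHOT" "$WHITELIST"
```

Run it periodically (cron, or from a firewall's housekeeping job) and diff successive reports; a new line means a MAC appeared on the segment that is not in the whitelist. Because the whitelist is keyed only on the MAC, a host that clones a whitelisted address will never show up here, which is exactly the limitation the reply above points out.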