Re: Controlling access at the Ethernet level

From: Hernan Nuñez (hnunez_at_vianetworks.com.ar)
Date: 04/06/04

    To: <freebsd-security@freebsd.org>
    Date: Tue, 6 Apr 2004 10:09:44 -0300
    
    
    

    Adrian,

        ipfw2 enables you to control access from ether_demux() and ether_output_frame() [ipfw(8)]. Some ipfw2 options are dst-mac, src-mac, mac-type.

    Regards,
    Hernan

    ----- Original Message -----
    From: "Adrian Penisoara" <ady@freebsd.ady.ro>
    To: <freebsd-security@freebsd.org>
    Cc: <freebsd-isp@freebsd.org>
    Sent: Sunday, April 04, 2004 3:22 PM
    Subject: Q: Controlling access at the Ethernet level


    > Hi,
    >
    > I am searching for a solution that will enable me to control the
    > access of clients to an Ethernet network that spans over about an entire
    > quarter; most of the connected stations are running MS Windows.
    >
    > We are facing service theft through impersonation, either solely IP
    > or both IP and Ethernet MAC address. Securing IP access was solved
    > using a static ARP scheme (we used "staticarp" for the internal gateway
    > interface and tied to it a fixed list of IP/MAC tuples), but some of
    > the clients learnt how to change both the IP and the MAC.
    >
    > We have thought about using static MAC entries per port on managed
    > switches installed at the client endpoints, but that would require an
    > overwhelming budget. We are also thinking about L2TP and PPPoE, but I
    > am uncertain about compatibility.
    >
    > What would you recommend? Are there any other elegant solutions?
    >
    > I also heard about 802.1x technology and it seems to be an interesting
    > and professional alternative; I just don't know how well supported it is
    > on the server side, namely FreeBSD.
    >
    > Thank you.
    >
    > --
    > Ady (@freebsd.ady.ro)
    >
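
An added example, not part of Hernan's message or of FreeBSD's own code: a shell function that turns a fixed list of IP/MAC tuples, like the one Adrian describes, into ipfw2 layer-2 rules using the MAC, mac-type and layer2 options from ipfw(8). The interface name fxp0, the rule numbers and the sample tuples are constructed assumptions, and the script only prints the rules.

```shell
#!/bin/sh
# Added example: print ipfw2 layer-2 rules for a fixed IP/MAC list.
# Nothing is loaded; review the output before feeding it to ipfw.
# Assumptions: interface fxp0 and rule numbers from 1000 are constructed;
# Ethernet frames reach ipfw only when sysctl net.link.ether.ipfw=1.
IFACE="${IFACE:-fxp0}"

# Constructed sample tuples (documentation IPs, made-up MACs).
SAMPLE_TUPLES='# ip        mac
192.0.2.10  00:11:22:33:44:55
192.0.2.11  00:11:22:33:44:66'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Reads "ip mac" lines on stdin and prints ipfw commands on stdout.
# Fails (status 1, no rules printed) if any entry is malformed.
gen_l2_rules() {
    n=1000; out=""
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if [ -n "$rest" ] || ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "bad entry: $ip $mac $rest" >&2
            return 1
        fi
        # MAC takes dst-mac then src-mac: any destination, listed source.
        out="${out}ipfw add $n allow ip from $ip to any MAC any $mac layer2 in via $IFACE
"
        n=$((n + 10))
    done
    printf '%s' "$out"
    # ARP (ethertype 0x0806) must still pass so stations can resolve the gateway.
    echo "ipfw add $n allow ip from any to any mac-type 0x0806 layer2 in via $IFACE"
    # Every other inbound frame on this interface is dropped at layer 2.
    echo "ipfw add $((n + 10)) deny ip from any to any layer2 in via $IFACE"
}

printf '%s\n' "$SAMPLE_TUPLES" | gen_l2_rules
```

These rules enforce the listed IP/MAC pairing at the Ethernet layer only; a station that presents both values of a listed pair, the case Adrian describes, still matches its allow rule.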

    
    


