Re: Locking down a network connection to a single machine.

From: Matt Collins (matt@clues.com)
Date: 05/08/02


Date: Wed, 8 May 2002 12:08:33 +0100
From: Matt Collins <matt@clues.com>
To: "Ogle Ron (Rennes)" <OgleR@thmulti.com>

On Thu, May 02, 2002 at 09:20:22PM +0200, Ogle Ron (Rennes) wrote:
> I need to connect two machines via an Ethernet connection, but only want
> these two machines to talk to each other. I'm going to use a cross-over
> cable to do the physical connection. The other machine is not a standard
> computer but an embedded system.
>
> I would like to have my Sun box only talk to this one specific system even
> if someone connected a hub between the two boxes. I would normally use
> IPsec to validate the IP headers, but the other machine doesn't do IPsec.
>
> Right now I'm looking at either trying to use some kind of firewall to limit
> access to the specific MAC address or loading a static ARP table at login
> and then disabling the ARP and RARP services.
>
> Does anyone know of a firewall that will work at the MAC layer and run on
> Solaris 8?
>
> Does anyone know how to disable the ARP and RARP services without causing
> any problems with the IP communications between these two boxes?
>
> Or does anyone have any other suggestions?
>

Hi Ron,

Just a brief note; you haven't said what you're trying to achieve
here, beyond "to ensure your Sun only talks to the embedded device".

If that's an accurate summary of your requirement then even hard
coding MAC addresses isn't going to help if someone has access
to the cable such that they could, for example, insert a hub (the
risk model you describe).

It is easy enough to provide a MAC address of your choosing; a
hypothetical attack to make your Sun talk to another malicious
device would be:

Insert hub
Snoop traffic
Identify Sun MAC
Identify Embedded MAC
Configure malicious device to use snooped MAC
Disconnect Embedded device
Attach malicious device

Obviously this can be extended for man-in-the-middle attacks,
data stream injection, etc., etc.

Can you clarify what you're worried about a little?

Matt
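
An added example, not part of Matt's message or anything else in this thread,
to make the point concrete: the source MAC is just six unauthenticated bytes at
the front of every Ethernet II frame. The script below parses a few constructed
frames (standing in for what snoop would show on an inserted hub), picks out the
two MACs that are talking, then builds a frame carrying the embedded device's
MAC as its source and feeds it to a filter of the "only accept this MAC" kind
Ron is considering. The MAC addresses, payloads and function names are all
made up for the example.

```python
"""
Added example (not from the original thread): why a filter keyed only on
source MAC does not protect the Sun against the attack Matt sketches.
Every MAC, payload and name here is constructed for illustration.
"""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")   # Ethernet II: dst MAC, src MAC, ethertype
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))


def parse_frame(frame):
    """Return (dst, src, ethertype, payload) from a raw Ethernet II frame."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return mac_to_str(dst), mac_to_str(src), etype, frame[ETH_HDR.size:]


def build_frame(dst, src, etype, payload):
    """Build an Ethernet II frame with whatever source MAC we choose.
    Nothing in the header authenticates the source address field."""
    return ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), etype) + payload


def identify_peers(frames):
    """Matt's 'Snoop traffic / Identify Sun MAC / Identify Embedded MAC':
    the two unicast MACs that appear most often in the capture."""
    counts = Counter()
    for f in frames:
        dst, src, _, _ = parse_frame(f)
        counts[src] += 1
        if dst != BROADCAST:
            counts[dst] += 1
    return [mac for mac, _ in counts.most_common(2)]


def make_mac_filter(allowed_src):
    """A 'firewall at the MAC layer' rule: accept frames only from one MAC.
    It can only inspect the header field the attacker fully controls."""
    def accept(frame):
        _, src, _, _ = parse_frame(frame)
        return src == allowed_src
    return accept


# Constructed capture. Hypothetical MACs: a Sun OUI (08:00:20) with a
# made-up tail, a made-up embedded device, and a made-up attacker.
SUN_MAC = "08:00:20:aa:bb:cc"
EMBEDDED_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SNOOPED = [
    build_frame(EMBEDDED_MAC, SUN_MAC, ETHERTYPE_IPV4, b"sun->embedded 1"),
    build_frame(SUN_MAC, EMBEDDED_MAC, ETHERTYPE_IPV4, b"embedded->sun 1"),
    build_frame(EMBEDDED_MAC, SUN_MAC, ETHERTYPE_IPV4, b"sun->embedded 2"),
    build_frame(BROADCAST, SUN_MAC, ETHERTYPE_ARP, b"who-has ..."),
]


def demo():
    """Run the attack steps against the MAC filter and report the outcome."""
    peers = identify_peers(SNOOPED)
    accept = make_mac_filter(EMBEDDED_MAC)   # the Sun trusts only the embedded MAC
    honest = build_frame(SUN_MAC, ATTACKER_MAC, ETHERTYPE_IPV4, b"hello")
    # 'Configure malicious device to use snooped MAC':
    forged = build_frame(SUN_MAC, EMBEDDED_MAC, ETHERTYPE_IPV4, b"hello")
    return {
        "peers": sorted(peers),
        "attacker_own_mac_accepted": accept(honest),
        "attacker_spoofed_mac_accepted": accept(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The filter rejects the attacker's own MAC and accepts the forged frame, which
is the whole of Matt's point: a static ARP entry or MAC-layer rule pins an
address, not an identity, so once the cable is shared it adds nothing against
a device that has snooped the address it should use.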


