RE: Locking down a network connection to a single machine.

From: Ogle Ron (Rennes) (OgleR@thmulti.com)
Date: 05/12/02


From: "Ogle Ron (Rennes)" <OgleR@thmulti.com>
To: "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Date: Sun, 12 May 2002 01:29:22 +0200

Yes, what you said is true, but if the embedded machine goes off-line then a
lot of people will know it.

My objective is really to try to make an Ethernet connection as secure as
possible without using encryption. So here's what the list came up with,
which is pretty good and seems reasonable without much cost:

1. Do the ARP adjustments with ifconfig on the Sun box to limit MAC
connections.
2. Use a /30 netmask to limit IP addresses.
3. Use coax or fiber for the physical connection.
4. Make the line highly visible from end to end to thwart physically
tapping the line.

Thanks for the help!
Ron Ogle
Rennes, France

> -----Original Message-----
> From: Matt Collins [mailto:matt@clues.com]
> Sent: Wednesday, May 08, 2002 13:09
> To: Ogle Ron (Rennes)
> Cc: 'focus-sun@securityfocus.com'
> Subject: Re: Locking down a network connection to a single machine.
>
>
> On Thu, May 02, 2002 at 09:20:22PM +0200, Ogle Ron (Rennes) wrote:
> > I need to connect two machines via an Ethernet connection, but only want
> > these two machines to talk to each other. I'm going to use a cross-over
> > cable to do the physical connection. The other machine is not a standard
> > computer but an embedded system.
...
>
> Hi Ron,
>
> Just a brief note; you haven't said what you're trying to achieve
> here, beyond "to ensure your Sun only talks to the embedded device".
>
> If that's an accurate summary of your requirement then even hard
> coding MAC addresses isn't going to help if someone has access
> to the cable such that they could, for example, insert a hub (the
> risk model you describe).
>
> It is easy enough to provide a MAC address of your choosing; a
> hypothetical attack to make your Sun talk to another malicious
> device would be:
>
> Insert hub
> Snoop traffic
> Identify Sun MAC
> Identify Embedded MAC
> Configure malicious device to use snooped MAC
> Disconnect Embedded device
> Attach malicious device
>
> Obviously this can be extended for man-in-the-middle attacks,
> data stream injection, etc., etc.
>
> Can you clarify what you're worried about a little?
>
> Matt
>
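The two host-side controls Ron settles on (a pinned ARP entry for the peer and a /30 netmask) can be audited from the Sun's own ARP cache. The following is an added example, not code from either poster: it verifies the /30 leaves room for exactly the two endpoints, that the peer's ARP entry is static and carries the pinned MAC, and flags any other neighbour appearing on the link device, which is what the hub-insertion scenario Matt describes would produce. Addresses, the MAC, the device name and the simplified `arp -a`-style row format are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholders for the point-to-point link; not values from the thread.
LINK_CIDR = "192.0.2.0/30"
LOCAL_IP = "192.0.2.1"
PEER_IP = "192.0.2.2"
PEER_MAC = "02:00:00:00:00:02"   # locally administered, obviously made up

# Simplified 'arp -a'-style row: device, IP, flags, MAC (constructed format;
# an 'S' flag marks a static entry, as in Solaris arp -a output).
ARP_ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-f:]{17})$", re.I)


def check_link_addressing(cidr=LINK_CIDR, local=LOCAL_IP, peer=PEER_IP):
    """A /30 has exactly two usable hosts; both must be our endpoints."""
    net = ipaddress.ip_network(cidr, strict=False)
    findings = []
    if net.prefixlen != 30:
        findings.append(f"netmask is /{net.prefixlen}, expected /30")
    hosts = set(net.hosts())
    if hosts != {ipaddress.ip_address(local), ipaddress.ip_address(peer)}:
        findings.append(f"usable hosts {sorted(map(str, hosts))} are not just the two endpoints")
    return findings


def audit_arp(arp_text, device="hme0", peer=PEER_IP, peer_mac=PEER_MAC):
    """Return findings that contradict a pinned, single-peer link."""
    findings, seen_peer = [], False
    for line in arp_text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m or m.group(1) != device:
            continue
        ip, flags, mac = m.group(2), m.group(3).upper(), m.group(4).lower()
        if ip == peer:
            seen_peer = True
            if mac != peer_mac.lower():
                findings.append(f"peer {ip} resolves to {mac}, pinned {peer_mac}")
            if "S" not in flags:
                findings.append(f"peer entry for {ip} is dynamic, not static")
        else:
            findings.append(f"unexpected neighbour {ip} ({mac}) on {device}")
    if not seen_peer:
        findings.append(f"no ARP entry for peer {peer}")
    return findings


if __name__ == "__main__":
    sample = "hme0 192.0.2.2 S 02:00:00:00:00:99\nhme0 192.0.2.3 U 02:00:00:00:00:03\n"
    for f in check_link_addressing() + audit_arp(sample):
        print("FINDING:", f)
```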


