Re: WatchGuard FireBox III?

From: Duane Arnold (notme_at_notme.com)
Date: 05/07/04


Date: Fri, 07 May 2004 19:08:57 GMT


"Mike" <nospam@notherematey.com> wrote in
news:c7ggcb$df7$1@thorium.cix.co.uk:

>
> "Duane Arnold" <notme@notme.com> wrote in message
> news:Xns94E23655B692notmenotmecoml@63.240.76.16...
>> I plan on getting one of them soon. However, it just dawned on me
>> about my ISP being able to detect more than one machine using the
>> account.
>>
>> The Linksys router has the MAC Cloning feature that allows me to
>> clone the original computer's NIC MAC that was provisioned with the
>> ISP into the router.
>>
>> That way, the ISP only sees that MAC and not the additional NIC MAC's
>> from other machines behind the router, which is $5.00 more a month
>> for each additional machine if detected.
>>
>> I kind of suspect that the FireBox III doesn't have a MAC Cloning
>> feature.
>>
>> Does the FireBox III have the MAC Cloning feature? What are my
>> options here as I would like to keep the money in my pocket?
>
> Maybe I'm being a bit thick as it is Friday afternoon, but what sort
> of firewall or router leaks your internal network card(s) MACs to the
> outside world??????
>
>
>

I just got off the phone with Insightbb. They told me that they are no
longer part of AT&T's network backbone, that they only detect the MAC of the
first device behind the modem, which must be provisioned, and that they don't
care what it is: NIC, router or FW appliance.

As they were part of the AT&T network backbone, AT&T detected any
additional MAC's behind the modem and wanted more cash for each one that
had to be provisioned with the account, which one could do via some pop-up
screens requesting information. A MAC was detected and an IP was issued for
each machine to access the network.

Of course, I came around that problem by cloning the NIC MAC of the machine
that was provisioned with them into the router; therefore allowing me to
use additional machines behind the router. If I didn't do that cloning
trick, then they knew.

The guy gave me the IP to use to do a MAC *replace/update* and provision it
once I get the WatchGuard.

They still don't allow a Web server on the network. (:

The snip is from the response I gave the OP on how to come around
the ISP detecting machines through a D-Link wireless router, which raised
my questions about the WatchGuard.

<snip>

The ISP is examining the MAC address of the port that is connected to the
cable modem. For your friend, that is his router's WAN port. A MAC
address is composed of two parts: an OUI (Organizationally Unique
Identifier) which indicates the manufacturer of the network adapter (port),
and a serial number.

The OUI is assigned by the IEEE, and you can look up OUIs on the
IEEE web-site. One manufacturer may have many OUIs, but one OUI is never
shared between manufacturers. Usually the OUI will reveal the manufacturer
of the router, but technically it's the manufacturer of the network adapter
within the router, so it might not be the same.

Duane's trick of cloning the MAC address of his computer makes it look like
the router's WAN port was manufactured by Dell, Intel, 3Com, or some other
computer or Network Interface Card manufacturer. If the MAC's OUI reveals
Linksys, D-Link, Netgear, etc. then they suspect that you're using a
router. Since most router manufacturers also manufacture NICs for
computers, you could probably convince them that you have no router, but I
like Duane's trick.

I don't believe that if you don't clone the MAC address that the ISP can
actually "detect" your additional computers. I think that they're just
inferring the existence of these computers by their assumption that certain
OUIs probably indicate routers.

Every MAC address in the world is supposed to be unique. This is done by
issuing unique OUIs to manufacturers and relying on the manufacturer to
issue unique serial numbers to every NIC. There are a large, but finite,
number of serial numbers for each OUI. For this reason many manufacturers
have multiple OUIs assigned. It's possible that a manufacturer might use
one OUI for their router production line and another OUI for their NIC
production line. There is no requirement to do so, but it would make
management of the serial numbers easier. If the ISP caught on to this
pattern, they would be able to tell not only the manufacturer of the port,
but also which product line it came from. Then they would know reliably if
you were using a router.

<snip>

Duane :)
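Added example, not part of the thread: a short Python script that splits a MAC into the OUI and vendor serial the way the snip describes, reads the locally-administered and group bits of the first octet, and reproduces the ISP's guess of "router vs. NIC" from the OUI. The OUI table is constructed with placeholder values (not real IEEE assignments); a real check would use the IEEE registry.

```python
import re

# Constructed OUI table for illustration only. The OUIs are placeholders,
# not real IEEE assignments; the IEEE registry is the authoritative source.
OUI_TABLE = {
    "00:00:01": ("ExampleNIC Corp", "nic"),
    "00:00:02": ("ExampleRouter Inc", "router"),
    "00:00:03": ("ExampleBoth Ltd", "nic_or_router"),
}


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 bytes."""
    cleaned = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(cleaned)


def split_mac(mac):
    """Split a MAC into the IEEE-assigned OUI (first 3 octets) and the
    manufacturer-assigned serial (last 3 octets), plus the two flag bits."""
    octets = parse_mac(mac)
    return {
        "oui": ":".join(f"{b:02X}" for b in octets[:3]),
        "serial": ":".join(f"{b:02X}" for b in octets[3:]),
        # Bit 1 of the first octet: locally administered (no vendor OUI meaning).
        "locally_administered": bool(octets[0] & 0x02),
        # Bit 0 of the first octet: group (multicast) rather than individual.
        "multicast": bool(octets[0] & 0x01),
    }


def classify(mac, table=OUI_TABLE):
    """Mimic the ISP's inference: map the OUI to a vendor and a product guess.
    Note it is only an inference from the OUI; nothing behind the port is seen."""
    info = split_mac(mac)
    if info["locally_administered"]:
        return "locally administered (OUI carries no vendor meaning)"
    vendor, kind = table.get(info["oui"], ("unknown", "unknown"))
    return f"{vendor}: {kind}"


if __name__ == "__main__":
    for sample in ("00:00:02:AB:CD:EF", "00-00-01-12-34-56", "02:00:00:00:00:01"):
        print(sample, "->", split_mac(sample)["oui"], "|", classify(sample))
```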
