Security Basics mailing list archives

RE: MAC Authentication device
From: "Mike" <mike () superiorholidayadventures ca>
Date: Thu, 20 Nov 2003 08:22:15 -0500

Yes, of course Joann, you're right about that.. I can't believe I didn't
catch that!

I don't know if you can outright do this with any one device.  You
could, however, put a few simple ideas together that would make it very
hard (read, not worthwhile but still slightly possible) to circumvent:

1.  You could, again, lock down your DHCP server to only give out IP
addresses to MACs that you specify.  As well, give them a "static" or
fixed IP bound to that MAC.

2.  If you have a switch that is managed you could bind the known MAC of
the client to the port that they're wired to.  You may also be able to
configure the switch to ignore any MACs that aren't in your access
list.  That would depend on your switch.

3.  Lastly, if you have a Linux (2.4 IPTables based) firewall you can
create an access list that only allows certain IP *and* MAC address
combinations access to the Internet.  You could also put this firewall
in front of your network and it would have the same effect.  Other
firewalls may allow you to do this, but I'm not familiar with them.

In and of themselves, these techniques may not do what you want, but
combined together I think it could achieve your goals.  They're all
relatively inexpensive as well.

Mike Fetherston

-----Original Message-----
From: Joann Jane [mailto:aladin168 () hotmail com]
Sent: Wednesday, November 19, 2003 8:26 PM
To: Mike
Subject: RE: MAC Authentication device

The consultants will be on-site, and my client wants to be able to
them by giving them a PCMCIA Network Card.

We don't even allow wireless cards, these will be wired network cards.

Any idea on how to ONLY allow authorized people to get on the network?
Problem is that we can't control who can get on because whoever plug
the jack can assign themselves an IP, which is mainly our concern.

Thanks so much.

MAC Spoofing, I know it can be done with SMAC,
http://www.klcconsulting.net/smac right?

From: "Mike" <mike () superiorholidayadventures ca>
To: "aladin168" <aladin168 () hotmail com>, <security-basics () securityfocus com>
Subject: RE: MAC Authentication device
Date: Wed, 19 Nov 2003 15:03:39 -0500

If you're trying to stop rogue devices from accessing your network
could configure your DHCP server to only hand out IP addresses to
that are in your access list.

What kind of DHCP server are you using?

Beware that MACs can be spoofed.

Mike Fetherston

-----Original Message-----
From: aladin168 [mailto:aladin168 () hotmail com]
Sent: Tuesday, November 18, 2003 4:54 PM
To: security-basics () securityfocus com
Subject: MAC Authentication device


Can anyone recommend a device that will do MAC Address
before allowing a user/computer to connect to the network.  This
different than MAC Address filtering, which allow or disallow
the Internet for the systems that are already on the network.

I am trying to find a cheap device that will help me control
accessing our trusted network.
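
The IP *and* MAC access list from point 3 of the reply above, as an added example that is not part of the original thread. The interface name eth1, the chain name LAN_ALLOWED and the sample addresses are assumptions constructed for illustration; the script only prints the iptables commands, it does not apply them.

```shell
#!/bin/sh
# Added example: print iptables commands that forward LAN traffic only for
# listed IP+MAC pairs. Malformed entries abort generation (fail closed).

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the dotted quad into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {                 # $1 = LAN-facing interface; allow-list on stdin
    lan_if=$1 rules="" bad=0
    while read -r ip mac rest; do
        case $ip in ''|'#'*) continue ;; esac      # skip blanks and comments
        if valid_ip "$ip" && valid_mac "$mac"; then
            rules="$rules
iptables -A LAN_ALLOWED -s $ip -m mac --mac-source $mac -j ACCEPT"
        else
            echo "rejecting malformed entry: $ip $mac" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1                   # emit nothing on bad input
    echo "iptables -N LAN_ALLOWED$rules"
    echo "iptables -A LAN_ALLOWED -j DROP"         # unknown IP/MAC pairs dropped
    echo "iptables -A FORWARD -i $lan_if -j LAN_ALLOWED"
}

# Constructed sample allow-list (documentation addresses, made-up MACs).
gen_rules eth1 <<'EOF'
# consultant laptops
192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66
EOF
```

The `mac` match is only usable in chains that see the incoming Ethernet header (PREROUTING, INPUT, FORWARD), so the firewall has to sit on the same layer-2 segment as the clients it is checking.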




