Security Basics mailing list archives

Re: MAC Authentication device
From: Kevin Saenz <ksaenz () spinaweb com au>
Date: Fri, 21 Nov 2003 21:43:14 +1100

You can still use MAC filtering by having your "trusted network" on one side
of the firewall and everything else on the other.  Think of a
firewall/router as a device that connects two networks, not just a public
network (the internet) to a private network.  Most large scale private
networks use routers to break up broadcast domains.

Is this really advised when you can spoof MAC addresses?
If you have a client/user that is resourceful enough to elevate their
access by finding out your internet activity is based on MAC addresses,
what would be your course of action?
Policies that I enforce my clients to take (I'm not sure if it works in
other countries) are to advise their clients that internet activity will be
monitored and restricted. Usually users/clients fly right when they know
big brother is watching.

As far as an authentication device that only allows a network login based on
a list of allowable MAC addresses, I don't know of one.  But it is an
interesting idea.  In Linux terms, you could probably build a dedicated
authentication server that runs netfilter/iptables rules to kill packets
that aren't on the "approved" MAC list before they even get out of the
TCP/IP stack.  I'm not sure if you can do the same thing on a single Windows
box, but I'm sure you can do it by placing a filtering router between the
authentication server and the rest of the network as suggested above.

David Nichols

----- Original Message -----
From: "aladin168" <aladin168 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, November 18, 2003 4:54 PM
Subject: MAC Authentication device


Can anyone recommend a device that will do MAC Address Authentication
before allowing a user/computer to connect to the network.  This is
different than MAC Address filtering, which allows or disallows access to the
Internet for the systems that are already on the network.

I am trying to find a cheap device that will help me control non-employees
accessing our trusted network.




Kevin Saenz
I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
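
The netfilter/iptables approach suggested in the quoted message, sketched as an added example that is not part of the original thread: a script that turns an approved MAC list into iptables rules using the `mac` match and prints them rather than applying them. The interface name eth1, the chain name MAC_ALLOW and the sample addresses are assumptions made for illustration; as the reply notes, a source MAC can be spoofed, so rules like these filter traffic rather than authenticate a user.

```shell
#!/bin/sh
# Added example: print iptables rules built from a MAC allowlist (nothing is applied).
# Interface eth1, chain MAC_ALLOW and the sample addresses are constructed.

# Succeed only for an upper-case, colon-separated unicast MAC address.
valid_unicast_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    # An odd second hex digit means the group (multicast/broadcast) bit is set,
    # which is never legitimate as a source address.
    case $(printf '%s' "$1" | cut -c2) in
        1|3|5|7|9|B|D|F) return 1 ;;
    esac
}

# gen_mac_rules IFACE: allowlist on stdin (one MAC per line, "#" comments),
# iptables commands on stdout, rejected entries on stderr.
gen_mac_rules() {
    iface=$1
    echo "iptables -N MAC_ALLOW"
    # Strip comments and blanks, normalize case and separator, drop duplicates.
    sed 's/#.*//' | tr -d ' \t' | tr 'a-f-' 'A-F:' | sort -u |
    while read -r mac; do
        [ -n "$mac" ] || continue
        if valid_unicast_mac "$mac"; then
            echo "iptables -A MAC_ALLOW -m mac --mac-source $mac -j RETURN"
        else
            echo "skipped invalid entry: $mac" >&2
        fi
    done
    # Frames from any other source address are logged, then dropped.
    echo "iptables -A MAC_ALLOW -j LOG --log-prefix 'mac-deny: '"
    echo "iptables -A MAC_ALLOW -j DROP"
    # Apply the chain to traffic arriving on the filtered interface.
    echo "iptables -I FORWARD -i $iface -j MAC_ALLOW"
    echo "iptables -I INPUT -i $iface -j MAC_ALLOW"
}

# Constructed sample allowlist.
SAMPLE_ALLOWLIST='00:11:22:33:44:55   # front desk
00-1a-2b-3c-4d-5e   # hyphen form, lower case
ff:ff:ff:ff:ff:ff   # broadcast, rejected
00:11:22:33:44      # too short, rejected
00:11:22:33:44:55   # duplicate'

printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_mac_rules eth1
```

The LOG rule ahead of the DROP gives the monitoring side something to review: repeated denials from an unknown address, or an approved address showing up on an unexpected port, are the signals to look for.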

