Security Basics mailing list archives

Re: MAC Authentication device
From: "Joann Jane" <aladin168 () hotmail com>
Date: Fri, 21 Nov 2003 11:11:57 -0500

Thanks Kevin,

You are right that a MAC address can be spoofed very easily (http://www.klcconsulting.net/smac), and I have started looking into a couple of areas people suggested.

Can anyone give their opinion on the 2 types of products that might meet my needs?

1. Cisco Secure User Registration Tool (URT)
2. 802.1x  (for wired network, not for wireless)


From: Kevin Saenz <ksaenz () spinaweb com au>
To: David Nichols <dnichols () amci com>
CC: aladin168 <aladin168 () hotmail com>,security-basics () securityfocus com
Subject: Re: MAC Authentication device
Date: Fri, 21 Nov 2003 21:43:14 +1100

> You can still use MAC filtering by having your "trusted network" on one side
> of the firewall and everything else on the other.  Think of a
> firewall/router as a device that connects two networks, not just a public
> network (the internet) to a private network.  Most large scale private
> networks use routers to breakup broadcast domains.
Is this really advised when you can spoof MAC addresses?
If you have a client/user that is resourceful enough to elevate their
access by finding out your internet activity is based on MAC addresses,
what would be your course of action?
The policy that I have my clients adopt (I'm not sure if it works in
other countries) is to advise their clients that internet activity will be
monitored and restricted. Usually users/clients fly right when they know
big brother is watching.

> As far as an authentication device that only allows a network login based on
> a list of allowable MAC addresses, I don't know of one.  But it is an
> interesting idea.  In Linux terms, you could probably build a dedicated
> authentication server that runs netfilter/iptables rules to kill packets
> that aren't on the "approved" MAC list before they even get out of the
> TCP/IP stack. I'm not sure if you can do the same thing on a single Windows
> box, but I'm sure you can do it by placing a filtering router between the
> authentication server and the rest of the network as suggested above.
> David Nichols
> ----- Original Message -----
> From: "aladin168" <aladin168 () hotmail com>
> To: <security-basics () securityfocus com>
> Sent: Tuesday, November 18, 2003 4:54 PM
> Subject: MAC Authentication device
> >
> >
> > Hi,
> >
> > Can anyone recommend a device that will do MAC Address Authentication
> > before allowing a user/computer to connect to the network?  This is
> > different than MAC Address filtering, which allows or disallows access to the
> > Internet for the systems that are already on the network.
> >
> > I am trying to find a cheap device that will help me control non-employees
> > accessing our trusted network.
> >
> > Thanks,
> > /Kyle
> >

Kevin Saenz

I.T consultants

Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
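
The netfilter/iptables idea raised in the thread above, sketched as an added example (not code from any poster): a script that turns an approved-MAC list into an iptables-restore ruleset. The chain name MAC_ALLOW, the interface eth1 and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that forwards traffic from
# one interface only when the frame's source MAC is on an approved list.
# Interface name and addresses are constructed placeholders.
#
# Caveats: the mac match only sees the Ethernet source address of frames that
# arrive directly on this box's segment, and that address is set by the client,
# so this is a filter, not authentication.

# is_mac ADDR: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_rules IFACE: read one MAC per line on stdin ('#' comments allowed).
# Fails closed: one malformed entry aborts with no ruleset printed.
build_rules() {
    iface=$1
    rules=
    while IFS= read -r line; do
        mac=$(printf '%s\n' "$line" | sed 's/#.*//' | tr -d ' \t\r' | tr 'a-f' 'A-F')
        [ -z "$mac" ] && continue
        if ! is_mac "$mac"; then
            echo "allowlist rejected, bad entry: $line" >&2
            return 1
        fi
        rules="${rules}-A MAC_ALLOW -m mac --mac-source ${mac} -j ACCEPT
"
    done
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:MAC_ALLOW - [0:0]
-A FORWARD -i ${iface} -j MAC_ALLOW
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${rules}-A MAC_ALLOW -j LOG --log-prefix "mac-deny: "
-A MAC_ALLOW -j DROP
COMMIT
EOF
}

# Constructed sample allowlist.
SAMPLE_ALLOWLIST='00:11:22:33:44:55   # front desk PC
aa:bb:cc:dd:ee:ff
'
# Print the ruleset; check it with `iptables-restore --test` before loading.
printf '%s' "$SAMPLE_ALLOWLIST" | build_rules eth1
```

Every packet entering on the trusted interface goes through MAC_ALLOW, and anything that falls through is logged and dropped, so the log shows unapproved devices but not a device that has copied an approved address.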
