Re: MAC Authentication device

["Joann Jane" <aladin168 () hotmail com>]

Thanks Kevin,

You are right that MAC address can be spoofed very easity 
(http://www.klcconsulting.net/smac), and I have started looking into couple 
areas people suggested.

Can anyone give their oppinion on the 2 type of products that might meet I 
needs?

1. Cisco Secure User Registration Tool (URT)
2. 802.1x  (for wired network, not for wireless)

Thanks,
/


> From: Kevin Saenz <ksaenz () spinaweb com au>
> To: David Nichols <dnichols () amci com>
> CC: aladin168 <aladin168 () hotmail com>,security-basics () securityfocus com
> Subject: Re: MAC Authentication device
> Date: Fri, 21 Nov 2003 21:43:14 +1100
>
> > You can still use MAC filtering by having your "trusted network" on one 
> side
> > of the firewall and everything else on the other.  Think of a
> > firewall/router as a device that connects two networks, not just a 
> public
> > network (the internet) to a private network.  Most large scale private
> > networks use routers to breakup broadcast domains.
> >
> Is this really advised when you can spoof MAC addresses?
> if you have a client/user that is resourceful enough to elevate their
> access by finding out your internet activity is based on MAC addresses
> what would be your course of action?
> Policies that I enforce my clients to take (I'm not sure if it works in
> other countries) to advise their clients that internet activity will be
> monitored and restricted. Usually users/clients fly right when they know
> big brother is watching.
>
> > As far as an authentication device that only allows a network login 
> based on
> > a list of allowable MAC addresses, I don't know of one.  But it is an
> > interesting idea.  In Linux terms, you could probably build a dedicated
> > authentication server that runs netfilter/iptables rules to kill packets
> > that aren't on the "approved" MAC list before they even get out of the
> > TCP/IP stack.  I'm not sure if you can do the same thing on a single 
> Windows
> > box, but I'm sure you can do it by placing a filtering router between 
> the
> > authentication server and the rest of the network as suggested above.
> >
> > David Nichols
> >
> > ----- Original Message -----
> > From: "aladin168" <aladin168 () hotmail com>
> > To: <security-basics () securityfocus com>
> > Sent: Tuesday, November 18, 2003 4:54 PM
> > Subject: MAC Authentication device
> >
> >
> > >
> > >
> > > Hi,
> > >
> > > Can anyone recommend a device that will do MAC Address Authentication
> > before allowing a user/computer to connect to the network.  This is
> > different then MAC Address filtering, which allow or disallow access to 
> the
> > Internet for the the systems that are already on the network.
> > >
> > > I am trying to find a cheap device that will help me control 
> non-employees
> > accessing our trusted network.
> > >
> > > Thanks,
> > > /Kyle
> > >
> > > 
> --------------------------------------------------------------------------
> > -
> > > 
> --------------------------------------------------------------------------
> > --
> > >
> > >
> >
> >
> > 
> ---------------------------------------------------------------------------
> > 
> ----------------------------------------------------------------------------
> --
> Regards,
>
> Kevin Saenz
>
> Spinaweb
> I.T consultants
>
> Ph: 02 4620 5130
> Fax: 02 4625 9243
> Mobile: 0418455661
> Web: http://www.spinaweb.com.au

_________________________________________________________________
> From the hottest toys to tips on keeping fit this winter, you’ll find a 
range of helpful holiday info here.  
http://special.msn.com/network/happyholidays.armx


---------------------------------------------------------------------------
----------------------------------------------------------------------------