I freely admit I'm not a Windows networking person. But it's not 
clear to me what the threat is that is being protected against.

>True, but even if you sat down at a PC and got its MAC address (or just used
>that same PC), you'd still have to have the username/password for any real
>access, as even their Bordermanager proxy is based on being authenticated to
>NDS.  But good point if that's all a person was using to verify a valid
>connection to a network.
>
>But without locking it down to a MAC address, what would stop a
>broadcast storm at the local switch?

Is the MAC address relevant if you simply rate-limit broadcasts at 
the port?  Block the port if it senses > 500 broadcasts per second 
over more than 1 second?

> What other authentication methods are
>there at layer 2?

But why should the authentication be done at layer 2?  Are you 
protecting against a rogue host doing a denial of service on the LAN? 
Or are you protecting servers?

I can understand rate limiting ports. I just am not sure why you 
would do it on a MAC address basis.

>I mean, I guess you could have some sort of script that
>would disable the port if the user failed to authenticate with your servers
>within a given amount of time... but in that time a WinXP PC would have
>melted a Cat5k (or worse: a program that simulates the same problem that can
>be run on an OS).
>
>--
>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>List email: [EMAIL PROTECTED]
>Homepage: http://jason.artoo.net/

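The port-level rate limit suggested in this reply, as an added example that is not part of the thread: a per-port monitor that blocks once broadcasts exceed 500 pps for more than one second, and ignores a shorter spike. Frame timestamps and MAC addresses are constructed sample data; a real switch does this in hardware (storm control), so this only shows the decision logic.

```python
from collections import deque

BCAST = "ff:ff:ff:ff:ff:ff"
THRESHOLD_PPS = 500   # broadcasts per second, as proposed in the reply
SUSTAIN_S = 1.0       # the rate must stay above the threshold for longer than this

class BroadcastStormMonitor:
    """Per-port storm check: sliding 1 s window of broadcast frame timestamps."""

    def __init__(self, threshold_pps=THRESHOLD_PPS, sustain_s=SUSTAIN_S):
        self.threshold_pps = threshold_pps
        self.sustain_s = sustain_s
        self.window = deque()      # broadcast timestamps within the last second
        self.over_since = None     # when the rate first went above the threshold
        self.blocked_at = None     # timestamp at which the port was shut

    def observe(self, ts, dst_mac):
        """Feed one frame (timestamp in seconds, destination MAC); True if blocked."""
        if self.blocked_at is not None:
            return True                       # stays down until an operator clears it
        # Any frame advances the clock, so the window is trimmed even on unicast.
        while self.window and self.window[0] <= ts - 1.0:
            self.window.popleft()
        if dst_mac.lower() == BCAST:
            self.window.append(ts)
        rate = len(self.window)               # broadcasts seen in the last second
        if rate > self.threshold_pps:
            if self.over_since is None:
                self.over_since = ts
            elif ts - self.over_since > self.sustain_s:
                self.blocked_at = ts          # storm sustained: block the port
                return True
        else:
            self.over_since = None            # a brief spike does not count
        return False

def steady(pps, seconds, start=0.0, dst=BCAST):
    """Constructed traffic: `pps` evenly spaced frames per second for `seconds`."""
    return [(start + i / pps, dst) for i in range(int(pps * seconds))]

def run(frames):
    """Replay a constructed frame list through one monitor; return blocked_at or None."""
    mon = BroadcastStormMonitor()
    for ts, dst in sorted(frames):
        mon.observe(ts, dst)
    return mon.blocked_at
```

`run(steady(1000, 3.0))` blocks the port just after t = 1.5 s, while a host sending 100 broadcasts per second, or a 0.8 s burst followed by ordinary unicast, never trips it. The check only runs when a frame arrives, so a port that goes silent after a burst is not re-evaluated until the next frame.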



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1031&t=911