What I've done in the past, which hasn't been mentioned yet, is to hardwire
the ARP cache in a router to make sure allowed IP addresses can't be used by
incorrect MAC addresses.
Um, in more detail. You get the set of allowed IP addresses and (this is the
disgusting part) make entries in your router like (Cisco example)
Arp 192.168.1.1 0090.2712.fbc9 ARPA
Which tells the router that "no matter what else you hear, send packets for
this IP address to this MAC address". This means that someone can change
their IP to spoof an allowed IP address and get packets out past the packet
filter, but they never get the replies. This is not recommended for so so SO
many reasons, but it does work okay.
The limitation is that it is possible to change your MAC address. Duplicate
MAC addresses will cause all sorts of weird problems on your network, so
you'll probably notice pretty quickly, and it's a fairly major hack for
someone to pull off (usually an order of magnitude harder than changing your
IP address) - you'd have no trouble showing they were very deliberately
trying to circumvent policy.
A better solution is to get a smart switch and put the restricted users in a
by port or by port-and-MAC VLAN. If that's STILL not enough I'd sack 'em.
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
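As an added illustration of the approach Ben describes (this is example code, not from his post or the list): a small script that generates the static Cisco `arp` entries from an allowed IP-to-MAC table and then audits observed ARP replies against that table, flagging the two things he says you would notice, a pinned IP answered by the wrong MAC and one MAC claiming more than one IP. The table entries and the tcpdump-style sample lines are constructed; only 192.168.1.1 / 0090.2712.fbc9 come from the post.

```python
import re
from collections import defaultdict

# Allowed IP -> MAC bindings in Cisco dotted form (constructed sample table;
# only the first entry comes from the original post).
PINNED = {
    "192.168.1.1": "0090.2712.fbc9",
    "192.168.1.2": "0090.2712.0a1b",
}

# Matches tcpdump-style ARP reply lines: "ARP, Reply <ip> is-at <mac>, ..."
ARP_REPLY = re.compile(r"Reply (?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>[0-9a-f:]+)", re.I)

def to_cisco(mac):
    """Normalize aa:bb:cc:dd:ee:ff (octets may be unpadded) to aabb.ccdd.eeff."""
    if ":" in mac:
        hexstr = "".join(o.zfill(2) for o in mac.split(":"))
    else:
        hexstr = mac.replace(".", "").replace("-", "")
    hexstr = hexstr.lower()
    if len(hexstr) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return "%s.%s.%s" % (hexstr[0:4], hexstr[4:8], hexstr[8:12])

def static_arp_config(pinned):
    """Emit one IOS 'arp <ip> <mac> arpa' line per pinned binding."""
    return ["arp %s %s arpa" % (ip, to_cisco(mac)) for ip, mac in sorted(pinned.items())]

def audit_arp_replies(lines, pinned):
    """Return (mismatches, duplicates).
    mismatches: (ip, mac) replies where a pinned IP was answered by another MAC.
    duplicates: MACs that answered for more than one IP (the 'weird problems' case)."""
    mismatches, seen = [], defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        ip, mac = m.group("ip"), to_cisco(m.group("mac"))
        seen[mac].add(ip)
        if ip in pinned and pinned[ip] != mac:
            mismatches.append((ip, mac))
    duplicates = {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}
    return mismatches, duplicates

# Constructed capture lines (not a real trace): .2 is being answered by .1's MAC.
SAMPLE = [
    "ARP, Request who-has 192.168.1.1 tell 192.168.1.7, length 28",
    "ARP, Reply 192.168.1.1 is-at 00:90:27:12:fb:c9, length 28",
    "ARP, Reply 192.168.1.2 is-at 00:90:27:12:fb:c9, length 28",
    "ARP, Reply 192.168.1.7 is-at 00:0c:29:aa:bb:cc, length 28",
]
```

Run `audit_arp_replies(SAMPLE, PINNED)` to see the spoofed binding and the duplicated MAC; `static_arp_config(PINNED)` prints the lines you would paste into the router.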
-----Original Message-----
From: Enrique Fernández [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, April 22, 1999 12:02 AM
To: [EMAIL PROTECTED]
Subject: MAC Base filtering
Hi, does anybody know how to filter packets based on the machine MAC
address?
Here is the situation:
In one middle-size LAN, there are some workstations that should be able to
contact others from outside this LAN, but there is also one group of machines
that should not be able to see any other machine outside this LAN.
There is no control on the configuration this restricted machine can have;
users may be able to change it.
Any help will be greatly appreciated.
Enrique Fernandez
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]