Filtering by MAC gives you no additional security whatsoever, period. MAC addresses can be easily spoofed, and although your solution may assist in spotting misconfigurations, a determined intruder will get straight through....
Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Adam Graham" <[EMAIL PROTECTED]>
Date: Mon, 26 Mar 2007 15:52:21
To: <[email protected]>
Subject: RE: Wired detection of rogue access points

First off, is it even possible to buy a laptop that does not have wifi built in?

I have set up an automated scan looking for MACs. If the MAC does not appear on my list I drop its packets in the IPTables FW. It's rather simple to do. The main thing I do that seems to work the best is the APs are un-trusted and therefore stuck out in the DMZ. Before one can get to network resources they need to open the VPN client after connecting to the AP.

A simple way to handle MACs with IPTables (NOTE: simple rule; if you need more instruction I can send it to you, or just the complete iptable script):

Let's create 2 text files:

    /tmp/whitelist
    /tmp/blacklist

Insert into whitelist:

    00:06:25:2E:56:A0

Insert into blacklist:

    00:06:25:2E:56:E1

Add the following to your IPTables script:

    TABLES="filter nat mangle"
    iptables=/sbin/iptables

    touch /tmp/whitelist
    touch /tmp/blacklist

    # Read the first column (the MAC address) of each list
    WHITELIST=`cat /tmp/whitelist | awk '{print $1}'`
    BLACKLIST=`cat /tmp/blacklist | awk '{print $1}'`

    # Forward good MACs
    $iptables -t filter -I FORWARD 1 -m mark --mark 0x42 -j ACCEPT

    # mark all packets from the good MACs
    for MAC in $WHITELIST ; do
        $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j MARK --set-mark 0x42
    done

    # drop all packets from the blacklisted MACs
    for MAC in $BLACKLIST ; do
        $iptables -t mangle -I PREROUTING -m mac --mac-source $MAC -j DROP
    done
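The list handling in the quoted script, as an added example that is not part of either message: a dry-run generator that validates each entry, drops duplicates, and refuses to emit rules when a MAC is in both lists, which is the kind of misconfiguration the reply says this scheme can help spot. The function names (valid_mac, clean_list, conflicts, emit_rules) and the refuse-on-conflict policy are assumptions of this example; the iptables arguments and the 0x42 mark are the ones from the quoted script, and the commands are only printed, never run.

```shell
#!/bin/sh
# Added example (not from the original post): prints the iptables commands
# for the whitelist/blacklist scheme instead of executing them.

IPTABLES=/sbin/iptables   # path used in the quoted script
MARK=0x42                 # mark value used in the quoted script

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the unique, valid, upper-cased MACs from the first column of a file.
# Blank lines and '#' comments are ignored; malformed entries go to stderr.
clean_list() {
    awk 'NF && $1 !~ /^#/ {print toupper($1)}' "$1" | sort -u |
    while read -r mac; do
        if valid_mac "$mac"; then
            echo "$mac"
        else
            echo "skipping malformed entry: $mac" >&2
        fi
    done
}

# Print every MAC that appears in both list files.
conflicts() {
    allowed=$(clean_list "$1")
    clean_list "$2" | while read -r mac; do
        if printf '%s\n' "$allowed" | grep -Fxq "$mac"; then echo "$mac"; fi
    done
}

# Print the rule set; fail without output if the lists contradict each other.
emit_rules() {
    both=$(conflicts "$1" "$2")
    if [ -n "$both" ]; then
        echo "refusing to build rules, MAC in both lists: $both" >&2
        return 1
    fi
    echo "$IPTABLES -t filter -I FORWARD 1 -m mark --mark $MARK -j ACCEPT"
    clean_list "$1" | while read -r mac; do
        echo "$IPTABLES -t mangle -I PREROUTING -m mac --mac-source $mac -j MARK --set-mark $MARK"
    done
    clean_list "$2" | while read -r mac; do
        echo "$IPTABLES -t mangle -I PREROUTING -m mac --mac-source $mac -j DROP"
    done
}

# Usage: sh this-script /tmp/whitelist /tmp/blacklist
if [ "$#" -eq 2 ]; then emit_rules "$1" "$2"; fi
```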
