A.P. Lawrence

Securing your network to specific machines

(Traditional format)

Sun Dec 19 15:11:08 2004 Securing your network to specific machines
Posted by Tony Lawrence
Search Keys: security

It's possible to lock down a network from use by rogue machines (a laptop brought in from outside, for example), but it isn't easy. See these links for passing and blocking packets by MAC address:

http://www.securiteam.com/unixfocus/6G00F1F2UA.html
http://www.firerack.com/devel/iptables_macmatch

But.. keep in mind that someone can spoof MAC addresses also. Some switches can "lock" a MAC address to a specific port, so if you have one of those, use the iptables stuff from the links above to pass only the addresses you already know. If you then can keep your all your offices and the switch under lock and key.. you might stop all but the most determined wanderers.

If you need to get more sophisticated (some machines have more access than others), combine this with DHCP that assigns specific IP addresses to specific MAC addresses. As long as you have that blocking switch, and no physical access to its ports, you can then be sure that a particular IP address really came from thev machine you expected it to - or somebody drilled holes in your walls or otherwise physically compromised your network.

Comments /Blog/B1201.html


Add your comments

Why no "Digg this!" etc.?

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here