 From:  "Jewell, Michael" <mjewell at law dot umaryland dot edu>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Firewall Rules by MAC Address. IS it possible?
 Date:  Fri, 1 Oct 2010 17:24:35 -0400
A good smart switch will help with users changing their MAC address also: enabling sticky MACs on
a Cisco switch with a limit of 1... the first MAC the switch learns is the only MAC the switch will
let use that port. Course, moving users or anything requires the network admin's help, but hey,
that just means job security...


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Thursday, September 30, 2010 9:39 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Firewall Rules by MAC Address. IS it possible?

On Thu, Sep 30, 2010 at 9:02 PM, Heinz Teichmann
<heinz dot teichmann at wanews dot com dot au> wrote:
> If it is such a big issue a proper proxy appliance would be the way to go?!?
> Or is it a cost issue? Most enterprises I worked for used proxies for that and it worked.

Yes that's the way to properly control such things, requiring using a
proxy with authentication for all users. But going on the theme of the
rest of this thread, you could say "but then he/she can just get
someone else's credentials!"

That's why you take the approach of not trying to come up with a
bulletproof technical solution to a people problem, which is
impossible - there are always going to be ways to get around
something. If you assign a DHCP reservation, let them know they are
not authorized for web access, and the person goes to the extent of
changing their IP and/or MAC to get around restrictions you have in
place, that's generally grounds for termination.

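
The sticky-MAC setup mentioned in the first reply of this thread, written out as an added configuration example that is not part of the original messages. It is Cisco IOS port security on a single access port; the interface name FastEthernet0/1 and the choice of the restrict violation mode are assumptions.

```cisco
! Assumed access port; substitute the port the user's machine is patched into.
interface FastEthernet0/1
 switchport mode access
 ! Turn on port security for this port.
 switchport port-security
 ! "Limit of 1": only one source MAC may be learned on the port.
 switchport port-security maximum 1
 ! Sticky learning: the first MAC seen is written into the running config
 ! as a secure address instead of ageing out like a dynamic entry.
 switchport port-security mac-address sticky
 ! Assumed violation mode: drop frames from any other MAC and count/log the
 ! violation. The IOS default (shutdown) err-disables the port instead.
 switchport port-security violation restrict
end
!
! Save so the learned sticky address survives a reload.
copy running-config startup-config
!
! Checks: learned address, violation counter, and port status.
show port-security interface FastEthernet0/1
show port-security address
!
! When a user is moved, the admin clears the learned address so the port
! can learn the new machine.
clear port-security sticky interface FastEthernet0/1
```

This ties a port to the first MAC address the switch sees there, so a workstation that changes its MAC on that port loses connectivity and the violation counter increments. It does not stop someone from cloning the permitted MAC, which is consistent with the point made later in the thread that no technical control is bulletproof.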