 
 From:  "Jewell, Michael" <mjewell at law dot umaryland dot edu>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Firewall Rules by MAC Address. IS it possible?
 Date:  Fri, 1 Oct 2010 17:54:49 -0400
It doesn't have to be an expensive managed switch; there are other, more cost-effective ways.

But it's not realistic to believe that adding a router/firewall like m0n0 will be able to turn your
cheap Linksys/DLink/Netgear/<Insert generic brand here> switch into an all-encompassing solution.
Ciscos are expensive switches because of the features they offer, because they're manageable.  If you
really want to prevent users from being able to screw with the system, as I see it, there are a couple
of basic ways:

1. Buy a managed switch and lock the MAC to a sticky port.
2. Buy a second switch, add a 3rd NIC to your m0n0, and put that user on their own little VLAN where it
doesn't matter what MAC they use; if they're plugged into that 2nd switch, they will always be bound
by the firewall rules on that OPT interface.
3. Buy a semi-managed switch (like a cheap web-managed switch), configure a second VLAN for that
user, and configure VLANs on m0n0 with an OPT interface.
4. Forcing all your users through an authenticated web proxy will prevent the user from going to
someone else's desk to get to the internet.

Rules by MAC don't work, since you can change the MAC easily.
Rules by IP don't work if they change the MAC or IP.

-Mike
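The thread's point, that a firewall rule keyed on source MAC is only as strong as the MAC the host chooses to send, while port security (Mike's option 1) binds the first learned MAC to the physical port, is easy to see in a small model. The following is an added example, not code from the thread or from the m0n0wall project: it models a MAC-keyed pass rule next to a switch port with sticky-MAC port security (maximum 1 address, violation mode shutdown) and runs a constructed sequence of frames through both. Port names, MAC and IP addresses are invented.

```python
"""Constructed example (added here, not code from the m0n0wall thread or project).

Models the two controls compared in the thread:
  * a firewall rule keyed on source MAC, which trusts whatever MAC the host emits;
  * a switch port with sticky-MAC port security (maximum 1 address), which pins
    the first learned MAC to the physical port and treats any other MAC on that
    port, or a pinned MAC showing up on a different port, as a violation.
Port names, MACs and IPs below are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Frame:
    port: str       # physical switch port the frame arrived on
    src_mac: str    # MAC the host put on the wire (spoofable)
    src_ip: str     # IP the host chose (also spoofable)


# Firewall policy: only this workstation's MAC may reach the Internet.
ALLOWED_MACS: Set[str] = {"00:11:22:33:44:55"}


def mac_rule_allows(frame: Frame) -> bool:
    """A pass rule keyed on source MAC. Enforced on the firewall, behind the
    switch, it can only see the address the host claims."""
    return frame.src_mac.lower() in ALLOWED_MACS


@dataclass
class SecurePort:
    max_macs: int = 1
    sticky: Set[str] = field(default_factory=set)   # learned-and-pinned MACs
    err_disabled: bool = False                       # violation mode "shutdown"


class Switch:
    """Minimal model of port security with sticky learning and violation=shutdown."""

    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.owner: Dict[str, str] = {}   # pinned MAC -> port it is pinned to
        self.log: List[str] = []

    def port(self, name: str) -> SecurePort:
        return self.ports.setdefault(name, SecurePort())

    def ingress(self, frame: Frame) -> bool:
        """Return True if the port forwards the frame, False if it is dropped."""
        p = self.port(frame.port)
        mac = frame.src_mac.lower()
        if p.err_disabled:
            return False
        if mac in p.sticky:
            return True
        # A MAC already pinned to another port appearing here is a violation.
        if self.owner.get(mac, frame.port) != frame.port:
            return self._violate(frame.port, p, f"{mac} is secured on {self.owner[mac]}")
        if len(p.sticky) < p.max_macs:
            p.sticky.add(mac)          # first MAC seen is learned and pinned
            self.owner[mac] = frame.port
            return True
        return self._violate(frame.port, p, f"{mac} exceeds maximum {p.max_macs}")

    def _violate(self, port: str, p: SecurePort, why: str) -> bool:
        p.err_disabled = True
        self.log.append(f"{port}: security violation, err-disabled ({why})")
        return False


def evaluate(frames: List[Frame]) -> List[Tuple[str, bool, bool]]:
    """For each frame return (label, allowed by the MAC rule alone, allowed when
    the switch port must also forward it). A fresh switch is used per call."""
    sw = Switch()
    out: List[Tuple[str, bool, bool]] = []
    for f in frames:
        by_mac = mac_rule_allows(f)
        by_port = sw.ingress(f) and by_mac   # ingress runs first so the port learns
        out.append((f"{f.port} {f.src_mac} {f.src_ip}", by_mac, by_port))
    return out


# Constructed traffic: the authorized PC, then a second user trying to get
# around the rule by cloning its MAC, from his own port and from an unused one.
SCENARIO = [
    Frame("Gi0/1", "00:11:22:33:44:55", "192.168.1.10"),  # authorized PC, learned on Gi0/1
    Frame("Gi0/2", "00:aa:bb:cc:dd:ee", "192.168.1.20"),  # other user, own MAC, learned on Gi0/2
    Frame("Gi0/2", "00:11:22:33:44:55", "192.168.1.10"),  # same user now spoofing the allowed MAC
    Frame("Gi0/3", "00:11:22:33:44:55", "192.168.1.10"),  # spoof from a never-used port
]

if __name__ == "__main__":
    for label, by_mac, by_port in evaluate(SCENARIO):
        print(f"{label:45} MAC rule only: {by_mac!s:5}  with port security: {by_port}")
```

The MAC-only rule passes frames 3 and 4 (the spoof works); with port security they are dropped, because the cloned MAC is already pinned to Gi0/1. The caveat a practitioner should note is visible by running `evaluate` with only the spoofed frame: on a switch that has never learned the legitimate host, sticky learning pins whatever MAC shows up first, so the spoofer is accepted. That is why the "first MAC the switch learns" approach assumes the real workstation is connected before the port is enabled, or that the admin configures the secured MAC statically. The model follows the documented behaviour of Catalyst `switchport port-security maximum 1` with `mac-address sticky` and the default violation mode, but it is a simplification, not a tested configuration.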

-----Original Message-----
From: rh at ffpx dot de [mailto:rh at ffpx dot de] 
Sent: Friday, October 01, 2010 5:37 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Firewall Rules by MAC Address. IS it possible?

Yea,

but YOU are speaking of expensive manageable switches...! - I would
prefer some interface extension of monowall to get this feature
available...

Ralf

> A good smart switch will help with users changing their MAC address
> also; enabling sticky MACs on a Cisco switch with a limit of 1...
> the first MAC the switch learns is the only MAC the switch will let
> use that port.  'Course moving users, or anything, requires the
> network admin's help, but hey, that just means job security...
>
> -Mike
>
>
>
> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com]
> Sent: Thursday, September 30, 2010 9:39 PM
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Firewall Rules by MAC Address. IS it possible?
>
> On Thu, Sep 30, 2010 at 9:02 PM, Heinz Teichmann
> <heinz dot teichmann at wanews dot com dot au> wrote:
>> If it is such a big issue a proper proxy appliance would be the way to go?!?
>> Or is it a cost issue? Most enterprises I worked for used proxies   
>> for that and it worked.
>>
>
> Yes that's the way to properly control such things, requiring using a
> proxy with authentication for all users. But going on the theme of the
> rest of this thread, you could say "but then he/she can just get
> someone else's credentials!"
>
> That's why you take the approach of not trying to come up with a
> bulletproof technical solution to a people problem, which is
> impossible - there are always going to be ways to get around
> something. If you assign a DHCP reservation, let them know they are
> not authorized for web access, and the person goes to the extent of
> changing their IP and/or MAC to get around restrictions you have in
> place, that's generally grounds for termination.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>


----- End of message from mjewell at law dot umaryland dot edu -----


