On Fri, Oct 01, 2010 at 05:54:49PM -0400, Jewell, Michael wrote:
> It doesn't have to be an expensive managed switch, there are other more cost-effective ways.
>
> But it's not realistic to believe that adding a Router/Firewall like m0n0 will be able to turn your cheap Linksys/DLink/Netgear/<Insert generic brand here> switch into an all-encompassing solution. Cisco's are expensive switches because of the features they offer, because they're manageable. If you really want to prevent users from being able to screw with the system, as I see it, there's a couple of basic ways:
>
> 1, buy a managed switch, lock the MAC to a sticky port.

I would add:

1b, buy a decent managed switch used (e.g., eBay); you can get excellent hardware for very little money. If you just need 100Mbit, the HP ProCurve 26xx is dirt cheap; if you need Gbit, then the 28xx doesn't cost much more. Like any good managed switch, these can also do all kinds of other fancy security measures such as snooping DHCP and/or ARP packets, and preventing machines from using any IP address other than that assigned by your DHCP server; or per-port web authentication similar to the m0n0wall captive portal, and so on.

> 2, buy a second switch, add a 3rd NIC to your m0n0, put that user on their own little VLAN where it doesn't matter what MAC they use; if they're plugged into that 2nd switch, they will always be bound by the firewall rules on that OPT interface.
>
> 3, buy a semi-managed switch (like a cheap web-managed switch) and configure a second VLAN for that user and configure VLANs on m0n0 with an OPT interface.
>
> 4, Forcing all your users through an authenticated web proxy will prevent the user from going to someone else's desk to get to the internet.
>
> Rules by MAC don't work since you can change the MAC easily.
> Rules by IP don't work if they change the MAC or IP.

Graham

--
-------------------------------------------------------------------------
Graham Allan - I.T. Manager - allan at physics dot umn dot edu - (612) 624-5040
School of Physics and Astronomy - University of Minnesota
-------------------------------------------------------------------------