Post #11, Mathiau (Untangle Ninja), 01-05-2012, 03:58 PM

Restricting access to change network settings isn't in your post; you have a switch with MAC address filtering and Windows Firewall, different things.

If you have a domain, just put in a GPO to block access to the NIC properties and you're done; you're making something far more complex than it needs to be, IMO.
__________________
Def1:Started:UT 7.1 x64 -- Current :UT 9.1 x64| Gigabyte GM-G31 mATX | Intel Q8200 | 8G DDR2 800 | 80G WD | 4x Intel Pro 1000 GT NIC's | Corsair 550W PSU | Norco RPC-250 2U Case | 50mb/50mb | 10 users
Post #12, sky-knight (Untangle Ninja), 01-05-2012, 03:59 PM

If you're willing to manage it, MAC-level control combined with IP-level control is quite powerful. The problem is the time it takes. However, it is nice in some cases to take special IP addresses that bypass the filters and make a packet filter rule that blocks everything from that IP, but then, above that rule, make a pass rule that passes everything from that MAC AND that IP.

Saves you from employees trying to steal the manager's IP when they are out of the office to get online.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
Post #13, johndball (Master Untangler), 01-05-2012, 04:40 PM

Quote (originally posted by Mathiau):
    Restricting access to change network settings isn't in your post; you have a switch with MAC address filtering and Windows Firewall, different things.

    If you have a domain, just put in a GPO to block access to the NIC properties and you're done; you're making something far more complex than it needs to be, IMO.

My apologies. I thought I made it clear in my post when I said this wasn't on domain (corporate) owned workstations, as those are locked down, but on devices that somebody might bring into the workplace.

We have GPOs pushed out on our domain locking down the workstations with Windows Firewall and switch MAC filtering. Once again, this feature request was for an additional layer to restrict non-corporate assets from accessing the network beyond what was already in place.
Post #14, johndball (Master Untangler), 01-05-2012, 04:43 PM

Quote (originally posted by sky-knight):
    If you're willing to manage it, MAC-level control combined with IP-level control is quite powerful. The problem is the time it takes. However, it is nice in some cases to take special IP addresses that bypass the filters and make a packet filter rule that blocks everything from that IP, but then, above that rule, make a pass rule that passes everything from that MAC AND that IP.

    Saves you from employees trying to steal the manager's IP when they are out of the office to get online.
Interesting. This isn't the flu meds talking huh?
Post #15, sky-knight (Untangle Ninja), 01-05-2012, 04:52 PM

MAC + port + IP are the three founding blocks of NAC. NAC-enabled switches give you the power to choose what devices can be active on what network ports, what addresses those devices should be using, and in some cases user name authorization as well.

These aren't bad security measures, but Untangle isn't the proper tool to utilize them. Yes, it can be done; it's just very time-intensive to do this stuff. But yes, the technique I described works. The Packet Filter works on first-matched-rule-wins logic, just like the Firewall module. So as long as your block rules are below your pass rules, you can do this for a select few stations easily.

The problem? Untangle's packet filter doesn't log. So how will you know who the troublemakers are?

Better, I think, to use the Directory Connector and the AD logon script / Captive Portal to put people into different racks based on user names. Then machine access is irrelevant, and people will have to gain access to another's user account to get access they aren't supposed to have.
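The rule-ordering trick from posts #12 and #15 (a MAC+IP pass rule placed above an IP-only block rule, evaluated first-match-wins) in working code. This is an added example, not Untangle's packet filter, its rule syntax, or anything the posters ran; the `Packet`/`Rule` model, the `ordering_errors` check and the addresses are constructed for illustration.

```python
"""First-match packet-filter evaluation with a MAC+IP pass rule sitting above
an IP-only block rule for the same address.

Stand-alone illustrative model, not Untangle's rule engine or config format.
Rule fields, packet fields and every address below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "pass" or "block"
    src_ip: Optional[str] = None    # None matches any source IP
    src_mac: Optional[str] = None   # None matches any source MAC

    def matches(self, pkt: Packet) -> bool:
        if self.src_ip is not None and self.src_ip != pkt.src_ip:
            return False
        if self.src_mac is not None and self.src_mac.lower() != pkt.src_mac.lower():
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.

    Returns (action, rule_name); a packet no rule matches gets the default.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def ordering_errors(rules: List[Rule]) -> List[str]:
    """Report IPs whose MAC+IP pass rule sits below an IP-only block rule.

    Under first-match semantics such a pass rule can never fire, so the
    legitimate owner of the address is locked out together with the squatters.
    """
    errors: List[str] = []
    blocked_ips = set()
    for rule in rules:
        if rule.action == "block" and rule.src_ip and rule.src_mac is None:
            blocked_ips.add(rule.src_ip)
        elif rule.action == "pass" and rule.src_ip and rule.src_mac:
            if rule.src_ip in blocked_ips:
                errors.append(rule.src_ip)
    return errors


# Constructed example addresses (not from the thread).
MANAGER_IP = "192.168.1.50"
MANAGER_MAC = "00:11:22:33:44:55"

# Correct order: the specific pass rule above the broad block rule.
RULES = [
    Rule("manager: pass from own MAC", "pass", src_ip=MANAGER_IP, src_mac=MANAGER_MAC),
    Rule("manager: block anyone else on this IP", "block", src_ip=MANAGER_IP),
]

# The same two rules reversed: the block rule now shadows the pass rule.
RULES_REVERSED = list(reversed(RULES))


if __name__ == "__main__":
    manager = Packet(MANAGER_MAC, MANAGER_IP)
    squatter = Packet("de:ad:be:ef:00:01", MANAGER_IP)   # borrowed the manager's IP
    for label, pkt in (("manager", manager), ("squatter", squatter)):
        print(label, evaluate(RULES, pkt))
    print("ordering errors in reversed list:", ordering_errors(RULES_REVERSED))
```

`ordering_errors` is the check worth running before you trust a hand-built list: it flags exactly the mistake the post warns about, an IP-only block rule that has crept above its matching MAC+IP pass rule. Note that nothing here addresses the logging gap raised in the same post; the model only decides pass or block.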
Post #16, dbunyard (Untangle Ninja), 01-05-2012, 04:59 PM

I think just using Captive Portal is the way to go, really. I do something similar at home. I have only certain MAC addresses allowed to connect to my wireless router; they are then issued an IP address from the DHCP server. If you get an IP outside the range of the static leases I have defined, you are presented with a captive portal login where you must authenticate to gain access. I also run arpwatch on my Linux box to alert me to the presence of new MAC addresses on the network or if a host's IP changes. Granted, it's a home network, but it's been SUPER effective.
__________________
Dan

You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.
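The monitoring side of the setup above, as an added example: an arpwatch-style watcher that reports a never-before-seen MAC and an IP that has moved to a different MAC, plus the "is this address inside a static lease" test that decides who lands on the captive portal. This is not arpwatch's code and not dbunyard's configuration; the `ip -4 neigh show` lines, the reservations and all addresses are constructed for the example.

```python
"""ARP-table monitoring in the spirit of arpwatch, plus the static-lease test
that decides who is sent to the captive portal.

Added example, not arpwatch itself. The neighbour-table lines, reservations
and addresses are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# One line of `ip -4 neigh show`, e.g.
#   192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# Entries without lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

Event = Tuple[str, str, str]   # (kind, ip, detail)


def parse_neigh(lines: Iterable[str]) -> Dict[str, str]:
    """Return {ip: mac} from neighbour-table output, MACs normalised to lowercase."""
    table: Dict[str, str] = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


class ArpMonitor:
    """Remembers IP->MAC pairings and reports what arpwatch would mail about:
    a MAC never seen before, and an IP that now answers from a different MAC."""

    def __init__(self, static_leases: Dict[str, str]):
        self.static_leases = {ip: mac.lower() for ip, mac in static_leases.items()}
        self.last_mac: Dict[str, str] = {}
        self.seen_macs = set()

    def needs_portal(self, ip: str) -> bool:
        """Addresses outside the static leases are the ones sent to the captive portal."""
        return ip not in self.static_leases

    def observe(self, table: Dict[str, str]) -> List[Event]:
        events: List[Event] = []
        for ip, mac in sorted(table.items()):
            if mac not in self.seen_macs:
                events.append(("new station", ip, mac))
                self.seen_macs.add(mac)
            prev = self.last_mac.get(ip)
            if prev is not None and prev != mac:
                events.append(("changed ethernet address", ip, f"{prev} -> {mac}"))
            self.last_mac[ip] = mac
            expected = self.static_leases.get(ip)
            if expected is not None and expected != mac:
                # A reserved address answering from the wrong MAC: spoofing or a stale lease.
                events.append(("static lease mismatch", ip, f"expected {expected}, saw {mac}"))
        return events


# Constructed reservations and two constructed snapshots of the neighbour table.
STATIC_LEASES = {
    "192.168.1.50": "00:11:22:33:44:55",   # manager's laptop
    "192.168.1.10": "00:11:22:33:44:10",   # printer
}

SNAPSHOT_1 = [
    "192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE",
    "192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE",
    "192.168.1.99 dev eth0  FAILED",
]

# Later: a new device claims the manager's IP while the manager is out.
SNAPSHOT_2 = [
    "192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE",
    "192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE",
    "192.168.1.123 dev eth0 lladdr de:ad:be:ef:00:02 REACHABLE",
]


def run_demo() -> List[Event]:
    """Baseline on the first snapshot, then return the events from the second."""
    mon = ArpMonitor(STATIC_LEASES)
    mon.observe(parse_neigh(SNAPSHOT_1))       # two new stations, nothing alarming
    return mon.observe(parse_neigh(SNAPSHOT_2))


if __name__ == "__main__":
    for ev in run_demo():
        print(*ev)
```

Feed `observe` with the parsed output of `ip -4 neigh show` on a timer and the second snapshot produces the three alerts you want from the scenario in the thread: a new station, the manager's IP changing ethernet address, and a static-lease mismatch on that IP. The unknown `192.168.1.123` is also the address `needs_portal` would route to the captive portal.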
Post #17, Mathiau (Untangle Ninja), 01-06-2012, 11:53 AM

Quote (originally posted by johndball):
    My apologies. I thought I made it clear in my post when I said this wasn't on domain (corporate) owned workstations, as those are locked down, but on devices that somebody might bring into the workplace.

    We have GPOs pushed out on our domain locking down the workstations with Windows Firewall and switch MAC filtering. Once again, this feature request was for an additional layer to restrict non-corporate assets from accessing the network beyond what was already in place.

No! I apologize! I did not even see that part at the end; I just saw the

Quote:
    Secondly, we have Windows Firewall running on the domain..

part.
All times are GMT -7.

© 2010 Untangle, Inc. All Rights Reserved.