  1. #1

    Locking down network, allow only approved mac addresses?

    Couldn't find an answer to this when searching but my searching techniques leave a lot to be desired so if anyone could point me in the right direction to a post or offer some help it would be appreciated...

    I have my domain controller (server 2003) set up as the DHCP server. Now in an attempt to lock down our network I wanted to somehow set it so that the DHCP server only assigns ip addresses to an allowed list of MAC addresses so no rogue wireless or wired computers can access the network unless added to this list.

    This would protect us from anyone hacking into wifi points and any rogue machines plugged into the network. Also means all machines connected to the network have my permission to be connected and nothing that hasn't been virus checked or prepared for the network will have access.

    I am positive that most of you will have a similar solution set up and I wondered if it was possible without 3rd party software.

    Again apologies if this is a repeated post as I swear I have seen a post like this before but can't find it.

    Any other suggestions for locking down our network would be appreciated also!

    Many thanks!

    Busy busy Monday!

  2. #2

    Re: Locking down network, allow only approved mac addresses?

    The only 'quick' way I can think of to do it without third party software would be to manually add reservations by MAC address - off the top of my head, I don't think you can add a pool of MAC addresses which are allowed to get IPs via DHCP. I stand ready to be connected though!

  3. #3

    Geoff

    Re: Locking down network, allow only approved mac addresses?

    Yes, that'll work. But it's a flawed solution. There's nothing stopping people either:

    a) spoofing a working mac address
    b) sniffing network traffic and working out your network settings. Then configuring themselves manually.

    There are several other ways of doing this:

    a) IPSec, but you need PKI set up correctly and there's a system overhead for all the encryption/decryption you'll be doing.
    b) 802.11X, but you need switches that support it and a radius server.
    c) Packetfence, but you need to know *nix (or be able to run VMWare images).

    A cheap and easy way to cut down on possible abuse is to simply leave unconnected endpoints disconnected at the switch cabinet.

  4. #4

    Re: Locking down network, allow only approved mac addresses?

    I suppose this would be sufficient. It is only a primary school and it would just be so that non prepared machines would not have network access until I allow them. I would have to rely on my wireless security to prevent external machines connecting.

  5. #5

    Geoff

    Re: Locking down network, allow only approved mac addresses?

    As for wireless, you can usually do 802.11X (Wifi calls it Enterprise WPA usually). Failing that WPA-PSK with a long/complex password is sufficient.

  6. #6

    Re: Locking down network, allow only approved mac addresses?

    So do I need to turn off DHCP and assign static ip addresses to each MAC? Cos surely if I just add reservations for the mac addresses of allowed computers other computers can still connect to the dhcp server?

  7. #7

    Re: Locking down network, allow only approved mac addresses?

    Quote Originally Posted by starscream
    So do I need to turn off DHCP and assign static ip addresses to each MAC? Cos surely if I just add reservations for the mac addresses of allowed computers other computers can still connect to the dhcp server?
    You don't need to turn DHCP off, just make sure that all allowed MACs get reserved addresses and that there is no free pool of addresses.

    As Geoff implies, this is merely security through obscurity. A knowledgeable person won't be stopped from connecting, just slightly inconvenienced.

  8. #8
    enjay

    Re: Locking down network, allow only approved mac addresses?

    On our network, I've blocked set all IPs which aren't required into an exclusion range, so if a device connects, the DHCP server will tell it there aren't any free IPs. Of course, this doesn't stop people connecting with PCs which have valid IPs configured manually, so when I have a few hours to spare, I will go through each of the "free" IPs setting reservations on them.

    I've also disconnected all redundant network points at the switch.

  9. #9

    Re: Locking down network, allow only approved mac addresses?

    Quote Originally Posted by NickJones
    On our network, I've blocked set all IPs which aren't required into an exclusion range, so if a device connects, the DHCP server will tell it there aren't any free IPs. Of course, this doesn't stop people connecting with PCs which have valid IPs configured manually, so when I have a few hours to spare, I will go through each of the "free" IPs setting reservations on them.
    How? Each reservation needs a MAC, so if you've used them already...
    As for the manually configured machines, they won't ask for an address so won't be bothered about reservations.

  10. #10
    enjay

    Re: Locking down network, allow only approved mac addresses?

    Each reservation will need a MAC, you're right - but it won't take very long to type them in for the 100 or so spare IPs in our range.

    I was under the impression that if an IP had a reservation against it, a different MAC address wouldn't be allowed to connect using that IP...

  11. #11

    Geoff

    Re: Locking down network, allow only approved mac addresses?

    I was under the impression that if an IP had a reservation against it, a different MAC address wouldn't be allowed to connect using that IP...
    That's correct. However you have two problems unsolved:

    1) People spoofing MAC addresses.
    2) People manually configuring their networking.

    Which is the situation starscream was in at the start of the thread....

  12. #12
    enjay

    Re: Locking down network, allow only approved mac addresses?

    1) I can cope with that risk here - it's not 100% secure, but it's more secure than doing nothing (and probably more secure than most other networks!).
    2) Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?

  13. #13

    Geoff

    Re: Locking down network, allow only approved mac addresses?

    Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?
    Yes it would, it doesn't care what the DHCP server thinks as it never talks to it. Plus the DHCP server has no mechanism to shut down the rogue machine.
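
The gap described in posts #11 and #13 (a manually configured machine never talks to the DHCP server) can at least be detected by comparing the neighbour table with the reservation list. This is an added example, not part of the original thread; the allow-list, addresses and `arp -a` sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed allow-list mirroring the DHCP reservations: IP -> approved MAC.
RESERVATIONS = {
    "10.0.0.20": "00-1a-2b-00-00-20",
    "10.0.0.21": "00-1a-2b-00-00-21",
    "10.0.0.22": "00-1a-2b-00-00-22",
}

# Constructed `arp -a` output in the Windows layout, as seen from the server.
ARP_OUTPUT = """\
Interface: 10.0.0.1 --- 0x10003
  Internet Address      Physical Address      Type
  10.0.0.20             00-1a-2b-00-00-20     dynamic
  10.0.0.21             00-de-ad-00-00-99     dynamic
  10.0.0.57             00-de-ad-00-00-57     dynamic
  10.0.0.58             00-1A-2B-00-00-22     dynamic
"""

ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})[ \t]+\w+",
    re.MULTILINE,
)

def norm(mac):
    """Lower-case, dash-separated MAC so both sources compare equal."""
    return mac.lower().replace(":", "-")

def parse_arp(text):
    """Return (ip, mac) pairs from the table rows, skipping headers."""
    return [(ip, norm(mac)) for ip, mac in ROW.findall(text)]

def audit(neighbours, reservations):
    """Flag hosts that are on the wire without matching a reservation."""
    approved = {norm(mac) for mac in reservations.values()}
    findings = []
    for ip, mac in neighbours:
        expected = reservations.get(ip)
        if expected is not None and norm(expected) == mac:
            continue  # matches its reservation (a spoofed MAC also lands here)
        if expected is not None:
            reason = "reserved-ip-wrong-mac"
        elif mac in approved:
            reason = "approved-mac-static-ip"
        else:
            reason = "unknown-host"
        findings.append((ip, mac, reason))
    return findings
```

Call `audit(parse_arp(ARP_OUTPUT), RESERVATIONS)` to get the flagged `(ip, mac, reason)` tuples. An empty result only means every visible host matches a reservation; a machine that copies an approved MAC and its reserved IP is not distinguishable this way.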

  14. #14
    enjay

    Re: Locking down network, allow only approved mac addresses?

    Quote Originally Posted by Geoff
    Again I say, if the IPs all have reservations against them, then a manually-configured PC wouldn't connect. Would it?
    Yes it would, it doesn't care what the DHCP server thinks as it never talks to it.
    In which case I won't bother with the reservations! Thanks, you've saved me some time :-)

  15. #15

    bossman

    Re: Locking down network, allow only approved mac addresses?

    Have found this thread here: http://www.securityfocus.com/archive...0/390/threaded

    Makes for good bedtime reading, enjoy.
