Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: "B. Scott Harroff" <Scott.Harroff () att net>
Date: Fri, 14 Dec 2001 13:20:55 -0500

Wizards,

My apologies for not being more specific.  Users at the partner network will
have access to a room with a single switch which is directly connected to
the hostile interface of the firewall (F1) in a secured area.  The other
interface of F1 is connected to a router via a x-over cable.  F1 is
building an IPSEC tunnel for certain inbound IPs on the hub/switch across a
network into another firewall F2 which is further controlling access into
another trusted network.  There is no router between the laptops and F1.  F1
will see the laptops' MACs.

I fully understand that a MAC address can be changed or faked by any technical
user. The partner's purpose is not to create an environment where it becomes
physically impossible to have a non-authorized machine talk through the
firewall (if someone can fake both the MAC and IP correctly).  It's merely
to add another security layer (another hurdle) which is challenging to
overcome.  Consider this: If you have the ability to change the MAC address,
you still have to know what the correct MAC address you need to fake is -
which will not be public information.  Also, that MAC will have to
correspond to a certain predetermined IP, another bit of non-public
information.  The combination of the two creates a relatively cheap,
challenging hurdle.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
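The IP/MAC pairing described in the message above, worked through as an added example that is not part of the original thread or the poster's setup. The allowlist, the laptop addresses and the sample frames are constructed here; the post does not say what F1 runs, so the iptables rules at the end assume a Linux firewall and use the standard `-m mac --mac-source` match. The last sample frame shows the limit the poster already concedes: an attacker who has learned both the MAC and its paired IP passes the check.

```python
# Added example (not from the firewall-wizards thread): enforce and audit
# source IP -> source MAC pairings on the hostile interface of a firewall.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC (lower case, colon separated) so comparisons are exact."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC: {mac!r}")
    return m


# Hypothetical partner allowlist: each authorised laptop IP and the MAC it
# must arrive from. Values are made up for this example.
ALLOWED = {
    "192.0.2.10": norm_mac("00:11:22:33:44:55"),
    "192.0.2.11": norm_mac("00:11:22:33:44:66"),
}


@dataclass(frozen=True)
class Verdict:
    action: str   # "accept" or "drop"
    reason: str


def check_frame(src_ip: str, src_mac: str, allowed=ALLOWED) -> Verdict:
    """Decide one frame: both the IP and its predetermined MAC must match."""
    ip = str(ip_address(src_ip))          # raises on malformed input
    mac = norm_mac(src_mac)
    expected = allowed.get(ip)
    if expected is None:
        return Verdict("drop", f"unknown source IP {ip}")
    if expected != mac:
        return Verdict("drop", f"IP {ip} is bound to {expected}, seen from {mac}")
    return Verdict("accept", "ip/mac pair matches allowlist")


# Constructed sample of (src_mac, src_ip) pairs as F1 would see them on the
# hostile interface. Not real traffic.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "192.0.2.10"),   # legitimate laptop
    ("00:11:22:33:44:55", "192.0.2.11"),   # right MAC, wrong IP (guessed pairing)
    ("DE-AD-BE-EF-00-01", "192.0.2.10"),   # right IP, unknown MAC
    ("de:ad:be:ef:00:02", "192.0.2.99"),   # neither known
    ("00:11:22:33:44:66", "192.0.2.11"),   # attacker who learned both values: passes
]


def audit(frames, allowed=ALLOWED):
    """Return (accepted, dropped, suspicious_macs).

    suspicious_macs lists authorised MACs seen with more than one source IP,
    which is either a misconfigured laptop or someone trying pairings.
    """
    accepted, dropped = [], []
    ips_per_mac = defaultdict(set)
    for src_mac, src_ip in frames:
        verdict = check_frame(src_ip, src_mac, allowed)
        ips_per_mac[norm_mac(src_mac)].add(str(ip_address(src_ip)))
        record = (norm_mac(src_mac), str(ip_address(src_ip)), verdict.reason)
        (accepted if verdict.action == "accept" else dropped).append(record)
    suspicious = sorted(
        mac for mac, ips in ips_per_mac.items()
        if mac in allowed.values() and len(ips) > 1
    )
    return accepted, dropped, suspicious


def iptables_rules(iface: str, allowed=ALLOWED) -> list:
    """Equivalent enforcement on a Linux firewall (assumed; F1's platform is
    not stated in the thread): accept only the listed IP/MAC pairs arriving on
    the hostile interface, drop everything else from it."""
    rules = [
        f"iptables -A FORWARD -i {iface} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
        for ip, mac in sorted(allowed.items())
    ]
    rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    ok, bad, alerts = audit(SAMPLE_FRAMES)
    for rec in ok:
        print("ACCEPT", rec)
    for rec in bad:
        print("DROP  ", rec)
    print("MACs seen with several IPs:", alerts)
    print("\n".join(iptables_rules("eth0")))
```

Note that the iptables `mac` match only works on the inbound side (INPUT, FORWARD and PREROUTING), which fits the post's topology: the laptops sit on the same segment as F1's hostile interface, so their source MAC is still intact when the frame arrives. The audit's "MAC seen with several IPs" signal is cheap to log and is the kind of event that turns this hurdle from a silent filter into something the partner can actually notice.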

