ern Robert said:
>Hi folks,
>I would like to ask for an idea... I would like to disable connecting
>an unauthorized computer to our network. I know I can limit assigning
>DHCP addresses to assigned MAC addresses, but what will happen if a
>hijacker sets a correct IP address and the additional info manually?
>Is there a way to solve this case?
A managed switch, even a basic layer-2 one, will give you a feature
called "port locking" or some similar name. The idea is, you plug in all
the authorized devices, then turn on the feature. At that point no other
MAC addresses will be allowed to connect to the switch until you reset
the "port locking" feature.
However, note the ability to spoof a MAC address quite easily in
software. So if that isn't secure enough for you, you could use some
sort of lower-layer protocol to limit actual access to the network using
a certificate or password.
You can mitigate against the risk of unauthorized connections through a
well designed and maintained network. Rigorously unpatch disused ports;
use reservation-only DHCP (you mentioned this); modify workstation
ethernet cables to make them difficult to unplug without tools; design
your network using layer 3 technology, providing strict access control
from edge VLANs and across the core network to the server VLAN; use MAC
address port locking if you like.
On our LAN, we use everything in the previous paragraph except the port
locking. With your potential attackers having physical access to your
network like this, I think your only realistic goal is to make attacks
annoying or difficult to carry out, because you probably won't ever
succeed in making them impossible:
Even if you completely protect your network from unauthorised
connections, can users boot into single user mode and own an authorized
machine? Can they boot it off CD, or FireWire drive? There are steps to
prevent all these things, but could an unsupervised, knowledgeable user
circumvent them? My point is, on a LAN, a determined, skilled,
unsupervised attacker with some time to kill is going to do some damage
to your network. Their skill and your network design will determine how
far they get :-)
Cheers
James
PS: Damn, I really wanted to include the phrase "wooly thinking" in my
answer ;-)
--
James Tolchard
System Administrator
Christ's College Canterbury
DDI: +64-3-364-6806
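One way to catch the case Robert asked about (a host that bypasses reservation-only DHCP by configuring a reserved IP by hand) is to diff the switch-facing ARP table against the DHCP reservation list. The script below is an added example, not James's or the list's code; it assumes macOS `arp -an` output and uses constructed, hypothetical reservation and trusted-MAC tables.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-in for the DHCP server's reservation table (MAC -> IP).
RESERVATIONS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "192.168.1.10",
    "00:1a:2b:3c:4d:5f": "192.168.1.11",
    "00:1a:2b:3c:4d:60": "192.168.1.12",
}
# Constructed: infrastructure MACs (router, switches) that never lease via DHCP.
TRUSTED: FrozenSet[str] = frozenset({"00:50:56:ab:cd:ef"})

# Constructed sample of `arp -an` output as macOS prints it (octets without
# leading zeros). Entries: gateway, a correct host, a foreign MAC squatting on
# a reserved IP, a reserved MAC parked on a self-chosen IP, an unknown host.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:50:56:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.1.10) at 0:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.11) at 0:de:ad:be:ef:1 on en0 ifscope [ethernet]
? (192.168.1.50) at 0:1a:2b:3c:4d:60 on en0 ifscope [ethernet]
? (192.168.1.77) at 0:ca:fe:ba:be:99 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+)")


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '0:1a:...' compares equal to '00:1a:...'."""
    return ":".join(o.lower().zfill(2) for o in mac.split(":"))


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from `arp -an` lines; skips unparsable lines."""
    found = [ARP_LINE.search(line) for line in text.splitlines()]
    return [(m.group("ip"), normalize_mac(m.group("mac"))) for m in found if m]


def audit(pairs, reservations, trusted=frozenset()) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, reason) for every ARP entry that contradicts the reservations.
    Limitation (as James notes): a host that clones both a reserved MAC and its IP
    looks legitimate here; only the switch's port-to-MAC view can catch that."""
    ip_to_mac = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac in pairs:
        if mac == "ff:ff:ff:ff:ff:ff" or mac in trusted:
            continue
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            findings.append((ip, mac, "reserved IP used by a different MAC"))
        elif mac in reservations and reservations[mac] != ip:
            findings.append((ip, mac, "reserved MAC on a self-assigned IP"))
        elif mac not in reservations:
            findings.append((ip, mac, "MAC not in reservation table"))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    return audit(parse_arp(SAMPLE_ARP), RESERVATIONS, TRUSTED)


if __name__ == "__main__":
    for ip, mac, reason in run_sample():
        print(f"{ip:15} {mac}  {reason}")
```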
Macos-x-server mailing list (email@hidden)