RE: Network "Change Management"

Harijs

While I agree with you - this is also going to fool programs like arpwatch.
Or any mac address monitoring software for that matter. That is why I also
suggested 802.1x as further protection, and as always check your firewall
logs, IDS logs and tighten things up as much as possible.

Evan

-----Original Message-----
From: Harijs Buss [mailto:hbush@apollo.lv] 
Sent: 17 September 2004 09:42 AM
To: focus-linux@securityfocus.com
Cc: Evan Pierce; 'Dave Torre'
Subject: Re: Network "Change Management"

On Friday 17 September 2004 00:15, Evan Pierce rakstija:

> Why not rather restrict DHCP to an allowed list of MAC addresses? 

MAC address is very weak identifier.  It can be easily changed by software
e.g. in the laptop to have the same MAC as one of allowed computers. If
somebody will seriously want to add laptop to local network where his
ordinary PC is allowed already, one simple solution will be to get small
cheap home NAT/switch/firewall/router like LinkSys BEFSR41, plug it into
LAN, let it "to clone" allowed MAC address from allowed PC and then connect
whatever he will want to 4-port bilt-in switch working with NAT-ed IP
addresses.  From your LAN's point of view it will still look like one PC
with the right MAC address and one IP address legally obtained from your
"official" DHCP server. Besides, BEFSR41 has built-in firewall so you will
not see any share advertising etc. Certainly this LinkSys device is by far
not the only one such device in the market nowadays, I mentioned it just as
an example. 

Harry