• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 214

Securing your network using MAC Addresses

All, this is a security/switch question, so I came to this forum first.

I have a problem with people just coming into our offices and plugging their laptops in without asking... :-| I'm not best pleased with this, but how do I remedy it?

My thoughts are to create a backbone using a layer 3 switch (we have one Cisco Catalyst switch that we can use) and then create VLANs off of this onto our current switches (this is a separate idea, in that I want to *subnet* certain departments and remote users)... anyway, my question is: can I configure the Cisco switch to accept ONLY certain MAC addresses? I know I would have to build a list of all MAC addresses in the company; however, I'd rather do that than take the chance of someone letting loose a virus just because we have no *internal* security as such....

Does anyone have any thoughts on whether this is possible?


pseudocyber commented:
Yes. You can have MAC-based VLANs, but it would be a real Pain in the ... (PITA) to administer, UNLESS you have a very small number of MAC addresses.

The better solution to what you're looking for is to use 802.1X, port-based authentication. Check this out for more info: http://tldp.org/HOWTO/html_single/8021X-HOWTO/. Of course, this would require some investment of time and money, which perhaps you don't have (like me :))

Since you mentioned Cisco, check this out (excerpt from the Cisco white paper linked below):

Assigning Host-Based VLANs in Cisco Switch Products Using Cisco Secure User Registration Tool
Introduction

Dynamic virtual LAN (VLAN) membership is a convenient way to dynamically assign end stations to VLANs. Dynamic VLAN assignment is especially useful in administering large networks because you can move a connection from a port on one switch to a port on another switch in the network without reconfiguring the port. Dynamic-access ports work with a

http://www.cisco.com/en/US/products/sw/secursw/ps2136/products_white_paper09186a00801153a6.shtml
 
PennGwyn commented:
Cisco switches also have a port security setting which locks ports to work only with the current MAC address, intended to address situations like yours. Unfortunately, (a) you have to update it whenever a legit MAC address is moved or changed (e.g., replaced NIC card or computer), and (b) it doesn't make MAC spoofing very hard....

802.1X is a better way to go.

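Both of the mechanisms recommended in the two answers above (port security, and 802.1X port-based authentication) are configured from the Catalyst IOS CLI. The following is an added example written for this thread, not configuration posted by any of the participants or taken from the Cisco paper: one access port locked with port security to the first MAC it sees (the "sticky" form, so the allow list does not have to be typed in by hand), and a second access port gated by 802.1X against a RADIUS server. VLAN 10, the interface names, the RADIUS address 192.0.2.10 and the shared secret are placeholders chosen for the example; the commands are the classic IOS syntax of that era, and newer releases spell some of them differently (for instance `authentication port-control auto` and a `radius server <name>` block in place of `radius-server host`).

```cisco
! Added example for this thread (not from the original posts).
! Assumptions: IOS-based Catalyst, user VLAN 10, RADIUS server at 192.0.2.10
! (placeholder address), shared secret "ExampleSharedSecret" (placeholder).

! --- Option 1: port security, the mechanism PennGwyn describes ---
! Port security requires a statically configured access port; it cannot be
! enabled on a port still in dynamic (trunk-negotiating) mode.
interface FastEthernet0/1
 description User port - port security, single sticky MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! "sticky" learns the first source MAC seen and writes it into the running
 ! config as a static entry. A replaced NIC or laptop still means clearing the
 ! learned entry and relearning, which is the administrative cost noted above.
 switchport port-security mac-address sticky
 ! "shutdown" err-disables the port when a second or unknown MAC shows up;
 ! "restrict" would instead drop the offending frames and raise a counter/SNMP trap.
 switchport port-security violation shutdown
 spanning-tree portfast

! Let err-disabled ports recover on their own after 5 minutes instead of
! needing a manual "shutdown" / "no shutdown" on every violation.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- Option 2: 802.1X port-based authentication, the mechanism pseudocyber recommends ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleSharedSecret
! Enables 802.1X globally; without this line the per-interface commands are inert.
dot1x system-auth-control

interface FastEthernet0/2
 description User port - 802.1X required before any traffic is switched
 switchport mode access
 switchport access vlan 10
 ! "auto" means the port stays unauthorized (only EAPOL passes) until the
 ! supplicant on the attached machine authenticates against RADIUS.
 dot1x port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

After pasting this in, `show port-security interface FastEthernet0/1` and `show port-security address` show the learned sticky MAC and the violation count, and `show dot1x interface FastEthernet0/2` shows the port's authorization state; remember `write memory`, or the sticky entries are lost on reload. Option 1 only ever compares the source MAC of incoming frames, which is why the answer above says it does little against spoofing: an attacker who reads a legitimate MAC off an unplugged machine's label can set it on their own interface. Option 2 checks a credential rather than an address, but it needs a RADIUS server and an 802.1X supplicant on every client, and printers or other devices without a supplicant need a separate arrangement.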
 
Dr-IP commented:
Setting up something to keep people from being able to just waltz in the door with a laptop and plug it into the network is a good idea security-wise; in your situation it's only a stopgap measure, since you say you have no internal security. A couple of months ago someone got one of our company laptops infected by turning off the antivirus to load in some new software and forgetting to turn it back on when they were done. It took all of about five minutes after they plugged it into the LAN before it started causing problems, but it did no real damage other than locking out a few dozen people's accounts. If I hadn't had any security it would have made a real mess of things and infected most of the computers on the network, but it couldn't, and only succeeded in being a minor annoyance instead. This is why you need to address the core of your problem, since a compromised computer that is permitted could wreak havoc the way you have things.

 
credmood (author) commented:
Sorry Dr-IP, I was a bit flippant with my *no security* statement. I have all the standard security measures in place: virus scanners on all machines that update automatically, a software update service that patches MS holes, firewalls that stop the bad people getting in, and I also *usually* vet people before they plug in. However, as we all know, you can't be sure of this 100% of the time...; as everyone says, it's the internal *physical* side of things that has the most flaws. I was just referring to your first line: *Setting up something to keep people from being able to just waltz in the door with a laptop and plug it into the network is a good idea security wise*...

The remote users are always a problem; however, I need to a) turn split tunneling off and b) set up the Cisco VPN client to *kick in* as soon as a connection to the internet is initiated.... a problem that I'm aware of and need to get round to doing.... but as pseudocyber says, time and money are not usually on our side ;o)

I'll check out all of the above. Thanks for all your help.
 
credmood (author) commented:
All, I will be assigning points to you on this; I'm just leaving it open until I get my Catalyst switch (this coming week), on which I'm going to test some of the points from above.
 
credmood (author) commented:
The switch that I got wasn't up to the task, so I'm going to have to get some money from somewhere and buy a decent one....

Thanks for all your pointers, I will be using them.
