Blocking a MAC Address on SBS 2003 from all access LAN & WAN

SonicWALL TZ170 Wireless STD OS, handles WLAN DHCP
SBS 2k3, handles LAN DHCP

How do I block a user from gaining access to the internet and/or network?

I have a subcontractor who is not tech savvy who brings in their laptop to work infected and the boss does not want to even spend 1 minute fixing it because they are not really a part of our company. To eliminate any threats they may bring in he wants them to have NO internet or network access. I have the MAC address. They connect via Ethernet *not* wireless. Wireless access is being blocked via MAC address filtering on the SonicWALL if they should try to connect to the WLAN.
Blue Street Tech (Last Knight) Asked:
Spar-Q Commented:
What are you using for switching? Any enterprise grade switch should be able to block access to a certain mac address to a switch port. I know cisco can do it.
Blue Street Tech (Last Knight) Author Commented:
@Spar-Q: Thanks for the quick response! Firewall/Router is the SonicWALL...all the switches are dumb (unmanaged).
Spar-Q Commented:
Then there is no reliable way to accomplish your goal. I'm not familiar with how the SonicWALL works, but you may be able to block access to the internet from it via MAC filtering... but he could get onto the network just fine via setting his IP statically if he wanted.

If you are assuming he is absolutely too stupid to do that, and will rely solely on DHCP, then you can try setting a reservation on the server using his MAC address, and seclude him to some random subnet not used on your network. Like, 10.234.134.0 for example. I'm not 100% sure this will work, but it's an idea that just came to mind. This will limit his ability to communicate with any other hosts on the network, except maybe just the DHCP server.

I'll play around with this idea and see if I can find instructions for you to do it.
Blue Street Tech (Last Knight) Author Commented:
Yes, she is not tech savvy at all...she would not even know how to assign a static IP address to herself.

Thanks for digging deeper.
Spar-Q Commented:
Hell - I just played around in my server 2008 r2 VM, and it may be easier than that, even.

Right click on the IPV4 (and IPV6) parts of the tree in the DHCP server. Select properties. Go to the "Filters" tab. Check off Deny. Now go to the filters section under the IPV4 and IPV6 trees, and add the MAC address to those lists. It will prevent that MAC from getting a DHCP lease.

But as I stated earlier. The person could circumvent that by setting an IP manually.
Blue Street Tech (Last Knight) Author Commented:
In 2k3 I don't have an IPV4 or 6 part of the tree under the DHCP server. Attached is what I am looking at.
(Attachment: DHCP-Tree-SBS2k3.JPG)
Spar-Q Commented:
Oh, hmm. I misread that you were using sbs2008. I'll have to get back to you then. May take until tomorrow.
Blue Street Tech (Last Knight) Author Commented:
I'm not sure if this will work either but here is what I did so far. (attached)
(Attachment: DHCP-ErroneousReservation.JPG)
Spar-Q Commented:
That would work to prevent access to the internet, but the machine would still be able to communicate over the network. A virus could broadcast to 192.168.0.255 or 255.255.255.255, and other machines would have to process the packet.

But now that I say that, I think my previous hack solution would produce the same vulnerability. A broadcast to 255.255.255.255 would hit all machines, even if the computer's IP was 199.199.199.198.

So in the end, your solution will help mitigate SOME threats, but it's still not flawless. You would need a managed switch to really block access.
Blue Street Tech (Last Knight) Author Commented:
I discarded our workaround and installed the Call Out addon successfully. I am not seeing her registered in DHCP but I also have not confirmed that she has tried as of yet...but the solution looks promising. If she gains no IP nothing will transmit, correct?!
Spar-Q Commented:
She will get an IP of 169.254.x.x with subnet 255.255.0.0. As stated, a broadcast to 255.255.255.255 will still reach all computers on the segment of LAN not separated by your SonicWALL. Also, she can communicate with any other PC on the segment with APIPA.
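The two preceding comments hinge on what the DHCP server actually saw: the author cannot tell whether the laptop has tried to lease, and Spar-Q notes that a denied client falls back to APIPA. The following script is an added example, not code from the thread or from the Callout DLL, that triages Windows DHCP server audit log lines (the DhcpSrvLog-*.log files) for a blocked MAC and reports whether it was denied, never showed up, or was leased anyway. The log lines and MAC addresses are constructed; the column layout and event IDs 10/11/15 follow the audit log's own header.

```python
"""Triage a Windows DHCP server audit log for a MAC that is supposed to be denied.
Added example; constructed sample data, not the thread's own environment."""
import csv
import io

# Windows DHCP audit log event IDs (listed in the log file's own banner).
LEASE_GRANTED = {"10", "11"}   # new lease / renewal
LEASE_DENIED = {"15"}          # "A lease was denied"


def norm_mac(mac: str) -> str:
    """Normalise '00-11-22-AA-BB-CC', '00:11:22:aa:bb:cc' or '001122AABBCC' to bare upper hex."""
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")


def triage(log_text: str, blocked_macs) -> dict:
    """Return {mac: {'granted': [ip, ...], 'denied': n, 'seen': n}} for each blocked MAC."""
    blocked = {norm_mac(m) for m in blocked_macs}
    report = {m: {"granted": [], "denied": 0, "seen": 0} for m in blocked}
    for row in csv.reader(io.StringIO(log_text)):
        # Data rows start with a numeric event ID; the header and banner lines do not.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        event_id, _date, _time, _desc, ip, _host, mac = (c.strip() for c in row[:7])
        mac = norm_mac(mac)
        if mac not in blocked:
            continue
        report[mac]["seen"] += 1
        if event_id in LEASE_GRANTED:
            report[mac]["granted"].append(ip)   # the MAC filter is NOT doing its job
        elif event_id in LEASE_DENIED:
            report[mac]["denied"] += 1          # the MAC filter rejected the request
    return report


# Constructed sample lines in the audit log's column layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,07/26/10,08:00:01,Started,,,,
10,07/26/10,08:05:12,Assign,192.168.0.101,desk01.example.local,0050568A1111,
15,07/26/10,08:07:45,Deny,,CONTRACTOR-LT,0050568A2222,
11,07/26/10,08:15:03,Renew,192.168.0.101,desk01.example.local,0050568A1111,
"""

if __name__ == "__main__":
    for mac, r in triage(SAMPLE_LOG, ["00-50-56-8A-22-22"]).items():
        status = ("LEASED (filter bypassed)" if r["granted"]
                  else "denied" if r["denied"] else "no activity")
        print(f"{mac}: {status} (events seen: {r['seen']})")
```

A "denied" or "no activity" result only tells you the laptop got no lease from this server; as the answer above says, it will still self-assign a 169.254.x.x address and can still broadcast on the segment.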
Blue Street Tech (Last Knight) Author Commented:
Ah, I see. So this IS still a faulty solution in lowering threat risk. Any other thoughts on how to do this then?
Spar-Q Commented:
Only way, like I said, is to block it at the switch port. But since your switch is unmanaged, that's a non-starter.
Spar-Q Commented:
Well, here's a convoluted solution: implement IPsec on your network, and only allow communication that is authenticated. I'm no IPsec expert, but I think it could work. It would be overkill though, and would degrade your network performance and be a bitch to set up on all computers.
Blue Street Tech (Last Knight) Author Commented:
I see. Yeah, this is a small environment - I think you're right about overkill. If she can't follow directions they should just replace her. I will award you points for the Call Out solution - initially, w/o the security threat issues, it does satisfy the requirement of not letting her on the internet or network in the non-tech-savvy way, meaning she would not know how to access it via APIPA, etc. Simply trying to go to the web and it failing will suffice. Thanks for all your efforts!

P.S. here is the site to download the Call Out Add On: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx. The site listed above in the solution's link is broken.