Solved

Blocking a MAC Address on SBS 2003 from all access LAN & WAN

Posted on 2011-10-06
Last Modified: 2012-05-12
SonicWALL TZ170 Wireless STD OS, handles WLAN DHCP
SBS 2k3, handles LAN DHCP

How do I block a user from gaining access to the internet and/or network?

I have a subcontractor who is not tech savvy and brings their infected laptop in to work, and the boss does not want to spend even one minute fixing it because they are not really part of our company. To eliminate any threats they may bring in, he wants them to have NO internet or network access. I have the MAC address. They connect via Ethernet, *not* wireless. Wireless access is already blocked via MAC address filtering on the SonicWALL should they try to connect to the WLAN.
Question by: Blue Street Tech
16 Comments
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36927953
What are you using for switching? Any enterprise-grade switch should be able to block a given MAC address on a switch port. I know Cisco can do it.
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36927957
@Spar-Q: Thanks for the quick response! The firewall/router is the SonicWALL; all the switches are dumb (unmanaged).
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36927966
Then there is no reliable way to accomplish your goal. I'm not familiar with how the SonicWALL works, but you may be able to block access to the internet from it via MAC filtering... but he could get onto the network just fine by setting his IP statically if he wanted.

If you are assuming he is absolutely too stupid to do that, and will rely solely on DHCP, then you can try setting a reservation on the server using his MAC address, and seclude him to some random subnet not used on your network, like 10.234.134.0 for example. I'm not 100% sure this will work, but it's an idea that just came to mind. This will limit his ability to communicate with any other hosts on the network, except maybe just the DHCP server.

I'll play around with this idea and see if I can find instructions for you to do it.
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36928030
Yes, she is not tech savvy at all... she would not even know how to assign a static IP address to herself.

Thanks for digging deeper.
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36928066
Hell - I just played around in my Server 2008 R2 VM, and it may be easier than that, even.

Right-click the IPv4 (and IPv6) nodes in the DHCP server tree. Select Properties. Go to the "Filters" tab. Check Deny. Now go to the Filters section under the IPv4 and IPv6 nodes and add the MAC address to those lists. It will prevent that MAC from getting a DHCP lease.

But as I stated earlier, the person could circumvent that by setting an IP manually.
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36928130
In 2k3 I don't have an IPv4 or IPv6 node under the DHCP server. Attached is what I am looking at.
DHCP-Tree-SBS2k3.JPG
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36928137
Oh, hmm. I misread that you were using SBS 2008. I'll have to get back to you then. May take until tomorrow.
 
LVL 3

Accepted Solution

by: Spar-Q, earned 2000 total points
ID: 36928156
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36928256
I'm not sure if this will work either but here is what I did so far. (attached)
DHCP-ErroneousReservation.JPG
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36930489
That would work to prevent access to the internet, but the machine would still be able to communicate over the network. A virus could broadcast to 192.168.0.255 or 255.255.255.255, and other machines would have to process the packet.

But now that I say that, I think my previous hack solution would produce the same vulnerability. A broadcast to 255.255.255.255 would hit all machines, even if the computer's IP was 199.199.199.198.

So in the end, your solution will help mitigate SOME threats, but it's still not flawless. You would need a managed switch to really block access.
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36932140
I discarded our workaround and installed the Callout add-on successfully. I am not seeing her registered in DHCP, but I also have not confirmed that she has tried as of yet... but the solution looks promising. If she gains no IP, nothing will transmit, correct?!
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36932196
She will get an IP of 169.254.x.x with subnet 255.255.0.0. As stated, a broadcast to 255.255.255.255 will still reach all computers on the segment of the LAN not separated by your SonicWALL. Also, she can communicate with any other PC on the segment via APIPA.
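The point Spar-Q makes above is the one worth verifying rather than assuming: a MAC denied by the DHCP server (via the 2008 R2 Filters tab or the 2003 Callout DLL) still comes up on the wire, self-assigns 169.254.x.x, and can reach every host on the same unmanaged segment. The script below is an added example, not part of the original thread or of any Microsoft tool. It parses the output of Windows `arp -a` (run on the SBS box or any other PC on the segment) and flags two things: any neighbor holding an APIPA address, and the denied MAC appearing under any address at all. The `arp -a` text embedded in the block is constructed sample data in the Windows output format; the MAC `00-1E-C9-11-22-33` is a made-up stand-in for the subcontractor's laptop. The ARP cache only lists neighbors the host has recently exchanged frames with, so a clean result means "not seen lately", not "not present".

```python
"""Audit a Windows ARP cache for hosts a DHCP deny filter cannot keep off the segment."""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, Iterable, List, NamedTuple

# Link-local range a Windows host self-assigns when no DHCP lease is obtained (APIPA).
APIPA = ipaddress.ip_network("169.254.0.0/16")

# One data row of Windows `arp -a`: "  192.168.0.1   00-17-c5-aa-bb-cc   dynamic"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

# Constructed sample output; the 169.254.37.201 entry plays the denied laptop.
SAMPLE_ARP = """
Interface: 192.168.0.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-c5-aa-bb-cc     dynamic
  169.254.37.201        00-1e-c9-11-22-33     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


class Neighbor(NamedTuple):
    ip: ipaddress.IPv4Address
    mac: str      # canonical form, e.g. "00:1e:c9:11:22:33"
    kind: str     # "dynamic" or "static"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts Windows dashes, colons, Cisco dots or bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> List[Neighbor]:
    """Extract unicast neighbors from `arp -a` output, skipping headers and group addresses."""
    neighbors: List[Neighbor] = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # "Interface:" lines, column headers, blanks
        ip, raw_mac, kind = m.groups()
        mac = normalize_mac(raw_mac)
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast (ff:ff:...) and multicast (01:00:5e:...) entries
        neighbors.append(Neighbor(ipaddress.IPv4Address(ip), mac, kind.lower()))
    return neighbors


def audit(text: str, denied_macs: Iterable[str]) -> Dict[str, List[Neighbor]]:
    """Report denied MACs seen on the segment and any neighbor running on an APIPA address."""
    denied = {normalize_mac(m) for m in denied_macs}
    findings: Dict[str, List[Neighbor]] = {"denied_mac_present": [], "apipa_hosts": []}
    for n in parse_arp(text):
        if n.mac in denied:
            findings["denied_mac_present"].append(n)
        if n.ip in APIPA:
            findings["apipa_hosts"].append(n)
    return findings


if __name__ == "__main__":
    # `--live` reads the real cache on a Windows host; otherwise the constructed sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_ARP
    result = audit(text, denied_macs=["00-1E-C9-11-22-33"])  # hypothetical denied laptop MAC
    for n in result["denied_mac_present"]:
        print(f"DENIED MAC ON SEGMENT: {n.mac} at {n.ip} ({n.kind})")
    for n in result["apipa_hosts"]:
        print(f"APIPA host (no DHCP lease, still reachable): {n.mac} at {n.ip}")
    if not any(result.values()):
        print("No denied MACs or APIPA hosts in the ARP cache right now.")
```

Run it on a Windows machine with `--live` after the laptop has been plugged in for a minute; a hit on either list confirms the DHCP deny has stopped the lease but not the link-layer presence, which is exactly why only a managed switch port (or the IPsec approach mentioned below) actually isolates the host.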
 
LVL 27

Author Comment

by:Blue Street Tech
ID: 36932293
Ah, I see. So this IS still a faulty solution for lowering threat risk. Any other thoughts on how to do this, then?
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36932324
The only way, like I said, is to block it at the switch port. But since your switch is unmanaged, that's a non-starter.
 
LVL 3

Expert Comment

by:Spar-Q
ID: 36932351
Well, here's a convoluted solution: implement IPsec on your network, and only allow communication that is authenticated. I'm no IPsec expert, but I think it could work. It would be overkill though, would degrade your network performance, and would be a bitch to set up on all computers.
 
LVL 27

Author Closing Comment

by:Blue Street Tech
ID: 36932569
I see. Yeah, this is a small environment - I think you're right about overkill. If she can't follow directions, they should just replace her. I will award you points for the Callout solution - initially, without the security threat issues, it does satisfy the requirement of not letting her on the internet or network in the non-tech-savvy way, meaning she would not know how to access it via APIPA, etc. Simply trying to go to the web and having it fail will suffice. Thanks for all your efforts!

P.S. Here is the site to download the Callout add-on: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx. The site listed above in the solution's link is broken.
