How to best control network access based on MAC address

  • Question

  • What is the best way to control who can access the network based on MAC address? Probably this is possible with a firewall, but are there other ways? I can think of a DHCP server only releasing IP addresses to certain MAC addresses, but then a user could just set an IP on their client themselves.

    What are your insights about this?

    Wednesday, July 6, 2011 8:27 AM

Answers

  • Blocking DHCP is easiest, as well as least secure. If you block at the DHCP level, someone could still assign a static IP address to their NIC and play on your network. If that is a concern for you, then there are other possibilities. Most newer managed network switches contain MAC address whitelists. You log in to the switch and enter a MAC address for a specific port. Then the only way someone can join your network is to spoof a MAC address for a specific port on your switch. This is far more secure than DHCP request blocking, but it's also more labor intensive. The next step beyond MAC blocking is called network access control. You can use a network switch or dedicated appliance that will require someone to authenticate before their switch port is allowed to communicate on the network. NAC is very convenient, and very expensive. Finally, there are client-side host based security systems that accomplish the same end goal through a different manner. If you don't care if someone can access your LAN, so long as they cannot access anything on the LAN, then you could go with a software based solution such as the McAfee network access control. In essence, you install software on all of your servers and endpoints. That software only allows other authorized managed systems to talk to each other. So if someone acquires an IP address, they still can't talk to any of your servers because they're not running the managed software.

    In a small business environment that did not have the budget for a NAC appliance, I would block MAC addresses at the switch. This makes it inconvenient enough to block people from bringing in their laptops and broadcasting a virus to your business systems.

    There are always multiple methods for securing a network, however. Perhaps if you indicated why you wanted to prevent uncontrolled joins to your network, then you might receive other ideas such as firewalling, QoS, authentication-based access, a big guy walking around with a stick, and so on.

    • Marked as answer by Chrisszs Tuesday, July 12, 2011 8:11 AM
    Thursday, July 7, 2011 8:15 PM
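To see what a DHCP-only control misses, here is an added example in Python (not from the thread or any product it mentions) that audits a gateway's ARP cache against a MAC allow-list and the DHCP lease table: it flags hosts whose MAC is not on the list, and listed MACs that are using an address DHCP never leased to them, which is what a statically configured or spoofed client looks like on the wire. The allow-list, lease table and ARP dump are constructed sample data.

```python
import re
from ipaddress import ip_address

# Constructed allow-list in the mixed notations admins keep (Windows, Cisco, Unix styles).
ALLOWED_MACS = {"00-11-22-33-44-55", "0011.2233.aabb", "00:11:22:33:44:cc"}
# Constructed DHCP lease table (ip -> MAC), as the DHCP console or netsh would list it.
DHCP_LEASES = {"192.168.1.10": "00-11-22-33-44-55", "192.168.1.11": "00-11-22-33-AA-BB"}
# Constructed gateway ARP cache ("arp -a" layout): every host that talks on the segment
# appears here, whether or not DHCP ever handed it an address.
ARP_TABLE = """\
Interface: 192.168.1.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.10          00-11-22-33-44-55     dynamic
  192.168.1.11          00-11-22-33-aa-bb     dynamic
  192.168.1.50          00-11-22-33-44-cc     dynamic
  192.168.1.77          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

def normalize_mac(mac):
    """Canonicalize 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Return {ip: mac} for unicast host entries; headers and broadcast rows are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        try:
            ip_address(parts[0])
            mac = normalize_mac(parts[1])
        except (IndexError, ValueError):
            continue  # "Interface:" line, column header, or blank line
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast, not a host
            continue
        entries[parts[0]] = mac
    return entries

def audit(arp_text, leases, allowed):
    """Flag unlisted MACs, and listed MACs using an IP that DHCP never leased to them."""
    allowed_set = {normalize_mac(m) for m in allowed}
    lease_by_mac = {normalize_mac(m): ip for ip, m in leases.items()}
    findings = {"unknown_mac": [], "static_or_spoofed": []}
    for ip, mac in parse_arp(arp_text).items():
        if mac not in allowed_set:
            findings["unknown_mac"].append((ip, mac))
        elif lease_by_mac.get(mac) != ip:
            findings["static_or_spoofed"].append((ip, mac))
    return findings
```

Run against the sample data, 192.168.1.77 is reported as an unknown MAC and 192.168.1.50 as a listed MAC with no matching lease; feeding in a real `arp -a` dump and lease export works the same way.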

All replies

  • Well, you can use DHCP to manage the list of MAC addresses. In DHCP there is a feature where you can enable DHCP safe features. Basically it allows you to allow or deny access to workstations connecting to your domain.


    Guowen Su | CCNA, CCIP, MCP, MCSA, MCSE, MCTS, MCITP, CEH | http://www.microsoft.com/en/sg/default.aspx Our Goal? VERY SATISFIED Customers. If you're not... let's talk!! Please don't vote me for answers... because I do not want others to feel that I'm cheating? :) In any case God knows :)
    • Proposed as answer by Soh.M Wednesday, July 6, 2011 2:02 PM
    Wednesday, July 6, 2011 2:01 PM
  • Or you could just lock down the IP settings with GPO or a batch file so users can't change the settings and not worry about it. If you didn't want to do that, you could build a KiX script that gives members of specific security groups access to network resources. There are plenty of sample scripts out there to accomplish this.
    Wednesday, July 6, 2011 10:23 PM
  • The Windows 2008 DHCP service supports Deny and Allow permissions based on MAC address.
    Thursday, July 7, 2011 4:17 AM
  • Thank you very much for the info guys!
    Tuesday, July 12, 2011 8:12 AM