Blocking by MAC Address -

 
 
aman11 (11-23-2005, 06:20 PM)
I am trying to block out MAC addresses from rogue computers attaching to our network. I was thinking of setting up a reservation on our DHCP server with a bogus IP address (10.10.10.1) for each of the MAC addresses of the computers that I want to lock out. Can anyone give me any insight on the best practices for blocking by MAC address?

thanks

 
Miha Pihler [MVP] (11-23-2005, 07:35 PM)
Hi,

I am not aware of any way of doing this on Windows out of the box. You have to know that a MAC can be changed in about 10 seconds on any computer. Now all I have to do is assign myself the MAC of your computer (since you have access to everything)...
What are you trying to protect? There might be a better way of doing what you want.

--
Mike
Microsoft MVP - Windows Security

 
FabrizioV (11-24-2005, 11:15 AM)
Good morning.

The best way would be to use the 802.1X protocol.

It requires, of course, switches supporting the protocol and a RADIUS server/certification authority (if you have Windows 2003 it is easy to set up a C.A. and RADIUS).
Then you put a digital certificate on all the recognized workstations.

When a computer connects to a network switch, the switch verifies the computer certificate on the C.A. using RADIUS.
If the computer is without a valid certificate, the port of your switch will stay off, cutting out the rogues.

This is the only "secure enough" method I know and, most important, it is the only one giving you the chance to block a rogue BEFORE it gets an IP address of your network from DHCP.

 
Miha Pihler [MVP] (11-24-2005, 08:07 PM)
Hi,

Mitigating the Threats of Rogue Machines-802.1X or IPsec?
http://www.microsoft.com/technet/com...mt/sm0805.mspx

--
Mike
Microsoft MVP - Windows Security

 
FabrizioV (11-25-2005, 05:56 AM)
Good morning Mike.
The article is really interesting and IPSEC is an option to consider.
An issue (IMHO) is the overhead you'll have on the clients and (most important) on the servers when you encrypt all the traffic on your network.
As you can see in this article:
http://www.microsoft.com/technet/com...k/net0610.mspx

"CPU on servers can be a problem but it can be mitigated by using IPSEC offload card from vendors like 3COM and Intel."

So, if you already have or are going to buy SSL/IPSEC dedicated cards for your data center, IPSEC is a good choice.
Otherwise, if you have Windows 2003 and 802.1x enabled network switches, dot1x should be your choice.

Fabrizio Volpe


 
Miha Pihler [MVP] (11-25-2005, 02:31 PM)
Hi,

You don't have to use encryption. You can set up ESP-Null. In this case packets only get authenticated. This will still add a bit of load to the processor, since it has to check every packet, but this will in general be a few percent (3-5). Most servers' CPU usage is more or less below 10%, so adding 3-5% should not be a problem.

--
Mike
Microsoft MVP - Windows Security

 
Antonio Cardoso (11-28-2005, 11:50 AM)
You can do this by validating on the switches... if you have Cisco you can send a trap each time a MAC is added to a port and then validate that the MAC is authorized....

regards

 
Miha Pihler [MVP] (11-28-2005, 04:13 PM)
As an attacker I can still bypass 802.1x on the switch.

--
Mike
Microsoft MVP - Windows Security

 
Antonio Cardoso (11-28-2005, 04:31 PM)
Not quite,

the idea is to change the VLAN of the port dynamically.

VLAN A -> Connection VLAN
VLAN B -> Validation VLAN
VLAN C -> Production VLAN

user always connects to VLAN A
user must go to the server from VLAN B to validate that the machine is OK
user passes "machine OK", then goes to VLAN C

always check if there are 2 MACs on one port; if so, port-down... :-)
this means no hubs in the environment.

regards

 
Miha Pihler [MVP] (11-28-2005, 05:11 PM)
Again, an attacker could still bypass 802.1x with this configuration.

The switch will only see one MAC. What is stopping an attacker from assigning himself the same MAC as a valid computer? There are a few other ways to fool a switch into allowing more than one MAC per port (even if configured otherwise).

This is very well described here under "Why 802.1X on wired networks is insufficient":
http://www.microsoft.com/technet/com...mt/sm0805.mspx

--
Mike
Microsoft MVP - Windows Security


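A defender-side check that models the exchange above: Antonio's control (a notification per MAC learned on a port, checked against an authorized list, port shut if a second MAC appears) together with Mike's caveat that a copied MAC passes such a list, so the check also flags one authorized MAC learned on more than one port. This is an added example, not code from the thread or from any vendor; the log line format, the MAC addresses and the port names are constructed, and a real Cisco trap or syslog line looks different.

```python
"""Check MAC-learn notifications from an access switch against an allow-list.
Added example (not from the thread); log format and all values are constructed."""
import re
from collections import defaultdict

# Constructed allow-list of MACs permitted on the access ports (hypothetical).
AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed notifications: one line per MAC learned on a port (invented format).
SAMPLE_LOG = """\
2005-11-28T11:50:01 sw1 MAC-LEARN mac=00:11:22:33:44:55 port=Gi1/0/1 vlan=10
2005-11-28T11:50:05 sw1 MAC-LEARN mac=00:11:22:33:44:66 port=Gi1/0/2 vlan=10
2005-11-28T11:51:10 sw1 MAC-LEARN mac=de:ad:be:ef:00:01 port=Gi1/0/3 vlan=10
2005-11-28T11:52:00 sw1 MAC-LEARN mac=00:11:22:33:44:55 port=Gi1/0/7 vlan=10
2005-11-28T11:52:30 sw1 MAC-LEARN mac=00:11:22:33:44:99 port=Gi1/0/2 vlan=10
"""

LINE_RE = re.compile(r"MAC-LEARN mac=(?P<mac>[0-9A-Fa-f:]{17}) port=(?P<port>\S+)")

def parse(log):
    """Yield (mac, port) pairs from lines in the constructed format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("mac").lower(), m.group("port")

def evaluate(log, authorized=AUTHORIZED):
    """Apply the allow-list and the two-MACs-per-port rule, plus a clone check."""
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    unauthorized = set()
    for mac, port in parse(log):
        macs_by_port[port].add(mac)
        ports_by_mac[mac].add(port)
        if mac not in authorized:
            unauthorized.add((mac, port))
    # Antonio's rule: a second MAC on a port means a hub or a rogue; shut the port.
    shutdown = {p for p, macs in macs_by_port.items() if len(macs) > 1}
    # Mike's caveat: an authorized MAC is trivially copied. The allow-list cannot
    # see that, but the same MAC learned on two ports at the same time can.
    cloned = {m for m, ports in ports_by_mac.items()
              if m in authorized and len(ports) > 1}
    return {
        "unauthorized": sorted(unauthorized),
        "shutdown_ports": sorted(shutdown),
        "possible_clone": sorted(cloned),
    }

if __name__ == "__main__":
    for kind, items in evaluate(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

On the constructed log this shuts Gi1/0/2 (two MACs), reports the two unlisted MACs, and flags 00:11:22:33:44:55 because it was learned on Gi1/0/1 and Gi1/0/7; the clone signal is a hint, not proof, since the legitimate host may simply have moved ports.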
 