PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

From: David Gillett
Reply To: PCBUILD - Personal Computer Hardware discussion List
Date: Thu, 6 Jun 2002 00:53:49 -0700

On 5 Jun 2002, at 7:17, Westly Montroos wrote:

> Hi,
>
> I have a network with several computers, like 70 computers, all of
> them with Windows 2000, and three servers with Windows 2000 Server
> Edition. I want a lot of security on this network, but I would like
> to begin with the mac address of the workstation.
>
> My first question: when I go to cmd in Windows 2000, if I type this
> command "IPCONFIG/ALL" I get this message: "physical address".
> Could the "physical address" be the same as "mac address" of the
> network card?

  Yes.  If the interface that IPCONFIG is reporting is an Ethernet
card, the physical address shown will normally be the MAC address on
the card.

> My second question: If I got the mac address of all the network
> cards on the network, can I do this: configure the servers to give
> access ONLY to the network cards on my network and to deny access
> to network cards that do not have an origin in my network, like a
> laptop that is not in use in the company.

  I don't know of any way to do this *on the servers*.  If your
network is built around one or two fairly fancy *switches*, you may
be able to configure them so that unrecognized MAC addresses are
excluded from your network.


  It's worth asking whether you *should* do this.  Are you willing to
remember to update this configuration every time a new machine is
added, or an old NIC is replaced?  On the other hand, many NICs allow
software to change their MAC address (which gets around the
replacement problem...), but also many inexpensive routers allow this
as well.  If the router supports NAT, a user could have an entire
clandestine LAN hiding behind an apparently valid IP and MAC address,
and you'd never know about it from the network traffic.


  Anyway:  If you have a switch that allows VLANs specified by MAC
address, then you can use that to segregate known/approved MAC
addresses from all others.  You just can't really be 100% certain
that those MAC addresses belong to the machines you think they're
supposed to.  (If your users are up to spoofing MAC addresses,
though, your battle may already be lost.)

David Gillett
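
An added example, not part of the original message: a small inventory audit that reads the "Physical Address" lines from IPCONFIG /ALL reports and flags addresses that are unknown, registered to another machine, seen on two hosts, or marked as software-assigned. The host names, addresses and the inventory layout are constructed for illustration; as the reply notes, a matching address does not prove which machine is behind it.

```python
import re

# Matches the "Physical Address" line printed by IPCONFIG /ALL.
PHYS_RE = re.compile(
    r"Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def physical_addresses(ipconfig_text):
    """Return every physical (MAC) address in a report, as aa:bb:cc:dd:ee:ff."""
    return [m.replace("-", ":").lower() for m in PHYS_RE.findall(ipconfig_text)]

def locally_administered(mac):
    """True if bit 0x02 of the first octet is set, meaning the address was
    assigned in software rather than taken from a vendor's block."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(reports, inventory):
    """reports: host -> IPCONFIG /ALL text; inventory: approved MAC -> host."""
    findings, seen = [], {}
    for host, text in sorted(reports.items()):
        for mac in physical_addresses(text):
            if mac in seen:
                findings.append((host, mac, "duplicate of " + seen[mac]))
            seen.setdefault(mac, host)
            owner = inventory.get(mac)
            if owner is None:
                findings.append((host, mac, "not in inventory"))
            elif owner != host:
                findings.append((host, mac, "registered to " + owner))
            if locally_administered(mac):
                findings.append((host, mac, "locally administered"))
    return findings

# Constructed sample data: these hosts and addresses are invented.
INVENTORY = {"00:50:da:11:22:33": "WS-014", "00:50:da:44:55:66": "WS-015"}
REPORTS = {
    "WS-014": "        Physical Address. . . . . . . . . : 00-50-DA-11-22-33\n",
    "WS-015": "        Physical Address. . . . . . . . . : 00-50-DA-11-22-33\n",
    "WS-016": "        Physical Address. . . . . . . . . : 02-11-22-33-44-55\n",
}

if __name__ == "__main__":
    for finding in audit(REPORTS, INVENTORY):
        print(*finding, sep="  ")
```

The reports are self-reported by each workstation, so this is an inventory check rather than an access control; enforcement still has to happen on the switch.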
