Controlling access at the Ethernet level
Hernan Nuñez
hnunez at vianetworks.com.ar
Tue Apr 6 06:59:56 PDT 2004
Adrian,
ipfw2 enables you to control access from ether_demux() and ether_output_frame() [ipfw(8)]. Some ipfw2 options are dst-mac src-mac mac-type.
Regards,
Hernan
----- Original Message -----
From: "Adrian Penisoara" <ady at freebsd.ady.ro>
To: <freebsd-security at freebsd.org>
Cc: <freebsd-isp at freebsd.org>
Sent: Sunday, April 04, 2004 3:22 PM
Subject: Q: Controlling access at the Ethernet level
> Hi,
>
> I am searching for a solution that will enable me to control the
> access of clients to a Ethernet network that spans over about an entire
> quorter; most of the connected stations are running MS Windows.
>
> We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved
> using a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of
> the clients learnt how to change both the IP and the MAC.
>
> We have thought about using static MAC entries per port on managed
> switches installed at the client endpoints, but that would require a
> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
> am uncertain about compatibility.
>
> What would you recommand ? Are there any other elegant solutions ?
>
> I also heard about 802.1x technology and seems to be an interesting
> and professional alternative; I just don't know how well supported is
> on the server side, namely FreeBSD.
>
> Thank you.
>
> --
> Ady (@freebsd.ady.ro)
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list