
List:       firewall-wizards
Subject:    Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?
From:       "Ben Nagy" <ben () iagu ! net>
Date:       2003-01-29 9:56:29

----- Original Message -----
From: "Luca Berra" <bluca@comedia.it>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Wednesday, January 29, 2003 12:23 AM
Subject: Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?


> On Sat, Jan 25, 2003 at 12:53:35AM +0100, Luca Berra wrote:
> >On Wed, Jan 22, 2003 at 09:21:25AM +0100, Ben Nagy wrote:
> >>Put me down as a "me too" for Wes's post.
> >>
> >>Static IP assignment for individual clients is insane. If you want
> >>strong(ish) machine-based security then look at switch port MAC filters;
> >>they're also insane from a management point of view but at least they
> >>actually offer a positive security delta.
> >
> >You will probably want to implement 802.1X; MAC filters are a nightmare
> >to manage.
>
> Besides that, MAC addresses can be faked, and if the scenario is someone
> having access to the client workstation LAN and trying to escalate
> privileges, it is not even difficult to gather the correct IP/MAC combo.
>
> L.

Switch port MAC filters mean that an attacker needs to be sitting on the
correct switch port, as well as being able to fake their MAC address (which,
although possible, isn't as easy with Ethernet devices as it is with
802.11).

If we're assuming that our attacker can easily forge MAC addresses, then I
don't see why the well-known 802.1X attacks aren't just as dangerous when
we're using it on Ethernet as when it's used on 802.11.

I'd suggest that against an attacker who can forge MAC addresses then
port-MAC filters are actually stronger than 802.1X, if only because you can
still apply physical security based on the patch panels, wall-points and
switch ports. I'm also happy to concede that it's a dumb way to try and
administer a network.

I'm interested in this push towards 802.1X on Ethernet - I'm wondering if
someone has spent a longer time than I have thinking about risks and threat
scenarios?

Cheers,

ben
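The distinction Ben draws above (a forged MAC only helps if it also shows up on the one switch port that permits it) is easy to see in code. The following is an added illustration, not code from the thread or from any switch vendor: a port-to-MAC allowlist check of the kind a switch port MAC filter performs, run over a few constructed frame observations. The port names, MAC addresses and the three verdict labels are all assumptions made for the example.

```python
"""Added example: enforce a per-port MAC allowlist the way a switch port MAC
filter does. All ports, MACs and frames below are constructed sample data."""

# Constructed allowlist: switch port -> set of MAC addresses permitted on it.
PORT_ALLOWLIST = {
    "Gi0/1": {"00:11:22:33:44:55"},
    "Gi0/2": {"00:11:22:33:44:66"},
}

# Constructed observations: (ingress port, source MAC) as a switch would learn them.
OBSERVED_FRAMES = [
    ("Gi0/1", "00:11:22:33:44:55"),   # legitimate host on its own port
    ("Gi0/2", "00-11-22-33-44-55"),   # a known MAC, but arriving on the wrong port
    ("Gi0/1", "dead.beef.0001"),      # MAC nobody registered, on a filtered port
]


def normalize_mac(mac: str) -> str:
    """Return the canonical lower-case 'aa:bb:cc:dd:ee:ff' form.

    Accepts ':', '-' and Cisco-style '.' separators so that the same address
    written differently by different tools compares equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_frame(port: str, mac: str, allowlist=PORT_ALLOWLIST) -> str:
    """Classify one observed frame against the allowlist.

    'allow'       - MAC is permitted on this port
    'wrong-port'  - MAC is registered somewhere, but not on this port
                    (the case a port filter catches that a bare MAC filter would not)
    'unknown-mac' - MAC is not registered on any port
    """
    canonical = normalize_mac(mac)
    if canonical in allowlist.get(port, set()):
        return "allow"
    if any(canonical in macs for macs in allowlist.values()):
        return "wrong-port"
    return "unknown-mac"


def audit(frames=OBSERVED_FRAMES, allowlist=PORT_ALLOWLIST):
    """Run every observation through check_frame and return (port, mac, verdict)."""
    return [(port, normalize_mac(mac), check_frame(port, mac, allowlist))
            for port, mac in frames]


if __name__ == "__main__":
    for port, mac, verdict in audit():
        print(f"{port:6} {mac}  {verdict}")
```

The "wrong-port" verdict is the whole point of the argument in the message: with a per-port allowlist, knowing a valid MAC is not enough, the attacker also has to be plugged into that MAC's port, which is where physical security of patch panels and wall points comes back into play.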



_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
