This discussion has been locked.

MAC Filtering on Internal Network

Hello,

We currently have a SG210 UTM deployed with 3 REDs within our network. We have a set of MAC addresses defined for each of the networks (i.e. Internal + 3 RED networks).

We are able to manage who effectively has access to our network easily on the REDs through the MAC whitelist/blacklist option. However, we are not able to do so for our internal network! There doesn't seem to be an easy way to do it, we think.

Any suggestions on how we should control who can connect to our internal network?

Thanks! 



  • If you are looking at MAC filtering (OSI layer 2), that would be the job of the switch connected to the UTM. You will need a managed switch to do this.

  • So, essentially, there is no way within the UTM's configuration to control who can connect to our internal network and who cannot?

    Our concern is that even if we turn on the DHCP server on the internal network, a user can still assign themselves an IP address manually and connect to the network. However, with MAC filtering on, we add an extra layer of security and prevent an outsider from connecting to our network.

    Can you suggest a way to manage this through the firewall configuration?

    Thanks!

  • I don't think there is. A person connecting to your network will generally connect via a switch. That will get them on at the layer 2 level. Now that they are physically connected, they can get up to all sorts, e.g. ARP poisoning, sniffing, etc. The UTM will sit further up the chain and essentially operates at layer 3 and above. If you take the UTM out of the equation, an unknown client will still be connected.

    MAC filtering is a way to prevent this, although it is easily overcome. RADIUS authentication is the de facto standard here if you are trying to prevent a determined user from achieving a connection from an unknown client. It does have administrative overhead though, and is generally not used for small networks with few users.

    Even your REDs can easily be overcome by a determined user, e.g. MAC spoofing etc., but I emphasise "a determined user" here. You need to know your risks with regards to this.

    My guess is, the reason you can do it with the REDs (I don't have one) is because they are semi-managed, i.e. you can enter MAC addresses within them to not allow, whereas your local switch is unmanaged.
    To employ MAC filtering at this level, you will need to change your switch to a managed one where you can manage each port.

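The following is an added example, not code from the thread, the UTM or the RED devices. It models the two points made in the replies above: a managed-switch port that admits frames by source MAC is defeated by a client that simply rewrites that field (the "MAC spoofing" the reply mentions), whereas a port that stays closed until the client proves a secret (the idea behind 802.1X/RADIUS) is not. The frames, MAC addresses, user names and secrets are all constructed for the demo, and the challenge/response exchange is a simplified stand-in for a real EAP method, not the actual 802.1X protocol.

```python
"""Added example: MAC allowlisting vs. credential-based port authorization.

Everything here is constructed for illustration. The challenge/response is a
simplified stand-in for EAP over 802.1X/RADIUS, not the real wire protocol.
"""
import hashlib
import hmac
import os
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Minimal Ethernet II frame: dst(6) | src(6) | ethertype(2) | payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def src_mac(frame: bytes) -> str:
    """Parse the source MAC from an Ethernet II header (bytes 6..12)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return mac_to_str(frame[6:12])


class MacFilterPort:
    """A managed-switch access port with a static MAC allowlist.

    The only evidence it can act on is the (unauthenticated) source address
    the client itself writes into the frame.
    """

    def __init__(self, allowed: set[str]):
        self.allowed = {m.lower() for m in allowed}

    def admit(self, frame: bytes) -> bool:
        return src_mac(frame).lower() in self.allowed


def spoof_src(frame: bytes, new_src: str) -> bytes:
    """What a determined user does after sniffing a legitimate MAC on the
    segment: overwrite the 6-byte source field. On a Linux client this is
    equivalent to `ip link set dev eth0 address <mac>` before connecting."""
    return frame[:6] + mac_to_bytes(new_src) + frame[12:]


class CredentialPort:
    """The idea behind 802.1X/RADIUS: the port is closed until the client
    proves possession of a per-user secret (held by the RADIUS server).

    Simplified stand-in: HMAC challenge/response with a fresh nonce per
    attempt, which also stops replay of a captured answer.
    """

    def __init__(self, user_db: dict[str, bytes]):
        self.user_db = user_db            # username -> shared secret (constructed)
        self.pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def authorize(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # each nonce is single-use
        secret = self.user_db.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(nonce: bytes, secret: bytes) -> bytes:
    """Supplicant side: prove the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    staff_mac, rogue_mac = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    port = MacFilterPort({staff_mac})
    staff_frame = build_frame("ff:ff:ff:ff:ff:ff", staff_mac, b"constructed payload")
    rogue_frame = build_frame("ff:ff:ff:ff:ff:ff", rogue_mac, b"constructed payload")

    results = {
        "mac_filter_admits_staff": port.admit(staff_frame),
        "mac_filter_blocks_rogue": not port.admit(rogue_frame),
        # The attacker sniffed staff_mac and rewrote their own frame with it.
        "mac_filter_fooled_by_spoof": port.admit(spoof_src(rogue_frame, staff_mac)),
    }

    auth = CredentialPort({"alice": b"constructed-secret"})
    good = client_response(auth.challenge("alice"), b"constructed-secret")
    results["credential_admits_alice"] = auth.authorize("alice", good)
    # Spoofing the MAC gives the attacker nothing: without the secret the
    # response to a fresh challenge is wrong, and replaying Alice's captured
    # response fails because its nonce was already consumed.
    results["credential_blocks_guess"] = not auth.authorize(
        "alice", client_response(auth.challenge("alice"), b"guess"))
    auth.challenge("alice")
    results["credential_blocks_replay"] = not auth.authorize("alice", good)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The practical takeaway matches the reply: a MAC allowlist raises the bar only against accidental or casual connections, because the source MAC is written by the client and is visible to anyone on the same segment; 802.1X on a managed switch (with a RADIUS server holding the credentials) is what actually ties port access to something the client must possess.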
