Date:      Mon, 5 Apr 2004 13:09:52 +0300
From:      Adrian Penisoara <ady@freebsd.ady.ro>
To:        freebsd-security@freebsd.org
Subject:   Q: Controlling access at the Ethernet level
Message-ID:  <611C2010-86E9-11D8-A962-000A95776E22@freebsd.ady.ro>

Hi,

    I am searching for a solution that will enable me to control the
access of clients to an Ethernet network that spans over about an entire
quarter; most of the connected stations are running MS Windows.

    We are facing service theft through impersonation, either solely IP 
or both IP and Ethernet MAC address. Securing IP access was solved 
using a static ARP scheme (we used "staticarp" for the internal gateway 
interface and tied to it a fixed list of IP/MAC tuples), but some of 
the clients learnt how to change both the IP and the MAC.

   We have thought about using static MAC entries per port on managed 
switches installed at the client endpoints, but that would require an
overwhelming budget. We are also thinking about L2TP and PPPoE, but I
am uncertain about compatibility.

   What would you recommend? Are there any other elegant solutions?

   I also heard about 802.1x technology and it seems to be an interesting
and professional alternative; I just don't know how well supported it is
on the server side, namely FreeBSD.

  Thank you.

--
Ady (@freebsd.ady.ro)
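
An added example, not part of the original message: a small Python audit that compares observed IP/MAC source pairs against a fixed IP/MAC list like the one the message describes. The list format, the addresses and the function names are constructed for illustration; the run shows that an IP-only change is flagged, while a pair that copies both the IP and the MAC matches the list and produces no finding.

```python
# Constructed fixed list of IP/MAC tuples ("IP MAC" per line, '#' for comments).
BINDINGS = """\
# ip        mac
10.0.0.11   02:00:00:00:00:11
10.0.0.12   02:00:00:00:00:12
10.0.0.13   02:00:00:00:00:13
"""

# Constructed (source IP, source MAC) pairs, assumed to have been extracted
# from frames seen on the gateway's internal interface.
OBSERVED = [
    ("10.0.0.11", "02:00:00:00:00:11"),  # listed pair
    ("10.0.0.12", "02:00:00:00:00:99"),  # listed IP, unknown MAC (IP-only change)
    ("10.0.0.13", "02:00:00:00:00:11"),  # listed MAC used with another client's IP
    ("10.0.0.50", "02:00:00:00:00:44"),  # IP that is not on the list at all
    ("10.0.0.12", "02:00:00:00:00:12"),  # owner or a full IP+MAC copy: identical
]

def parse_bindings(text):
    """Return {ip: mac} from 'IP MAC' lines, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, mac = line.split()[:2]
            table[ip] = mac.lower()
    return table

def audit(bindings, observed):
    """Return (ip, mac, reason) for every pair that disagrees with the list."""
    owner = {mac: ip for ip, mac in bindings.items()}
    findings = []
    for ip, mac in observed:
        mac = mac.lower()
        if bindings.get(ip) == mac:
            continue  # matches the list; a full IP+MAC copy also lands here
        if ip not in bindings:
            reason = "unlisted-ip"
        elif mac in owner:
            reason = "listed-mac-on-wrong-ip"
        else:
            reason = "unlisted-mac"
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_bindings(BINDINGS), OBSERVED):
        print(*finding)
```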


