From: Matthew Seaman
Date: Wed, 14 Jan 2009 11:05:49 +0000
To: John Conover
Cc: freebsd-questions@freebsd.org
Subject: Re: Knowledge of MAC addresses a security issue?

John Conover wrote:
| Does knowledge of the internal MAC addresses on a network, (including
| the routers,) present a security issue?

In a word: yes. With caveats.

An attacker with knowledge of the MAC addresses of your equipment *and* access to the same Layer 2 network where that kit is installed can mount easy denial of service or man-in-the-middle type attacks against those servers.

Of course, if the attacker has access to the L2 network segment, then it's pretty easy for them to discover MAC addresses just from passing traffic or the ARP cache of whatever device they've compromised. Protecting MAC addresses at that level is basically impossible.

Or in other words, don't worry too much about trying to hide MAC addresses inside your network -- it's far more important to ensure that the equipment on that same network segment is *all* locked down well. Any easy targets on a network can act as staging posts through which to mount attacks against the more interesting machines.

If the attacker doesn't have access to that L2 network, then their knowing what the MAC addresses are will actually identify equipment manufacturers and possibly even specific hardware variants, which could be invaluable to them in developing an attack. MAC addresses are a somewhat unusual means of doing this sort of reconnaissance, since either you've basically got to have already succeeded in breaking in, or you have to mount a social engineering attack against the sort of technically adept people that know what a MAC address is in order to get hold of them.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3 ~ 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate ~ Kent, CT11 9PW, UK
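
Added example, not part of the original message: since the reply treats the ARP cache as the place where L2 address information lives and names man-in-the-middle as the risk on a shared segment, this sketch compares two ARP-cache snapshots in the format FreeBSD's `arp -an` prints and lists IP-to-MAC bindings worth reviewing. The function names, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches FreeBSD `arp -an` entries of the form "? (IP) at MAC on IFACE ...".
ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{11,17}) on ")

def normalise_mac(mac):
    """Lowercase and zero-pad each octet so 0:1B:... compares equal to 00:1b:..."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: mac}; '(incomplete)' entries do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table

def compare(before, after):
    # Both findings also occur legitimately (NIC swap, failover, IP aliases),
    # so the result is a list of bindings to review, not a verdict.
    findings = []
    for ip in sorted(after):
        old, new = before.get(ip), after[ip]
        if old is not None and old != new:
            findings.append(("mac-changed", ip, f"{old} -> {new}"))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac in sorted(owners):
        if len(owners[mac]) > 1:
            findings.append(("mac-shared", mac, ", ".join(sorted(owners[mac]))))
    return findings

# Constructed snapshots (documentation IPs, locally administered MACs).
BEFORE = """\
? (192.0.2.1) at 02:00:00:aa:bb:01 on em0 expires in 1187 seconds [ethernet]
? (192.0.2.10) at 02:00:00:aa:bb:10 on em0 permanent [ethernet]
? (192.0.2.20) at 02:00:00:aa:bb:20 on em0 expires in 602 seconds [ethernet]
? (192.0.2.30) at (incomplete) on em0 expired [ethernet]
"""
AFTER = """\
? (192.0.2.1) at 02:00:00:aa:bb:20 on em0 expires in 1200 seconds [ethernet]
? (192.0.2.10) at 02:00:00:AA:BB:10 on em0 permanent [ethernet]
? (192.0.2.20) at 02:00:00:aa:bb:20 on em0 expires in 544 seconds [ethernet]
"""

if __name__ == "__main__":
    print(compare(parse_arp(BEFORE), parse_arp(AFTER)))
```

On the constructed data the gateway address 192.0.2.1 is reported twice: its MAC changed, and the new MAC already belongs to 192.0.2.20.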