Re: Blocking by MAC Address



not quite,

the idea is to change the VLAN of the port dynamically.

VLAN A -> Connection VLAN
VLAN B -> Validation VLAN
VLAN C -> Production VLAN

the user always connects to VLAN A
the user must go to a server from VLAN B to validate that the machine is OK
once the user passes and the machine is OK, it then goes to VLAN C

always check if there are 2 MACs on one port; if so, port-down ... :-)
this means no hubs in the environment.

regards
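One way to model the per-port state machine this post describes, as an added example that is not code from the thread or from any switch vendor: a small Python controller that tracks the MACs learned on each port, moves a port from the connection VLAN to the validation VLAN when its first MAC appears, to the production VLAN once the validation server reports OK, and shuts the port when a second distinct MAC shows up. The VLAN ids, port names, the event format, and the choices that a failed machine stays in the validation VLAN and that a shut port stays shut until an operator clears it are all assumptions; in a real deployment the MAC events would come from the switch's MAC-notification traps or syslog and the VLAN change would be pushed back to the switch.

```python
"""Per-port VLAN state machine for the Connection -> Validation -> Production
flow described above. Added example, not code from the thread; VLAN ids, port
names and the event format are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set

CONNECTION_VLAN = 10   # "VLAN A" (assumed id)
VALIDATION_VLAN = 20   # "VLAN B" (assumed id)
PRODUCTION_VLAN = 30   # "VLAN C" (assumed id)


class PortState(Enum):
    CONNECTION = "connection"   # fresh link, VLAN A
    VALIDATION = "validation"   # one MAC seen, waiting on the validation server
    PRODUCTION = "production"   # machine passed, VLAN C
    DOWN = "down"               # shut: two distinct MACs seen on one port


@dataclass
class Port:
    name: str
    state: PortState = PortState.CONNECTION
    vlan: Optional[int] = CONNECTION_VLAN
    macs: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)   # trail of every transition


class VlanController:
    """Reacts to 'MAC learned' and 'validation result' events, one port at a time."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}

    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port(name))

    def _move(self, p: Port, state: PortState, vlan: Optional[int], why: str) -> None:
        p.state, p.vlan = state, vlan
        p.audit.append(f"{p.name}: -> {state.value} (vlan={vlan}) because {why}")

    def mac_learned(self, port_name: str, mac: str) -> PortState:
        """The switch reported a new source MAC on port_name (a trap or syslog line in reality)."""
        p = self.port(port_name)
        if p.state is PortState.DOWN:
            return p.state                      # a shut port ignores further events
        p.macs.add(mac.lower())                 # re-learning the same MAC is harmless
        if len(p.macs) > 1:
            # Second distinct MAC behind one port: a hub, another switch, or a host
            # that is not the one validated. Policy from the post: port-down.
            self._move(p, PortState.DOWN, None, f"second MAC {sorted(p.macs)}")
        elif p.state is PortState.CONNECTION:
            self._move(p, PortState.VALIDATION, VALIDATION_VLAN, f"first MAC {mac.lower()}")
        return p.state

    def validation_result(self, port_name: str, mac: str, passed: bool) -> PortState:
        """The validation server reported the outcome for the machine on port_name."""
        p = self.port(port_name)
        if p.state is not PortState.VALIDATION or mac.lower() not in p.macs:
            return p.state                      # stale or mismatched result: ignore
        if passed:
            self._move(p, PortState.PRODUCTION, PRODUCTION_VLAN, "validation passed")
        else:
            # Assumption: a failing machine stays quarantined in VLAN B until it passes.
            p.audit.append(f"{p.name}: stays in validation, check failed for {mac.lower()}")
        return p.state

    def link_down(self, port_name: str) -> PortState:
        """Cable pulled: forget the MACs and return to VLAN A; a shut port stays shut (assumption)."""
        p = self.port(port_name)
        if p.state is PortState.DOWN:
            return p.state
        p.macs.clear()
        self._move(p, PortState.CONNECTION, CONNECTION_VLAN, "link down")
        return p.state


# Constructed event stream standing in for switch traps and validation-server replies.
SAMPLE_EVENTS = [
    ("mac",      "Gi1/0/1", "00:11:22:33:44:55"),
    ("validate", "Gi1/0/1", "00:11:22:33:44:55", True),    # clean host -> VLAN C
    ("mac",      "Gi1/0/2", "00:11:22:33:44:66"),
    ("mac",      "Gi1/0/2", "00:11:22:33:44:77"),          # second MAC -> port-down
    ("mac",      "Gi1/0/3", "00:11:22:33:44:88"),
    ("validate", "Gi1/0/3", "00:11:22:33:44:88", False),   # fails -> stays in VLAN B
]


def run_events(events=SAMPLE_EVENTS) -> Dict[str, PortState]:
    """Feed events through a fresh controller and return each port's final state."""
    ctl = VlanController()
    for ev in events:
        if ev[0] == "mac":
            ctl.mac_learned(ev[1], ev[2])
        elif ev[0] == "validate":
            ctl.validation_result(ev[1], ev[2], ev[3])
        elif ev[0] == "linkdown":
            ctl.link_down(ev[1])
    return {name: p.state for name, p in ctl.ports.items()}


if __name__ == "__main__":
    for name, state in run_events().items():
        print(f"{name}: {state.value}")
```

The audit list on each port is the part worth keeping in a real system: it records which MAC triggered each VLAN move and why a port was shut, which is what an operator needs when clearing a port-down. A MAC address identifies a host but does not authenticate it, which is why this design layers the validation step in VLAN B on top of the MAC check rather than trusting the address alone.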

"Miha Pihler [MVP]" wrote:

> As an attacker I can still bypass 802.1x on the switch.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Antonio Cardoso" <AntonioCardoso@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:8A2BC001-F1B7-4E67-8726-1ABAA3457E72@xxxxxxxxxxxxxxxx
> > You can do this by validating the switches ... if you have Cisco you can
> > send a trap each time a MAC is added to a port and then validate that the
> > MAC is authorized ....
> >
> > regards
> >
> > "Miha Pihler [MVP]" wrote:
> >
> >> Hi,
> >>
> >> You don't have to use encryption. You can set up ESP-Null. In this case
> >> packets only get authenticated. This will still add a bit to the
> >> processor since it has to check every packet, but this will in general be
> >> a few percent (3-5). Most servers' CPU is more or less below 10%, so
> >> adding 3-5% should not be a problem.
> >>
> >> --
> >> Mike
> >> Microsoft MVP - Windows Security
> >>
> >> "FabrizioV" <FabrizioV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:7037C317-BE2F-4ECC-9CB1-3C42882E71BB@xxxxxxxxxxxxxxxx
> >> > Good morning Mike.
> >> > The article is really interesting and IPsec is an option to consider.
> >> > An issue (IMHO) is the overhead you'll have on the clients and (most
> >> > important) on the servers when you encrypt all the traffic on your
> >> > network.
> >> > As you can see in this article:
> >> > http://www.microsoft.com/technet/community/chats/trans/network/net0610.mspx
> >> >
> >> > "CPU on servers can be a problem but it can be mitigated by using IPSEC
> >> > offload card from vendors like 3COM and Intel."
> >> >
> >> > So, if you already have or you are going to buy SSL/IPsec dedicated
> >> > cards for your data center, IPsec is a good choice.
> >> > Else, if you have Windows 2003 and 802.1x-enabled network switches,
> >> > dot1x should be your choice.
> >> >
> >> > Fabrizio Volpe
> >> >
> >> >
> >> > "Miha Pihler [MVP]" wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> Mitigating the Threats of Rogue Machines-802.1X or IPsec?
> >> >> http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx
> >> >>
> >> >> --
> >> >> Mike
> >> >> Microsoft MVP - Windows Security
> >>
> >>
> >>
>
>
>