On 22 Jun 2003 at 13:54, Adam ENDRODI wrote:

> How widely do you think changing the MAC address of a NIC via
> ``ifconfig <if> hw'' is supported by the various network cards
> and drivers out there nowadays?
>
> My colleague and I have debated several times whether watching
> the LAN for non-matching IP-MAC pairs can reveal any useful
> information. I argued that it may not, since the MAC is easily
> alterable, but he objected, because it's not. Now I ask you to
> decide who is right.
AFAIK all MII-capable network cards can change their MAC address. And since most are compatible these days :-) I haven't tried it on a wider range of cards myself, but changing MACs shouldn't be too much of a problem.

All you could do is monitor the MACs / IPs on your network and see if there are any changes, which might give you a hint that somebody changed a PC (plugged his laptop into the company network or so). AFAIK there are some packages out there that do such monitoring for you.

Optionally you could configure MACs in your switch (if you've got a Cisco or the like). Put it in "learn mode" so it learns the MACs on all ports and then say "lock ports to these MACs" and you're done. When somebody tries to access the network with a different MAC you can AFAIK block that port "forever" - even if later he tries to fake the MAC. But you can't really make it secure.

If you're thinking about an "untrusted" network (where the MACs might change) you could think of installing a VPN gateway which authenticates users by tokens stored on the PCs. This way - even if someone fakes the MAC - he won't get through that gate. But that's a special case you have with e.g. wireless connections.

Stefan
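As an added example (not part of the thread, and not Stefan's or any named package's code), the kind of IP/MAC monitoring Stefan describes can be done with a small ARP watcher in the style of arpwatch. The function name `watch`, the optional `known` baseline, and the sample ARP replies below are all constructed here for illustration; a real deployment would feed it ARP replies captured off the LAN. It reports a new station, a known IP that shows up with a different MAC, and a "flip-flop" (an IP bouncing between two MACs, the usual signature of a second host claiming an address). It also shows the limit Stefan points out: a host that keeps the MAC the watcher already knows raises nothing at all.

```python
"""ARP watcher: flag changes in IP-to-MAC pairings.

Added example, not code from the mailing-list thread. The input records
are constructed here; they stand in for ARP replies sniffed off the wire.
"""
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, ip, mac) tuples.
# 10.0.0.20 is first seen with one MAC, then a second MAC claims the same
# IP, then the original MAC answers again (a flip-flop).
SAMPLE_ARP = [
    (1, "10.0.0.10", "00:11:22:33:44:55"),
    (2, "10.0.0.20", "00:11:22:33:44:66"),
    (3, "10.0.0.10", "00:11:22:33:44:55"),   # unchanged: silent
    (4, "10.0.0.20", "de:ad:be:ef:00:01"),   # known IP, different MAC
    (5, "10.0.0.30", "00:11:22:33:44:77"),   # station never seen before
    (6, "10.0.0.20", "00:11:22:33:44:66"),   # back to the first MAC: flip-flop
]


def watch(records, known=None):
    """Replay ARP records and return (table, events).

    table  : final ip -> mac mapping
    events : list of dicts {ts, ip, old, new, kind} where kind is one of
             "new station", "changed" or "flip-flop"
    known  : optional baseline ip -> mac pairs that should not be reported
             on first sight (e.g. the pairs learned during a quiet period)
    """
    table = {}
    history = defaultdict(set)          # ip -> every MAC ever seen for it
    for ip, mac in (known or {}).items():
        table[ip] = mac.lower()
        history[ip].add(mac.lower())

    events = []
    for ts, ip, mac in records:
        mac = mac.lower()
        old = table.get(ip)
        if old is None:
            kind = "new station"
        elif old == mac:
            kind = None                 # same pairing as before: nothing to say
        elif mac in history[ip]:
            kind = "flip-flop"          # an earlier MAC for this IP is back
        else:
            kind = "changed"
        if kind:
            events.append({"ts": ts, "ip": ip, "old": old, "new": mac, "kind": kind})
        table[ip] = mac
        history[ip].add(mac)
    return table, events


if __name__ == "__main__":
    _, evs = watch(SAMPLE_ARP)
    for e in evs:
        print(f"t={e['ts']} {e['kind']:<12} {e['ip']} {e['old']} -> {e['new']}")
```

Seeding `known` with the pairs learned while the network is quiet is what turns this from a stream of "new station" notices into an alarm that only fires on changes; it is the software counterpart of the switch "learn mode, then lock" step in the reply above, with the same blind spot: whoever reuses the MAC already on record is not seen.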