Hash: RIPEMD160

John Conover wrote:
| Does knowledge of the internal MAC addresses on a network, (including
| the routers,) present a security issue?

In a word: yes. With caveats.

An attacker with knowledge of the MAC addresses of your equipment *and*
access to the same Layer 2 network where that kit is installed can mount
easy denial of service or man-in-the-middle type attacks against those

Of course, if the attacker has access to the L2 network segment, then it's
pretty easy for them to discover MAC addresses just from passing traffic
or the ARP cache of whatever device they've compromised.  Protecting MAC
addresses at that level is basically impossible.  Or in other words, don't
worry too much about trying to hide MAC addresses inside your network --
it's far more important to ensure that the equipment on that same network
segment is *all* locked down well.  Any easy targets on a network can act
as staging posts through which to mount attacks against the more
interesting machines.

If the attacker doesn't have access to that L2 network, then their knowing
what the MAC addresses are will actually identify equipment manufacturers
and possibly even specific hardware variants, which could be invaluable to
them in developing an attack.  MAC addresses are a somewhat unusual means
of doing this sort of reconnaissance, since either you've basically got to
have already succeeded in breaking in, or you have to mount a  social
engineering attack against the sort of technically adept people that know
what a MAC address is in order to get hold of them



- --
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
~                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
~                                                      Kent, CT11 9PW, UK
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to