On Mon, September 24, 2012 12:58, Thomas Lange wrote:
>>>>>> On Mon, 3 Sep 2012 22:40:08 +0200, "Andreas B. Mundt"
>>>>>> <[email protected]> said:
>
> > * Add the MAC addresses of all machines to be installed to
> > dhcpd.conf. You have to make sure that nobody in the network
> > can fake a MAC address if you do that by some automatic means.
>
> > Did I miss something?
>
> Yes. You _can_ fake MAC addresses easily :-(
> I don't know how to prevent this. Maybe setting fixed MAC addresses on
> every port of your switch. But this will be a lot of work, and some
> (or maybe most) switches can be fooled by MAC address flooding.
Not necessarily a lot of work. Some switches allow you to specify the maximum number of MAC addresses on a switch (auto-learning them), and once that number has been reached, no other MACs will be paid attention to:

http://www.hp.com/rnd/device_help/help/hpwnd/webhelp/HPJ4121A/security_perports.htm
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html#wp1070234

This still doesn't solve MAC spoofing, but it tends to be an obscure enough feature that for the "casual attacker" it will throw a reasonable curve ball.

At the end of the day, if you need to really be secure, you need to have some kind of state on the client machine (Kerberos password, 802.1x credentials, etc.)--which generally doesn't exist on a clean image.
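To make the behaviour described in this reply concrete, here is a small model of per-port MAC limiting, written as an added example for this thread rather than taken from any switch vendor's documentation or from the FAI project. Each port auto-learns up to a configured number of source MAC addresses and drops frames from any further address, a violation counter shows what MAC flooding looks like from the switch's side, and one frame illustrates the caveat above: a cloned, already-learned MAC on the same port is forwarded. The port names, MAC addresses and the "drop and count" violation handling are constructed simplifications.

```python
"""Model of per-port MAC limiting ("port security") as described in the
thread: each port auto-learns up to max_macs source addresses and drops
frames from any further address. Added example; the port names, MAC
addresses and the violation handling (drop and count, rather than shutting
the port down) are constructed simplifications, not a real switch's code."""
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-33-44-55 == 00:11:22:33:44:55."""
    return mac.lower().replace("-", ":")


class PortSecurity:
    def __init__(self, max_macs: int = 1) -> None:
        self.max_macs = max_macs
        self.learned = defaultdict(set)     # port -> set of sticky-learned MACs
        self.violations = defaultdict(int)  # port -> dropped-frame count

    def frame(self, port: str, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if dropped."""
        mac = normalize_mac(src_mac)
        allowed = self.learned[port]
        if mac in allowed:
            # The limit of the scheme: a host that clones an already-learned
            # MAC on the same port is indistinguishable from the real one.
            return True
        if len(allowed) < self.max_macs:
            allowed.add(mac)           # learn the first max_macs addresses seen
            return True
        self.violations[port] += 1     # over the limit: drop and record
        return False

    def flooding_ports(self, threshold: int) -> list:
        """Ports whose violation count suggests a MAC-flooding attempt."""
        return sorted(p for p, n in self.violations.items() if n >= threshold)


# Constructed sample traffic: (ingress port, source MAC)
SAMPLE_FRAMES = [
    ("Gi1/0/1", "00:11:22:33:44:55"),   # legitimate host, learned
    ("Gi1/0/1", "00:11:22:33:44:55"),
    ("Gi1/0/1", "de:ad:be:ef:00:01"),   # second MAC on a max-1 port: dropped
    ("Gi1/0/2", "aa:bb:cc:dd:ee:ff"),   # legitimate host on port 2, learned
    ("Gi1/0/2", "00:11:22:33:44:55"),   # port 1's MAC seen on port 2: dropped
    ("Gi1/0/1", "00-11-22-33-44-55"),   # same MAC as the learned host: forwarded
] + [("Gi1/0/3", f"02:00:00:00:00:{i:02x}") for i in range(20)]  # flood on port 3


def run_sample(max_macs: int = 1):
    """Feed the constructed frames through port security; return (state, decisions)."""
    ps = PortSecurity(max_macs)
    decisions = [ps.frame(port, mac) for port, mac in SAMPLE_FRAMES]
    return ps, decisions


if __name__ == "__main__":
    ps, decisions = run_sample()
    for (port, mac), fwd in zip(SAMPLE_FRAMES, decisions):
        print(f"{port:8} {mac:17} {'forward' if fwd else 'DROP'}")
    print("violations:", dict(ps.violations))
    print("possible MAC flooding on:", ps.flooding_ports(threshold=10))
```

Real switches additionally let you choose what a violation does (typically protect, restrict or shut the port down); the model here only drops and counts so the flooding signal stays visible. The sixth frame is the point the reply makes: the check is "is this MAC one the port has learned", so a cloned address passes, which is why it is a speed bump rather than authentication.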
