Blocking access to a network

Hi all, I have a Netgear DG834 ADSL Firewall Router with 4 PCs connected to it. I have set the router to reserve IPs to certain MAC addresses, e.g. IPs ending in 2-5.

I have set the router's DHCP server to hand out IPs starting at 2 and ending at 5, so I think in theory no one else could connect to the router as there are no more IPs in the pool.

The person who uses the computer on IP no. 3 has decided to pull out of the network (as we all split the costs), so I want to stop him from simply reconnecting and using the network.

I have set the firewall to block all traffic on this IP, e.g.:

Outbound Services

  #        Enable  Service Name  Action        LAN Users    WAN Servers  Log
  2                Any(ALL)      BLOCK always  192.168.0.3  192.168.0.3  Always
  Default  Yes     Any           ALLOW always  Any          Any          Never

Inbound Services

  #        Enable  Service Name  Action        LAN Server IP address  WAN Users    Log
  2                Any(ALL)      BLOCK always  Any                    192.168.0.3  Always
  Default  Yes     Any           BLOCK always  Any                    Any          Never

Am I right using the same address on the WAN side... do these settings look right?

Thanks loads, Shay

shay

Not entirely true. The DHCP server (in some NAT routers) can be configured to always assign the same IP address to a host based on its MAC address. So the host is configured for DHCP for its IP assignment, but the DHCP server in the router always gives that host the same IP address. I had a D-Link DI-604 and this was quite handy: it allowed me to configure all the hosts the same (using the default of DHCP in the TCP setup) and control back at the router's DHCP server what "static" IP address always got assigned to that host out of the available IP pool. I could control the static IP address assignment at the router instead of having to wander over to each host and go through the manual TCP configuration process. Another advantage is that you could configure in the router's DHCP setup which host was the target when punching through its firewall to define a virtual server, like changing which host would be the externally exposed web server (so you could slide in a different web host without having to touch the original web host). I miss having the "static" IP assignment from the DHCP pool since my DI-604 died and I replaced it with a Linksys BEFSR41.

Depending on which operating system is used, the user of a host can change the MAC address reported on the external interface of the NIC. So while the hardware NIC might have a fixed MAC address, the software-controlled MAC can be changed (I don't recall if it needs a reboot). In Windows XP, for example, change the software-controlled MAC in the device properties for the NIC. I think Windows 2000 can do this, too, and an unconfirmed report from a Linux user said he could do it. If the OS won't let you software-control the MAC address, the perp could use their own NAT router that lets them enter whatever MAC address the perp wants to use, like cloning the MAC off an allowed host (i.e., disconnect the hijacked host, insert the NAT router, reconnect the hijacked host, clone the MAC address of the NAT router to be the same as the hijacked host, and then connect the perp's host - a process that many NAT router users are already familiar with).

Vanguard

All you need to do is set the DHCP server to allow only 3 IP addresses, since you won't use the 4th one. So you could use 192.168.1.1 as your DHCP server and use 192.168.1.100-192.168.1.102 for your IP addresses. You can also filter the traffic by MAC address, so you can input only the 3 valid MAC addresses that are allowed to access your network. Even if he changes his MAC address, he must know the 3 valid MAC addresses, and I doubt that he has access to this information.

So it's very easy. Limit your network to only 3 IP addresses, and specify which MAC addresses are allowed to access your network; all others will be blocked.

Mike B

MikeB

That is true. However, the router is not a wireless router; a wireless router, where a wireless attacker could obtain a DHCP IP from the router for their machine to exploit a wireless connection, is when limiting the number of DHCP IPs that can be issued by the router would really mean anything.

So, what if the person was able to get on to your network and used one of the router's static IPs, having configured the NIC on his or her computer with a static IP? A static IP is any IP on the router that is not controlled by the DHCP server on the router.

Of course, if the router had MAC filtering, you could block the machine's access to the Internet, since all NICs have a unique MAC. But if you blocked by MAC, he or she could always change the NIC in their machine.

Hopefully, the person is not savvy enough to get around the blocking of the IP for the rules you have set.

Duane :)

Duane Arnold
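A defender-side check for the two bypasses raised above (a host on a static IP outside the DHCP pool, and a reserved address in use by a changed or cloned MAC), written as an added example that is not from the thread or any of its posters; the pool, reservations and ARP snapshot are constructed to match the question's 192.168.0.2-5 setup.

```python
import ipaddress

# Constructed reservation table following the question: pool .2-.5, one
# reservation per PC, and .3 belonging to the person who left the network.
POOL = (ipaddress.ip_address("192.168.0.2"), ipaddress.ip_address("192.168.0.5"))
RESERVATIONS = {
    "192.168.0.2": "00:11:22:33:44:02",
    "192.168.0.3": "00:11:22:33:44:03",  # host that pulled out of the network
    "192.168.0.4": "00:11:22:33:44:04",
    "192.168.0.5": "00:11:22:33:44:05",
}
REMOVED = {"192.168.0.3"}  # reservations that must no longer appear in use

# Constructed snapshot of the router's ARP table: what is actually on the LAN.
ARP_SNAPSHOT = """\
192.168.0.2  00:11:22:33:44:02
192.168.0.4  00:11:22:33:44:04
192.168.0.5  00:11:22:33:44:05
192.168.0.3  aa:bb:cc:dd:ee:ff
192.168.0.50 00:11:22:33:44:03
"""

def parse_arp(text):
    """Return (ip, mac) pairs from 'ip mac' lines, MACs lower-cased."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1].lower()))
    return entries

def audit(entries, reservations=RESERVATIONS, removed=REMOVED, pool=POOL):
    """Return (ip, mac, reason) for every entry that bypasses the intended setup."""
    findings = []
    for ip, mac in entries:
        addr = ipaddress.ip_address(ip)
        if not (pool[0] <= addr <= pool[1]):
            # Static IP: the DHCP pool limit never applied to this host.
            findings.append((ip, mac, "static IP outside DHCP pool"))
        elif reservations.get(ip) != mac:
            # Pool address in use by a different (changed or cloned) MAC.
            findings.append((ip, mac, "MAC does not match reservation"))
        elif ip in removed:
            # The departed host's own NIC is back on its old reservation.
            findings.append((ip, mac, "reservation of removed host still in use"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(parse_arp(ARP_SNAPSHOT)):
        print(f"{ip:<14} {mac}  {reason}")
```

Feed it the router's live ARP or DHCP client table instead of the constructed snapshot; a finding means the IP-pool or reservation settings alone did not keep the host off the network.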

Yes, that information is in the DHCP table, and the IP is linked to the MAC of the NIC. That information can also be deleted out of the DHCP table on the router. The Linksys routers have that ability. My Watchguard doesn't have this ability.

Some devices have more features than others.

Yes I have heard of software that can change or simulate the MAC of the NIC.

I looked at the NIC on XP pro and didn't see anything obvious.

Yes the MAC cloning feature on a router could be used.

There is always more than one way to skin a cat.

Duane :)

Duane ;-)

"MikeB" wrote in news:1117561900.606464.259230@g14g2000cwa.googlegroups.com:

On a Linksys router, except for a wireless one blocking wireless MACs (where you give the MACs of the NICs you want to have access), MAC filtering requires that you give the MAC of the machine you don't want to have Internet access, as I recall.

That may not be true in all cases.

Duane :)

Duane Arnold

I have a Linksys and it doesn't have this ability. What router are you using?

Dennis

Nope, the Linksys BEFSR41 doesn't have the ability to assign static IP address based on MAC address. Running through the screens:

Setup: Basic Setup - nothing there regarding assigning static IP addresses. The only settings there are: enable/disable the router's DHCP server, the starting number for dynamically assigned IP addresses to local hosts, and the maximum number of local hosts to which it will assign dynamic IP addresses.

That is it for DHCP control. None of the other configuration screens deal with the router's DHCP server. In fact, you have to wander off to the Status screen to see the DHCP assignment table (which local host got what IP address).

Similarly, the Linksys firewall is abysmal. Nowhere can you configure a schedule of when an IP address or MAC can have Internet access. You cannot perform domain and URL filtering, and you cannot block specific hosts from connecting to each other. The firewall in the Linksys sucks compared to the D-Link DI-604. Moving "up" to the Linksys BEFSR41 resulted in losing lots of features; however, I did have the "privilege" of paying twice as much for the Linksys.

The Linksys BEFSR41 was a poor replacement for the D-Link DI-604, especially since the Linksys cost twice as much. Yeah, there might be another higher model for Linksys with those missing features but then I would pay twice again to get back the features in the D-Link at one-fourth the cost. If I get another D-Link, however, I will pop out the center tang in the vent holes and might even drill out a vent grill on the top to keep it from running hot.

Vanguard

Neither the Linksys nor the D-Link is a firewall. They are simple NAT devices with some features that mimic those found in firewalls, but they are not firewalls and should not be confused with real firewalls.

The BEFSR41 unit is an entry-level device, in the sub-$50 range, that gets people on the Internet with a hope of not being compromised; it's not a firewall, it's a NAT router - just like the D-Link units.

Even the BEFSX41 unit is not a firewall; it's also just a NAT router with some enhanced features. The one nice feature the BEFSX41 has that the 604 doesn't is the ability to create dedicated IPSec tunnels between two devices - that's the reason it costs more than the 604.

Leythos

"Vanguard" wrote in news:Na-dnf6mF9RbagLfRVn- snipped-for-privacy@comcast.com:

That is the 41. The 11S4 v1 router I used to have had that ability. And without going out to the Linksys site and looking at user manuals, I would suspect that most of the others have this ability.

And some routers have more features than others.

Well, you just said it, and I suspect that you may be able to delete an entry out of the DHCP table to control assignments of a DHCP IP linked to a NIC's MAC. That's how I was able to delete DHCP table entries and force an assignment of a DHCP IP to a particular NIC MAC if I wanted to, using the 11S4 router. It was not pretty, but it can be done.

Well, you should have gotten a real FW appliance that meets the specs in the link for *What does a FW do*.

And even FW appliances have features that other FW appliances may or may not have incorporated in them.

I consider the Linksys, D-Link and any other router that falls into that category to be NAT routers having FW-like features, but they are not running true FW software in the traditional sense. They are just NAT routers with some FW-like features, and you're lucky they have SPI.

You should consider getting yourself a low-end FW appliance like a WatchGuard, Netscreen, SnapGear, Cisco, SonicWall or others, a true FW appliance, if you want better protection.

The link explains the differences between a NAT router with some packet filtering abilities as opposed to a FW appliance.

However, the NAT router for home usage is good enough as long as one is not doing high-risk things like port forwarding.

Duane :)

Duane Arnold