Hi all,

I have successfully set up PPTP VPN access to my company using PoPToP/pppd (thank you Tom for the excellent documentation); everything works fine so far. The problem is security. As I understand it, since the PPTP ports through the tunnel are opened to the whole Internet (they have to be), access verification is now based only on the username/password combination. Can the level of security be raised with MAC verification? I found in the shorewall documentation "MAC addresses are only visible within an ethernet segment so all MAC addresses used in verification must belong to devices physically connected to one of the LANs to which your firewall is connected", but still I get info about MAC addresses on the Internet adapter as well in syslog, for example:

Apr 15 14:20:11 FIREWALL kernel: Shorewall:int2all:DROP:IN=ethXX OUT= MAC=00:04:75:a0:5e:f2:00:0d:ed:8a:ca:80:08:00 SRC=68.88.14.151 DST=my.internet.fixed.ip LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=21260 DF PROTO=TCP SPT=3794 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0

MAC info is logged for some rule violations, not all. Is it up to the ISP? IPSEC unfortunately cannot be used yet. Any advice about how to secure PPTP access more?

Thanks, regards
Ivica Glavocic
> Can level of security be raised with MAC verification? I found in shorewall
> documentation "MAC addresses are only visible within an ethernet segment so
> all MAC addresses used in verification must belong to devices physically
> connected to one of the LANs to which your firewall is connected"

No, MAC verification cannot add security to your VPN setup. MAC addresses can be spoofed; in fact, newer versions of ifconfig on certain OS platforms allow the user to specify the MAC address manually. Also, as the documentation states, MAC addresses are only visible on a specific ethernet segment, so the MAC address you are seeing in your syslog references the MAC address of your upstream router.
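As an added example (not part of the original thread), the following Python parses the netfilter LOG line quoted in the question and splits its MAC= field. In a netfilter/Shorewall LOG entry that field is the raw 14-byte Ethernet header, destination MAC, source MAC and ethertype in that order, so on the Internet-facing interface the "source" MAC is the last-hop device (the ISP's router), whatever SRC= IP the packet carries; the field is empty for packets that have no link-layer header, such as those arriving over a ppp interface, which is why it shows up for some log entries and not others. The extra log lines, interface names and addresses other than the one quoted in the question are constructed for the example.

```python
import re
from collections import defaultdict

# The log line quoted in the question (placeholders kept as written there).
QUESTION_LOG = (
    "Apr 15 14:20:11 FIREWALL kernel: Shorewall:int2all:DROP:IN=ethXX OUT= "
    "MAC=00:04:75:a0:5e:f2:00:0d:ed:8a:ca:80:08:00 SRC=68.88.14.151 "
    "DST=my.internet.fixed.ip LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=21260 DF "
    "PROTO=TCP SPT=3794 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# Constructed sample (not real captures): three Internet sources arriving on the
# external interface behind the same router MAC, two LAN hosts on eth1 with their
# own MACs, and one packet over the PPTP ppp interface, which has no MAC= value.
CONSTRUCTED_LOGS = [
    QUESTION_LOG,
    "Apr 15 14:21:03 FIREWALL kernel: Shorewall:int2all:DROP:IN=ethXX OUT= "
    "MAC=00:04:75:a0:5e:f2:00:0d:ed:8a:ca:80:08:00 SRC=203.0.113.9 "
    "DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP "
    "SPT=1025 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Apr 15 14:21:40 FIREWALL kernel: Shorewall:int2all:DROP:IN=ethXX OUT= "
    "MAC=00:04:75:a0:5e:f2:00:0d:ed:8a:ca:80:08:00 SRC=198.51.100.77 "
    "DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP "
    "SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Apr 15 14:22:10 FIREWALL kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ethXX "
    "MAC=00:04:75:a0:5e:f3:00:11:22:33:44:55:08:00 SRC=192.168.1.10 "
    "DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP "
    "SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 15 14:22:11 FIREWALL kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ethXX "
    "MAC=00:04:75:a0:5e:f3:00:11:22:33:44:66:08:00 SRC=192.168.1.11 "
    "DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP "
    "SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 15 14:23:00 FIREWALL kernel: Shorewall:vpn2all:DROP:IN=ppp0 OUT= MAC= "
    "SRC=10.0.0.5 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=5 "
    "PROTO=TCP SPT=1030 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return chain, disposition and the key=value fields of a Shorewall LOG line."""
    m = re.search(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)$", line)
    if m is None:
        raise ValueError("not a Shorewall LOG line: %r" % line)
    fields = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)   # OUT= and MAC= may be empty
            fields[key] = value
        else:
            fields["flags"].append(token)      # DF, SYN, ACK ... carry no value
    return fields


def split_mac_field(mac_field):
    """Split the 14-octet MAC= value into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected dst MAC + src MAC + ethertype (14 octets)")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = "0x" + "".join(octets[12:14])  # 0x0800 = IPv4
    return dst, src, ethertype


def link_layer_sender(line):
    """MAC that put the frame on the wire, or None when the packet had no
    Ethernet header. On an Internet-facing interface this is the next hop
    (the ISP router), not the host named in SRC=."""
    fields = parse_log_line(line)
    if not fields.get("MAC"):
        return None
    return split_mac_field(fields["MAC"])[1]


def src_macs_per_interface(lines):
    """Map IN= interface -> source MAC -> set of SRC= IPs seen behind that MAC.
    Many IPs behind one MAC means the MAC is a router, not the sender."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("MAC"):
            seen[fields["IN"]][split_mac_field(fields["MAC"])[1]].add(fields["SRC"])
    return {iface: dict(macs) for iface, macs in seen.items()}


if __name__ == "__main__":
    for iface, macs in src_macs_per_interface(CONSTRUCTED_LOGS).items():
        for mac, ips in macs.items():
            print(iface, mac, "carries", len(ips), "distinct SRC IPs")
```

Running it shows every Internet-side entry under the single MAC 00:0d:ed:8a:ca:80, while each eth1 entry has its own, which is the point of the documentation sentence quoted in the question: a MAC match on ethXX would match the router, not the remote host, and is unusable for distinguishing VPN clients.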
Gary Buckmaster wrote on 15/04/2005 10:07:29:

> > Can level of security be raised with MAC verification? I found in shorewall
> > documentation "MAC addresses are only visible within an ethernet segment so
> > all MAC addresses used in verification must belong to devices physically
> > connected to one of the LANs to which your firewall is connected"
>
> No, MAC verification cannot add security to your VPN setup. MAC
> addresses can be spoofed, in fact newer versions of ifconfig on
> certain OS platforms allow the user to specify the MAC address
> manually. Also, as the documentations states MAC addresses are only
> visible on a specific ethernet segment so the MAC address you are
> seeing in your syslog reference the MAC address of your upstream
> router.

You could try another VPN connection technology, like OpenVPN, that relies on key exchange.
http://www.alobbs.com/modules.php?op=modload&name=macc&file=index

"Features
 * Set specific MAC address of a network interface
 * Set the MAC randomly
 * Set a MAC of another vendor
 * Set another MAC of the same vendor
 * Set a MAC of the same kind (eg: wireless card)
 * Display a vendor MAC list (today, 6800 items) to choose from"

On Fri, 2005-04-15 at 08:07 -0500, Gary Buckmaster wrote:
> > Can level of security be raised with MAC verification? I found in shorewall
> > documentation "MAC addresses are only visible within an ethernet segment so
> > all MAC addresses used in verification must belong to devices physically
> > connected to one of the LANs to which your firewall is connected"
>
> No, MAC verification cannot add security to your VPN setup. MAC
> addresses can be spoofed, in fact newer versions of ifconfig on
> certain OS platforms allow the user to specify the MAC address
> manually. Also, as the documentations states MAC addresses are only
> visible on a specific ethernet segment so the MAC address you are
> seeing in your syslog reference the MAC address of your upstream
> router.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi people,

ryanag@zoominternet.net wrote:
> http://www.alobbs.com/modules.php?op=modload&name=macc&file=index
>
> "Features
> * Set specific MAC address of a network interface
> * Set the MAC randomly
> * Set a MAC of another vendor
> * Set another MAC of the same vendor
> * Set a MAC of the same kind (eg: wireless card)
> * Display a vendor MAC list (today, 6800 items) to choose from"

This is probably me, but my gut feeling says that it *does* increase security when you only allow ~100 MAC addresses out of a 10^14 range. In other words, it would be hard to guess a good one (harder than 1/(10^12)).

Can anyone explain?

Thanks,
--
- Pieter
> This is probably me, but my gut feeling says that is *does* increase
> security when you only allow ~100 MAC addresses out of a 10^14 range. In
> other words, it would be hard to guess a good one (harder than 1/(10^12)).
>
> Can anyone explain?
>
> Thanks,
> --
> - Pieter

It's a simple matter to sniff the network traffic in order to learn which MAC addresses are not filtered, and then act accordingly. This is especially true on wireless network segments, which was, I believe, the OP's scenario.
http://ettercap.sourceforge.net/

Ettercap will let you scan for hosts, and supply a list of MAC addresses and their corresponding IP addresses. Ettercap can then do its magic (poisoning a switch) or the intruder can change their MAC address with the tool below. Just watching the data would probably give an idea of which one to spoof.

On Sun, 2005-04-17 at 10:44 +0200, Pieter Ennes wrote:
> Hi people,
>
> ryanag@zoominternet.net wrote:
> > http://www.alobbs.com/modules.php?op=modload&name=macc&file=index
> >
> > "Features
> > * Set specific MAC address of a network interface
> > * Set the MAC randomly
> > * Set a MAC of another vendor
> > * Set another MAC of the same vendor
> > * Set a MAC of the same kind (eg: wireless card)
> > * Display a vendor MAC list (today, 6800 items) to choose from"
>
> This is probably me, but my gut feeling says that is *does* increase
> security when you only allow ~100 MAC addresses out of a 10^14 range. In
> other words, it would be hard to guess a good one (harder than 1/(10^12)).
>
> Can anyone explain?
>
> Thanks,
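The two replies above (sniff the segment to learn which MACs are not filtered, then change your own address) and the macc feature list quoted earlier can be put together in a short added example. This Python is not from the thread, from macc or from Ettercap; the gateway MAC, the allowlist and the captured frames are constructed for the example. It shows the gap in the guessing argument: blind guessing against ~100 allowed addresses out of the 2^47 unicast MACs really is hopeless, but an observer on the segment does not guess, it ranks the MACs the gateway actually answers and clones one. The random and "same vendor" generators correspond to the macc features quoted above (locally administered bit set, multicast bit clear, or the original OUI kept).

```python
import random
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed segment (hypothetical addresses): the firewall's LAN-side MAC, the
# MAC allowlist it enforces, and frames an observer on the segment would see.
# Frames are (src_mac, dst_mac, ethertype).
GATEWAY_MAC = "00:04:75:a0:5e:f3"
ALLOWLIST = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
FRAMES = [
    ("00:11:22:33:44:55", GATEWAY_MAC, 0x0800),
    (GATEWAY_MAC, "00:11:22:33:44:55", 0x0800),
    ("00:11:22:33:44:55", GATEWAY_MAC, 0x0800),
    (GATEWAY_MAC, "00:11:22:33:44:55", 0x0800),
    ("00:11:22:33:44:66", GATEWAY_MAC, 0x0800),
    (GATEWAY_MAC, "00:11:22:33:44:66", 0x0800),
    ("aa:bb:cc:dd:ee:ff", GATEWAY_MAC, 0x0800),   # filtered host: sends, never answered
    ("00:11:22:33:44:66", BROADCAST, 0x0806),     # ARP broadcast, not evidence of a reply
]


def blind_guess_probability(n_allowed):
    """Chance that one random unicast MAC is on the allowlist. 48-bit address,
    I/G bit fixed to 0 for unicast, so 2^47 candidates; multicast addresses
    would never be accepted as a source anyway."""
    return n_allowed / float(2 ** 47)


def harvest_candidates(frames, gateway_mac):
    """Rank MACs the gateway answers with unicast traffic, most active first.
    A host that only ever sends and is never answered is probably filtered,
    so it is left out of the candidate list."""
    to_gw = Counter()
    from_gw = Counter()
    for src, dst, _ethertype in frames:
        if dst == gateway_mac:
            to_gw[src] += 1
        elif src == gateway_mac and dst != BROADCAST:
            from_gw[dst] += 1
    confirmed = {mac: to_gw[mac] + from_gw[mac] for mac in from_gw}
    return sorted(confirmed.items(), key=lambda kv: (-kv[1], kv[0]))


def random_mac(seed=None, same_vendor_as=None):
    """A fresh unicast MAC. With same_vendor_as, keep that address's OUI (first
    three octets) and randomise the NIC part; otherwise build a locally
    administered address (bit 1 of the first octet set, multicast bit clear)."""
    rng = random.Random(seed)
    if same_vendor_as is not None:
        oui = same_vendor_as.lower().split(":")[:3]
    else:
        first = (rng.randrange(256) | 0x02) & 0xFE
        oui = ["%02x" % first] + ["%02x" % rng.randrange(256) for _ in range(2)]
    nic = ["%02x" % rng.randrange(256) for _ in range(3)]
    return ":".join(oui + nic)


def passes_mac_filter(allowlist, mac):
    """The whole check a MAC allowlist performs: is the claimed source on it?"""
    return mac.lower() in {a.lower() for a in allowlist}


if __name__ == "__main__":
    print("blind guess, 100 allowed:", blind_guess_probability(100))
    ranked = harvest_candidates(FRAMES, GATEWAY_MAC)
    print("observed candidates:", ranked)
    clone = ranked[0][0]
    print("cloning", clone, "passes filter:", passes_mac_filter(ALLOWLIST, clone))
    print("random locally administered MAC:", random_mac(seed=1))
    print("same-vendor MAC:", random_mac(seed=1, same_vendor_as=clone))
```

The ranking deliberately counts only unicast frames the gateway sends back: on a switched segment an observer may not see every frame, which is where the ARP poisoning mentioned above comes in, but on a hub or wireless segment the capture alone is enough. Cloning an address that is still in use will collide with the legitimate host; the usual move is to pick one that has gone quiet, which is another reason the count of recent frames is worth recording.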